[Open-scap] "No TestResult" error with oscap xccdf generate fix

Brian Millett bmillett at gmail.com
Tue Feb 5 13:35:46 UTC 2013


On Tue, 05 Feb 2013 13:20:55 +0100
Simon Lukasik <slukasik at redhat.com> wrote:

> On 02/02/2013 05:46 AM, Shawn Wells wrote:
> > I am playing around with generating fix scripts from XCCDF content and I
> > am receiving a "No TestResult" error. Here is the process and commands
> > I'm using, could anybody point me in the right direction?
> > 
> > My versions:
> >> $ cat /etc/redhat-release ; rpm -qv openscap openscap-utils
> >> Red Hat Enterprise Linux Server release 6.3 (Santiago)
> >> openscap-0.9.2-1.el6.x86_64
> >> openscap-utils-0.9.2-1.el6.x86_64
> > 
> > 
> > Within my XCCDF I have:
> >> <Rule id="install_aide" severity="medium" selected="false">
> >> .......
> >> <fix system="urn:xccdf:fix:script:bash">yum install aide</fix>
> >> .......
> >> </Rule>
> > 
> > I run a scan:
> >> oscap xccdf eval --profile stig-rhel6-server \
> >> --results /tmp/stig-results.xml \
> >> --report /tmp/stig-results.html \
> >> --oval-results \
> >> --cpe /var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-cpe-dictionary.xml \
> >> /var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml
> >> ........... 
> > 
> > And within my results file (/tmp/stig-results.xml):
> >> <rule-result idref="install_aide" time="2013-02-01T16:51:03"
> >> severity="medium" weight="1.000000">
> >>       <result>pass</result>
> >>       <ident system="http://cce.mitre.org">CCE-27024-9</ident>
> >>       <fix xmlns:xhtml="http://www.w3.org/1999/xhtml"
> >> system="urn:xccdf:fix:script:bash">yum install aide</fix>
> >>       <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
> >>         <check-content-ref name="oval:ssg:def:1331"
> >> href="ssg-rhel6-oval.xml"/>
> >>       </check>
> >>     </rule-result> 
> > 
> > I then run the following to generate the fix script and receive the "No
> > TestResult" error:
> >> ## Attempt from results file
> >> $ oscap xccdf generate fix --result-id "install_aide" /tmp/stig-results.xml
> >> No TestResult 'install_aide'. Aborting.

A couple of observations on my part.  I can generate a bash remediation script
only if I do 

1)  oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_stig-rhel6-server

which is a hardcoded result-id prefix, but it is "xccdf_org.open-scap_testresult_<PROFILE>" and

2) system="urn:xccdf:fix:script:bash" in the fix does not work, it generates
nothing, system="urn:xccdf:fix:script:sh" however does work.

-- 
Brian Millett
"In the last five years, I've seen things off-world you can't even imagine.
 I've stood in the Abendi desert and watched all seven moons go into
 eclipse. I've walked in vaults that have been sealed longer than
 there's been a human race, breathing air that's five million years old.
 You call that a shortcut, if you will, but I've lived. By God, Stephen,
 I have *lived*."
   -- [ Vance Hendricks, "Infection"]
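
The following Python is an added example, not part of the original message or of OpenSCAP. It lists the TestResult ids in a results file, which is what the value given to --result-id is looked up against in the error above, and reports the fix system URI carried by each rule-result. The sample XML is constructed, and the XCCDF 1.1 namespace and the second rule-result in it are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the results file quoted above (XCCDF 1.1
# namespace assumed); the second rule-result is invented for illustration.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server">
    <rule-result idref="install_aide" severity="medium">
      <result>pass</result>
      <fix system="urn:xccdf:fix:script:bash">yum install aide</fix>
    </rule-result>
    <rule-result idref="example_rule" severity="low">
      <fix system="urn:xccdf:fix:script:sh">echo constructed</fix>
    </rule-result>
  </TestResult>
</Benchmark>"""


def local(tag):
    """Strip the '{namespace}' prefix so XCCDF 1.1 and 1.2 files both work."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_text):
    """Map each TestResult id to {rule idref: [fix system URIs]}."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "TestResult":
            continue
        rules = {}
        for rr in el:
            if local(rr.tag) == "rule-result":
                rules[rr.get("idref")] = [
                    f.get("system") for f in rr if local(f.tag) == "fix"]
        out[el.get("id")] = rules
    return out


def check_result_id(xml_text, wanted):
    """Return (ok, hint) for a value intended for --result-id."""
    summary = summarize(xml_text)
    if wanted in summary:
        return True, "TestResult found"
    owners = [tid for tid, rules in summary.items() if wanted in rules]
    if owners:
        return False, f"'{wanted}' is a rule idref; use TestResult id '{owners[0]}'"
    return False, "valid ids: " + ", ".join(summary)

if __name__ == "__main__":
    print(check_result_id(SAMPLE, "install_aide"))
```

To check a real file, pass its contents (for example, the text of /tmp/stig-results.xml) to `check_result_id` in place of `SAMPLE`.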



