[Open-scap] Regarding OSCAP Results
Martin Preisler
mpreisle at redhat.com
Mon Feb 10 09:58:08 UTC 2014
Hi,
>
> On my own I was able to get my system to score an 82.02, but I have had some
> questions about the rule results
>
>
> - I had 180 that passed. That's self-explanatory.
> - 19 that failed. That's also self-explanatory. Although I did follow
> the proposed fixes for some and they still failed. e.g. "Enable Auditing
> for Processes Which Start Prior to the Audit Daemon" CCE-26785-6
> - 2 that errored. I guess I don't understand the difference between an
> error and a fail. An error I would guess is when the test runs, but not
> until completion. A failure is a test that runs until completion, but does
> not yield a pass result. The 2 errors were for "Ensure No Device Files
> are Unlabeled by SELinux" (CCE-26774-0) and "Modify the System Login Banner"
> (CCE-26974-6).
Error as in error in evaluation. This commonly means that you don't have
sufficient permissions to perform the scan or that the system is in a state
that the check's author did not anticipate.
> - 167 that were not selected. This seems troublesome to me. Why were
> they not selected? Were they not selected because I selected a
> stig-rhel6-server profile and the definitions encompass a superset to
> that?
Exactly.
SSG is a big, complex project; it has many profiles and many rules. You
selected one of those profiles which only selects a subset of those rules.
What you are seeing is normal and is nothing to be concerned about.
Very likely there is no single profile that selects all the rules.
> - 19 were not checked. Now there is a reference to this in oscap
> documentation
> - http://www.open-scap.org/page/Documentation#Check_engines
> - "Results of rules with a check that requires a check engine not
> supported by openscap will be reported as 'notchecked'"
> - I have compiled oscap with sce enabled (i.e. ./configure
> --enable-sce), but this has not solved all issues.
> - How do I get oscap to work with the check engines in question?
Either the rules have no check written for them so they can't be automatically
evaluated, or the check uses a check system that your copy of openscap
does not support. Since you compiled openscap with SCE enabled I think
the former is more likely.
> I really like what you all have done with this project and appreciate the
> tremendous amount of effort, but these results seem to suggest to me that
> the oscap implementation is incomplete. Please correct me if I am wrong.
I hope I have :-)
--
Martin Preisler
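
Added example, not part of the original message and not openscap's own code: a sketch that tallies the rule results in an XCCDF results file and, for each 'notchecked' rule, reports which of the two causes described above applies. The rule ids and the sample document are constructed, and the SUPPORTED set is an assumption about the local build.

```python
import xml.etree.ElementTree as ET
from collections import Counter
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
SCE = "http://open-scap.org/page/SCE"
OCIL = "http://scap.nist.gov/schema/ocil/2"
# Assumption: the scanner evaluates OVAL, plus SCE when built with --enable-sce.
SUPPORTED = {OVAL, SCE}

def local(tag):
    # Drop the XML namespace so XCCDF 1.1 and 1.2 files both parse.
    return tag.rsplit("}", 1)[-1]

def triage(xml_text, supported=SUPPORTED):
    """Return (result counts, {rule id: reason}) for the notchecked rules."""
    root = ET.fromstring(xml_text)
    systems = {}  # Rule id -> check systems referenced by its definition
    for rule in root.iter():
        if local(rule.tag) == "Rule":
            systems[rule.get("id")] = {c.get("system") for c in rule.iter()
                                       if local(c.tag) == "check"}
    counts, reasons = Counter(), {}
    for rr in root.iter():
        if local(rr.tag) != "rule-result":
            continue
        result = next((c.text.strip() for c in rr if local(c.tag) == "result"), "unknown")
        counts[result] += 1
        if result != "notchecked":
            continue
        used = systems.get(rr.get("idref"), set())
        if not used:
            reasons[rr.get("idref")] = "no check written"
        elif not used & supported:
            reasons[rr.get("idref")] = "unsupported: " + ", ".join(sorted(used))
        else:
            reasons[rr.get("idref")] = "supported check present, inspect manually"
    return counts, reasons

# Constructed sample (hypothetical rule ids), not real scan output.
SAMPLE = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Rule id="rule_a"><check system="{OVAL}"/></Rule>
  <Rule id="rule_b"/>
  <Rule id="rule_c"><check system="{OCIL}"/></Rule>
  <TestResult id="demo_result">
    <rule-result idref="rule_a"><result>pass</result></rule-result>
    <rule-result idref="rule_b"><result>notchecked</result></rule-result>
    <rule-result idref="rule_c"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

To use it on a real scan, pass the contents of the file written by the scanner's results option to triage() instead of SAMPLE.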