[Open-scap] Regarding OSCAP Results

Martin Preisler mpreisle at redhat.com
Mon Feb 10 09:58:08 UTC 2014


Hi,

> 
> On my own I was able to get my system to score an 82.02, but I have had some
> questions about the rule results
> 
> 
>    - I had 180 that passed. That's self-explanatory.
>    - 19 that failed. That's also self-explanatory. Although I did follow
>    the proposed fixes for some and they still failed. e.g. "Enable Auditing
>    for Processes Which Start Prior to the Audit Daemon" CCE-26785-6
>    - 2 that errored. I guess I don't understand the difference between an
>    error and a fail. An error I would guess is when the test runs, but not
>    until completion. A failure is a test that runs until completion, but does
>    not yield a pass result. The 2 errors were for "Ensure No Device Files
>    are Unlabeled by SELinux" (CCE-26774-0) and "Modify the System Login
>    Banner" (CCE-26974-6).

Error as in error in evaluation. This commonly means that you don't have
sufficient permissions to perform the scan or that the system is in a state
that the check's author did not anticipate.

>    - 167 that were not selected. This seems troublesome to me. Why were
>    they not selected? Were they not selected because I selected a
>    stig-rhel6-server profile and the definitions encompass a superset to
>    that?

Exactly.

SSG is a big, complex project; it has many profiles and many rules. You
selected one of those profiles which only selects a subset of those rules.
What you are seeing is normal and is nothing to be concerned about.

Very likely there is no single profile that selects all the rules.

>    - 19 were not checked. Now there is a reference to this in oscap
>    documentation
>       - http://www.open-scap.org/page/Documentation#Check_engines
>       - "Results of rules with a check that requires a check engine not
>          supported by openscap will be reported as 'notchecked'"
>       - I have compiled oscap with sce enabled (i.e. ./configure
>       --enable-sce), but this has not solved all issues.
>       - How do I get oscap to work with the check engines in question?

Either the rules have no check written for them so they can't be automatically
evaluated, or the check uses a check system that your copy of openscap
does not support. Since you compiled openscap with SCE enabled I think
the former is more likely.

> I really like what you all have done with this project and appreciate the
> tremendous amount of effort, but these results seem to suggest to me that
> the oscap implementation is incomplete. Please correct me if I am wrong.

I hope I have :-)

-- 
Martin Preisler
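
Added example, not part of the original message or of OpenSCAP itself: a small Python triage of an XCCDF results file that tallies each result type and, for every "error" or "notchecked" rule, reports which of the explanations given above applies. The rule ids and the sample XML are constructed, and the SUPPORTED set (OVAL plus SCE) is an assumption about the local oscap build.

```python
import xml.etree.ElementTree as ET
from collections import Counter

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
SCE = "http://open-scap.org/page/SCE"
OCIL = "http://scap.nist.gov/schema/ocil/2"
SUPPORTED = {OVAL, SCE}  # assumption: oscap built with --enable-sce

# Constructed sample results; rule ids are made up for illustration.
SAMPLE = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
 <TestResult id="constructed-sample">
  <rule-result idref="rule_a"><result>pass</result><check system="{OVAL}"/></rule-result>
  <rule-result idref="rule_b"><result>fail</result><check system="{OVAL}"/></rule-result>
  <rule-result idref="rule_c"><result>error</result><check system="{OVAL}"/></rule-result>
  <rule-result idref="rule_d"><result>notselected</result></rule-result>
  <rule-result idref="rule_e"><result>notchecked</result></rule-result>
  <rule-result idref="rule_f"><result>notchecked</result><check system="{OCIL}"/></rule-result>
 </TestResult>
</Benchmark>"""

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files both work."""
    return tag.rsplit("}", 1)[-1]

def triage(xml_text, supported=SUPPORTED):
    """Return (counts per result, {rule id: reason} for error/notchecked)."""
    counts, followup = Counter(), {}
    for rr in ET.fromstring(xml_text).iter():
        if local(rr.tag) != "rule-result":
            continue
        result = next(((c.text or "").strip() for c in rr
                       if local(c.tag) == "result"), "unknown")
        counts[result] += 1
        systems = [c.get("system") for c in rr if local(c.tag) == "check"]
        if result == "error":
            reason = "evaluation error: check scan permissions and system state"
        elif result == "notchecked" and not systems:
            reason = "no check written for this rule"
        elif result == "notchecked" and not any(s in supported for s in systems):
            reason = "unsupported check system: " + ", ".join(systems)
        elif result == "notchecked":
            reason = "check present but not evaluated"
        else:
            continue  # pass, fail, notselected etc. need no explanation here
        followup[rr.get("idref")] = reason
    return counts, followup

if __name__ == "__main__":
    counts, followup = triage(SAMPLE)
    print(dict(counts))
    for rule, reason in followup.items():
        print(f"{rule}: {reason}")
```

To run it against a real scan, pass the contents of the file written by `oscap xccdf eval --results` to `triage()`.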



