<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Thank you for clearing that up.<br>
    <br>
    <div class="moz-cite-prefix">On 2/27/15 9:40 AM, Shawn Wells wrote:<br>
    </div>
    <blockquote cite="mid:54F0AC13.2040108@redhat.com" type="cite">
      <meta content="text/html; charset=windows-1252"
        http-equiv="Content-Type">
      <br>
      <div class="moz-cite-prefix">On 2/27/15 12:33 PM, Ray Blair wrote:<br>
      </div>
      <blockquote cite="mid:54F0AA79.60601@comcast.net" type="cite">
        <p class="MsoNormal"><span style="color:#1F497D">I am using
            scap-security-guide-0.1.20.tar and OpenSCAP version 1.0.3.2
            that ships with rhel7</span></p>
        <p class="MsoNormal"><span style="color:#1F497D">The command I
            am running is:</span></p>
        <p class="MsoNormal"><span style="color:#1F497D">oscap xccdf
            eval –profile stig-rhel7-server-upstream –cpe
            ssg-rhel7-cpe-dictionary.xml –reports “somefilename” 
            --results “somefilename”  ssg-rhel7-xccdf.xml</span></p>
        <p class="MsoNormal"><span style="color:#1F497D"> </span><span
            style="color:#1F497D">It seems to run fine until I add more
            checks.  For instance if I enable check kdump service it
            comes back with notchecked.  I get the same results for most
            additional checks.  I have tried several iterations of
            running with and without specifying the profile, cpe
            dictionary file and have tried using a tailoring file and
            get the same results.</span> </p>
        <p class="MsoNormal"><span style="color:#1F497D"> </span><span
            style="color:#1F497D">I got the latest OpenSCAP version
            (1.2.1-0.1) and compiled it with the --enable–sce option.
            Now the results are notapplicable instead of notchecked.  I
            am not sure if this is progress.  I also tried several other
            compiler options with the same results .  I am probably
            missing something simple.</span> </p>
      </blockquote>
      <br>
      SSG's RHEL7 content is still in active churn (which is part of why
      it's not shipping in RHEL7 yet). Much of the underlying OVAL
      content hasn't been ported from RHEL6 to RHEL7 yet, which is
      likely causing the notchecked results. <br>
      <br>
      Here's the upstream repo of OVAL checks:<br>
      <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/7/input/checks">https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/7/input/checks</a><br>
      <br>
      Or expressed another way, for the 406 RHEL7 XCCDF rules, only 131
      have OVAL so far:<br>
      $ grep -rin "<Rule" RHEL/7/input/ | wc -l<br>
      406<br>
      $ ls RHEL/7/input/checks/ | wc -l<br>
      131<br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Open-scap-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Open-scap-list@redhat.com">Open-scap-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/open-scap-list">https://www.redhat.com/mailman/listinfo/open-scap-list</a></pre>
    </blockquote>
    <br>
  </body>
</html>