[Open-scap] rule-2.3.5.2.a/c failure FC14
Peter Vrabec
pvrabec at redhat.com
Mon Mar 21 13:52:19 UTC 2011
Hi Ted,
On Friday, March 18, 2011 05:22:10 pm Ted Toth wrote:
> I've just started to look at openscap and ran it as follows:
> oscap xccdf eval --profile F14-Desktop --result-file xccdf-results.xml
> scap-fedora14-xccdf.xml
>
> I noticed several failures:
> Rule ID: rule-2.3.5.2.a
> Title: Set Boot Loader user owner
> Result: fail
>
> Rule ID: rule-2.3.5.2.c
> Title: Set permission on /boot/grub/grub.conf
> Result: fail
>
> that I don't understand because /boot/grub/grub.conf is owned by root
> with permissions 600:
>
> [root@localhost log]# ls -laZ /boot/grub/grub.conf
> -rw-------. root root system_u:object_r:boot_t:s0 /boot/grub/grub.conf
>
> Can someone help me understand what could be happening here?
I'm sorry to have to say that this is a bug in the openscap library. It does
not handle a slash at the end of the <path> element in OVAL content properly.
Example:
"<unix-def:path>/boot/grub/</unix-def:path>"
I have changed it to
"<unix-def:path>/boot/grub</unix-def:path>"
file: scap-fedora14-oval.xml
commit: c1bf6ce11a4f235a62359009b4e9a6b72814f8c6
This is just a quick solution. I have also filed a bug against openscap:
http://bugzilla.redhat.com/show_bug.cgi?id=689427
I hope we will have a proper solution/fix ASAP.
Thanks,
Peter.
> Ted
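An added example, not part of the original message or the openscap project's code: a Python check that finds literal <unix-def:path> values ending in a slash in OVAL content and rewrites them the way the workaround above does. The sample document and its object ids are constructed; skipping non-"equals" operations and the bare "/" path are assumptions about which values are safe to rewrite.

```python
import xml.etree.ElementTree as ET

# OVAL 5 namespace behind the unix-def: prefix used in the content quoted above.
UNIX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
PATH_TAG = "{%s}path" % UNIX_NS
ET.register_namespace("unix-def", UNIX_NS)  # keep the prefix when serialising

# Constructed sample, not taken from scap-fedora14-oval.xml.
SAMPLE = """<objects xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
  <unix-def:file_object id="oval:example:obj:1" version="1">
    <unix-def:path>/boot/grub/</unix-def:path>
    <unix-def:filename>grub.conf</unix-def:filename>
  </unix-def:file_object>
  <unix-def:file_object id="oval:example:obj:2" version="1">
    <unix-def:path operation="pattern match">^/home/[^/]+/</unix-def:path>
    <unix-def:filename>.bashrc</unix-def:filename>
  </unix-def:file_object>
  <unix-def:file_object id="oval:example:obj:3" version="1">
    <unix-def:path>/</unix-def:path>
    <unix-def:filename>.autorelabel</unix-def:filename>
  </unix-def:file_object>
</objects>"""


def strip_trailing_slashes(root):
    """Rewrite literal path entities in place; return (parent id, old, new) tuples."""
    changes = []
    for parent in root.iter():
        for path in parent.findall(PATH_TAG):
            # Regular expressions and other non-equality operations are not
            # literal directory names, so a trailing slash there is left alone.
            if path.get("operation", "equals") != "equals":
                continue
            text = (path.text or "").strip()
            fixed = text.rstrip("/")
            # Skip var_ref entities (no text), the root directory, and clean paths.
            if not text or not fixed or fixed == text:
                continue
            path.text = fixed
            changes.append((parent.get("id"), text, fixed))
    return changes


def fix_document(xml_text):
    """Return (changes, corrected XML) for an OVAL document given as a string."""
    root = ET.fromstring(xml_text)
    changes = strip_trailing_slashes(root)
    return changes, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for obj_id, old, new in fix_document(SAMPLE)[0]:
        print("%s: %r -> %r" % (obj_id, old, new))
```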