[Open-scap] Issues with open-scap 0.9.1 and 0.9.2 on RHEL6 (UNCLASSIFIED)
Spencer R. Shimko
sshimko at tresys.com
Tue Nov 20 15:32:15 UTC 2012
On Nov 20, 2012, at 10:19 AM, "Shaw, Ray V CTR (US)" <ray.v.shaw.ctr at mail.mil>
wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> I've been building my own openscap and openscap-utils RPMs on RHEL6 using the latest upstream tarball with the RHEL6 source RPMs (with a few modifications due to new files to package). This has allowed me to scan RHEL6 systems using both the draft RHEL6 content (rhel6-xccdf-scap-security-guide.xml):
>
> oscap xccdf eval --profile "stig-server" --results hostname_scap.xml --report hostname_scap.html /usr/local/scap-security-guide/content/rhel6-xccdf-scap-security-guide.xml
>
> and the DISA RHEL5 STIG content:
>
> oscap xccdf eval --profile "MAC-2_Sensitive" --results hostname_scap.xml --report hostname_scap.html U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
>
> Unfortunately, this no longer works if I build RPMs with 0.9.1 or 0.9.2; all of the checks are marked as "notapplicable", and the scan successfully does nothing. This happens with both sets of content. If I downgrade to 0.9.0, it all works again.
Is this really RHEL or is it CentOS?
Recently we had to start stripping out platform tags to get accurate results:
sed -i -r -e "s/<platform.*//g" /usr/local/scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml
Thanks,
--Spencer
>
> I have also just tried the 0.9.2 RPMs available via the epel-6-openscap repo, and they have the same behavior.
>
> (I guess in theory, the RHEL5 STIG is not "supposed to" be used on RHEL6; SCC tells me it doesn't apply to my platform when I try. But I need to scan RHEL6 systems with something to prepare for inspections, and that seems like the best fit. And I would definitely expect the scap-security-guide content to work.)
>
> Is anyone successfully scanning using this content with 0.9.1/0.9.2 on RHEL6? I'm running RHEL6.3 with the most recent updates, using the 0.1-6 RPM provided on the scap-security-guide download page, and the latest DISA STIG content.
>
> Thanks,
>
> --
> Ray Shaw
> Contractor, STG
> Unix support, Army Research Labs
>
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
More information about the Open-scap-list
mailing list