[Open-scap] Issues with open-scap 0.9.1 and 0.9.2 on RHEL6 (UNCLASSIFIED)

Spencer R. Shimko sshimko at tresys.com
Tue Nov 20 15:32:15 UTC 2012


On Nov 20, 2012, at 10:19 AM, "Shaw, Ray V CTR (US)" <ray.v.shaw.ctr at mail.mil>
 wrote:

> Classification: UNCLASSIFIED
> Caveats: NONE
> 
> I've been building my own openscap and openscap-utils RPMs on RHEL6 using the latest upstream tarball with the RHEL6 source RPMs (with a few modifications due to new files to package).  This has allowed me to scan RHEL6 systems using both the draft RHEL6 content (rhel6-xccdf-scap-security-guide.xml):
> 
> oscap xccdf eval --profile "stig-server" --results hostname_scap.xml --report hostname_scap.html /usr/local/scap-security-guide/content/rhel6-xccdf-scap-security-guide.xml
> 
> and the DISA RHEL5 STIG content:
> 
> oscap xccdf eval --profile "MAC-2_Sensitive" --results hostname_scap.xml --report hostname_scap.html U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
> 
> Unfortunately, this no longer works if I build RPMs with 0.9.1 or 0.9.2; all of the checks are marked as "notapplicable", and the scan successfully does nothing.  This happens with both sets of content.  If I downgrade to 0.9.0, it all works again.

Is this really RHEL or is it CentOS?  

Recently we had to start stripping out platform tags to get accurate results:
sed -i -r -e "s/<platform.*//g" /usr/local/scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml

Thanks,
--Spencer

> 
> I have also just tried the 0.9.2 RPMs available via the epel-6-openscap repo, and they have the same behavior.
> 
> (I guess in theory, the RHEL5 STIG is not "supposed to" be used on RHEL6; SCC tells me it doesn't apply to my platform when I try.  But I need to scan RHEL6 systems with something to prepare for inspections, and that seems like the best fit.  And I would definitely expect the scap-security-guide content to work.)
> 
> Is anyone successfully scanning using this content with 0.9.1/0.9.2 on RHEL6?  I'm running RHEL6.3 with the most recent updates, using the 0.1-6 RPM provided on the scap-security-guide download page, and the latest DISA STIG content.
> 
> Thanks,
> 
> --
> Ray Shaw
> Contractor, STG
> Unix support, Army Research Labs
> 
> 
> Classification: UNCLASSIFIED
> Caveats: NONE
> 
> 
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
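
The sed one-liner in the reply above deletes everything from `<platform` to the end of the line. As an added example (not code from the thread or from the OpenSCAP project), the sketch below removes only the XCCDF `<platform>` elements with an XML parser and reports which CPE idrefs were dropped; `strip_platforms`, `local` and the sample benchmark are hypothetical names and constructed data.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample benchmark (not real SSG or DISA content).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  <Group id="g1"><platform idref="cpe:/o:redhat:enterprise_linux:5"/>
    <Rule id="r1" selected="true"><title>demo</title></Rule>
  </Group>
</Benchmark>"""


def local(tag):
    """Element name without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]


def strip_platforms(xml_data):
    """Remove every <platform> element; return (new_xml, removed_idrefs)."""
    root = ET.fromstring(xml_data)
    if root.tag.startswith("{"):
        # Keep the benchmark's own namespace as the default on output.
        ET.register_namespace("", root.tag[1:].split("}")[0])
    removed = []
    # Snapshot the tree first so removals do not disturb the traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) == "platform":
                removed.append(child.get("idref"))
                parent.remove(child)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: script.py input-xccdf.xml output-xccdf.xml (original kept)
        with open(sys.argv[1], "rb") as src:
            new_xml, idrefs = strip_platforms(src.read())
        with open(sys.argv[2], "w", encoding="utf-8") as dst:
            dst.write(new_xml)
    else:
        new_xml, idrefs = strip_platforms(SAMPLE)
    for idref in idrefs:
        print("removed platform:", idref)
```

With the platform elements gone the scanner has no applicability information to evaluate, so results from the stripped copy describe the rules only, not whether the content was written for the scanned system.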




