[Open-scap] "No TestResult" error with oscap xccdf generate fix
Shawn Wells
shawn at redhat.com
Tue Feb 5 16:24:41 UTC 2013
On 2/5/13 7:20 AM, Simon Lukasik wrote:
> On 02/02/2013 05:46 AM, Shawn Wells wrote:
>> >I am playing around with generating fix scripts from XCCDF content and I
>> >am receiving a "No TestResult" error. Here is the process and commands
>> >I'm using, could anybody point me in the right direction?
>> >
>> >My versions:
>>> >>$ cat /etc/redhat-release ; rpm -qv openscap openscap-utils
>>> >>Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>> >>openscap-0.9.2-1.el6.x86_64
>>> >>openscap-utils-0.9.2-1.el6.x86_64
>> >
>> >
>> >Within my XCCDF I have:
>>> >><Rule id="install_aide" severity="medium" selected="false">
>>> >>.......
>>> >><fix system="urn:xccdf:fix:script:bash">yum install aide</fix>
>>> >>.......
>>> >></Rule>
>> >
>> >I run a scan:
>>> >>oscap xccdf eval --profile stig-rhel6-server \
>>> >>--results /tmp/stig-results.xml \
>>> >>--report /tmp/stig-results.html \
>>> >>--oval-results \
>>> >>--cpe
>>> >>/var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-cpe-dictionary.xml
>>> >>\
>>> >>/var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-xccdf.xml
>>> >>...........
>> >
>> >And within my results file (/tmp/stig-results.xml):
>>> >><rule-result idref="install_aide" time="2013-02-01T16:51:03"
>>> >>severity="medium" weight="1.000000">
>>> >> <result>pass</result>
>>> >> <ident system="http://cce.mitre.org">CCE-27024-9</ident>
>>> >> <fix xmlns:xhtml="http://www.w3.org/1999/xhtml"
>>> >>system="urn:xccdf:fix:script:bash">yum install aide</fix>
>>> >> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
>>> >> <check-content-ref name="oval:ssg:def:1331"
>>> >>href="ssg-rhel6-oval.xml"/>
>>> >> </check>
>>> >> </rule-result>
>> >
>> >I then run the following to generate the fix script and receive the "No
>> >TestResult" error:
>>> >>## Attempt from results file
>>> >>$ oscap xccdf generate fix --result-id "install_aide"
>>> >>/tmp/stig-results.xml
>>> >>No TestResult 'install_aide'. Aborting.
>>> >>
>>> >>## Attempt from my XCCDF content
>>> >>$ oscap xccdf generate fix --result-id "install_aide" ssg-rhel6-xccdf.xml
>>> >>No TestResult 'install_aide'. Aborting.
>> >
>> >If I change <result> to "fail" within my results file I still receive
>> >the error. Any guidance is appreciated!
>> >
> Hello Shawn,
>
> The
>
> oscap xccdf generate fix
>
> does not take rule-result/@idref, but TestResult/@id. TestResult is
> high-level XCCDF element.
>
> $ oscap xccdf generate fix --help | grep result-id
> --result-id <id> - Fixes will be generated for failed
> rule-results of the specified TestResult.
>
> At this time you are unable to generate fix for a single rule-result. We
> are aware of some of generate-fix deficiencies and we are currently
> improving fix/remediation processing.
>
> Best Regards,
Thank you Simon! As Brian and yourself highlighted I wasn't using the
TestResult/@id.
Would you consider updating the manpage to call out this distinction?
More information about the Open-scap-list
mailing list