[Open-scap] help with SCE content creation

Shawn Wells shawn at redhat.com
Sat May 11 01:06:36 UTC 2013


I'm trying to create SCE checks and receiving a 'notchecked' status with 
"No candidate or applicable check found" in my results.xml. Below is my 
code, any pointers would be fantastic!


XCCDF as follows:
> <Group id="rhel6" hidden="false">
>   <title xml:lang="en-US">RHEL6 CVE and RHSA Scanning</title>
>   <description xml:lang="en-US">RHEL6 CVE and RHSA Scanning</description>
>   <Rule id="unconfined_daemons" selected="true" severity="medium">
>     <title xml:lang="en-US">Check that there are no unconfined daemons (SELINUX)</title>
>     <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
>       Test description
>     </description>
>     <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
>     Test rationale
>     </rationale>
>     <ident system="http://cce.mitre.org">CCE-26828-4</ident>
>     <check system="http://open-scap.org/page/SCE">
>       <check-import import-name="stdout" />
>       <check-content-ref href="unconfined_daemons.sh" />
>     </check>
>   </Rule>
> </Group>



The unconfined_daemons.sh script is one within OpenSCAP tests/ 
directory [1], however I modified it to set environmental variables:
> ## Set env variables
> XCCDF_RESULT_PASS=101; export XCCDF_RESULT_PASS
> XCCDF_RESULT_FAIL=102; export XCCDF_RESULT_FAIL
> XCCDF_RESULT_ERROR=103; export XCCDF_RESULT_ERROR
> XCCDF_RESULT_UNKNOWN=104; export XCCDF_RESULT_UNKNOWN
> XCCDF_RESULT_NOT_APPLICABLE=105; export XCCDF_RESULT_NOT_APPLICABLE
> XCCDF_RESULT_NOT_CHECKED=106; export XCCDF_RESULT_NOT_CHECKED
> XCCDF_RESULT_NOT_SELECTED=107; export XCCDF_RESULT_NOT_SELECTED
> XCCDF_RESULT_INFORMATIONAL=108; export XCCDF_RESULT_INFORMATIONAL
> XCCDF_RESULT_FIXED=109; export XCCDF_RESULT_FIXED


When I run the scan I receive a result of "notchecked." I've tried with 
and without CPE dictionaries (updating the XCCDF to reflect):
> # oscap xccdf eval --profile test \
> --cpe /var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-cpe-dictionary.xml \
> --results results.xml \
> xccdf.xml
> Title   Check that there are no unconfined daemons (SELINUX)
> Rule    unconfined_daemons
> Ident   CCE-26828-4
> Result  notchecked

Within the results.xml file, I have:
>     <rule-result idref="unconfined_daemons" time="2013-05-06T20:41:24" severity="medium" weight="1.000000">
>       <result>notchecked</result>
>       <ident system="http://cce.mitre.org">CCE-26828-4</ident>
>       <message severity="info">No candidate or applicable check found.</message>
>     </rule-result>

Any pointers to where I'm going wrong would be most appreciated!


[1] https://git.fedorahosted.org/cgit/openscap.git/tree/tests/sce/unconfined_daemons.sh
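
An SCE-style check in the shape this post describes, added here as an example; it is not the OpenSCAP tests/sce/unconfined_daemons.sh script and not the poster's code. It reports its result through the XCCDF_RESULT_* exit codes listed above and writes findings to stdout. The function name check_unconfined, the SAMPLE_PS data, the use of the initrc_t domain as the marker for an unconfined daemon, and the handling of a "-" label are assumptions of this example.

```shell
#!/bin/bash
# Added example; not the OpenSCAP test script or the poster's code.
# Keep values already present in the environment; otherwise fall back to the
# numbers listed in the post.
: "${XCCDF_RESULT_PASS:=101}"
: "${XCCDF_RESULT_FAIL:=102}"
: "${XCCDF_RESULT_ERROR:=103}"
: "${XCCDF_RESULT_NOT_APPLICABLE:=105}"

# check_unconfined (hypothetical name) reads `ps -eZ` style rows
# (LABEL PID TTY TIME CMD) on stdin. Findings go to stdout, which the Rule's
# <check-import import-name="stdout" /> asks to have imported into the results.
# Assumption: "unconfined" means the process runs in the initrc_t domain.
check_unconfined() {
    local label pid tty cpu cmd domain seen=0 labelled=0 bad=0
    while read -r label pid tty cpu cmd; do
        [ -z "$label" ] && continue
        [ "$label" = "LABEL" ] && continue        # header row
        seen=$((seen + 1))
        # Assumption: "-" means ps could not report an SELinux context.
        [ "$label" = "-" ] && continue
        labelled=$((labelled + 1))
        # Context is user:role:type[:level]; the third field is the domain.
        domain=$(printf '%s' "$label" | cut -d: -f3)
        if [ "$domain" = "initrc_t" ]; then
            echo "unconfined daemon: pid=$pid cmd=$cmd domain=$domain"
            bad=$((bad + 1))
        fi
    done
    [ "$seen" -eq 0 ] && return "$XCCDF_RESULT_ERROR"               # no input
    [ "$labelled" -eq 0 ] && return "$XCCDF_RESULT_NOT_APPLICABLE"  # no labels
    [ "$bad" -gt 0 ] && return "$XCCDF_RESULT_FAIL"
    return "$XCCDF_RESULT_PASS"
}

# Constructed sample input so the example runs without SELinux or oscap.
SAMPLE_PS='LABEL                              PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:01 init
system_u:system_r:sshd_t:s0-s0:c0.c1023  1402 ?        00:00:00 sshd
system_u:system_r:initrc_t:s0            2210 ?        00:00:03 customd'

demo_rc=0
printf '%s\n' "$SAMPLE_PS" | check_unconfined || demo_rc=$?
echo "exit code: $demo_rc"
# As a real check script the last lines would be: ps -eZ | check_unconfined; exit $?
```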



