[Open-scap] help with SCE content creation
Shawn Wells
shawn at redhat.com
Sat May 11 01:06:36 UTC 2013
I'm trying to create SCE checks and receiving a 'notchecked' status with
"No candidate or applicable check found" in my results.xml. Below is my
code, any pointers would be fantastic!
XCCDF as follows:
> <Group id="rhel6" hidden="false">
> <title xml:lang="en-US">RHEL6 CVE and RHSA Scanning</title>
> <description xml:lang="en-US">RHEL6 CVE and RHSA Scanning</description>
> <Rule id="unconfined_daemons" selected="true" severity="medium">
> <title xml:lang="en-US">Check that there are no unconfined daemons
> (SELINUX)</title>
> <description xmlns:xhtml="http://www.w3.org/1999/xhtml"
> xml:lang="en-US">
> Test description
> </description>
> <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml"
> xml:lang="en-US">
> Test rationale
> </rationale>
> <ident system="http://cce.mitre.org">CCE-26828-4</ident>
> <check system="http://open-scap.org/page/SCE">
> <check-import import-name="stdout" />
> <check-content-ref href="unconfined_daemons.sh" />
> </check>
> </Rule>
> </Group>
The unconfined_daemons.sh script is one within OpenSCAP tests/
directory [1], however I modified it to set environmental variables:
> ## Set env variables
> XCCDF_RESULT_PASS=101; export XCCDF_RESULT_PASS
> XCCDF_RESULT_FAIL=102; export XCCDF_RESULT_FAIL
> XCCDF_RESULT_ERROR=103; export XCCDF_RESULT_ERROR
> XCCDF_RESULT_UNKNOWN=104; export XCCDF_RESULT_UNKNOWN
> XCCDF_RESULT_NOT_APPLICABLE=105; export XCCDF_RESULT_NOT_APPLICABLE
> XCCDF_RESULT_NOT_CHECKED=106; export XCCDF_RESULT_NOT_CHECKED
> XCCDF_RESULT_NOT_SELECTED=107; export XCCDF_RESULT_NOT_SELECTED
> XCCDF_RESULT_INFORMATIONAL=108; export XCCDF_RESULT_INFORMATIONAL
> XCCDF_RESULT_FIXED=109; export XCCDF_RESULT_FIXED
When I run the scan I receive a result of "notchecked." I've tried with
and without CPE dictionaries (updating the XCCDF to reflect):
> # oscap xccdf eval --profile test \
> --cpe /var/www/html/scap-security-guide/RHEL6/output/ssg-rhel6-cpe-dictionary.xml \
> --results results.xml \
> xccdf.xml
> Title Check that there are no unconfined daemons (SELINUX)
> Rule unconfined_daemons
> Ident CCE-26828-4
> Result notchecked
Within the results.xml file, I have:
> <rule-result idref="unconfined_daemons" time="2013-05-06T20:41:24"
> severity="medium" weight="1.000000">
> <result>notchecked</result>
> <ident system="http://cce.mitre.org">CCE-26828-4</ident>
> <message severity="info">No candidate or applicable check
> found.</message>
> </rule-result>
Any pointers to where I'm going wrong would be most appreciated!
[1] https://git.fedorahosted.org/cgit/openscap.git/tree/tests/sce/unconfined_daemons.sh
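
An added triage sketch, not part of the original post and not OpenSCAP code: it lists each notchecked rule-result from a results file next to the check system and content reference that the XCCDF declares for that rule, which is the pairing the "No candidate or applicable check found" message refers to. The sample documents are constructed from the fragments quoted above, and the XCCDF 1.1 namespace and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the fragments quoted in the post. The XCCDF 1.1
# namespace is an assumption: the post does not show the Benchmark root element.
NS = "http://checklists.nist.gov/xccdf/1.1"
SAMPLE_XCCDF = f"""<Benchmark xmlns="{NS}" id="test"><Group id="rhel6">
  <Rule id="unconfined_daemons" selected="true" severity="medium">
    <check system="http://open-scap.org/page/SCE">
      <check-import import-name="stdout"/>
      <check-content-ref href="unconfined_daemons.sh"/>
    </check>
  </Rule>
</Group></Benchmark>"""
SAMPLE_RESULTS = f"""<Benchmark xmlns="{NS}" id="test"><TestResult id="r1">
  <rule-result idref="unconfined_daemons" severity="medium">
    <result>notchecked</result>
    <message severity="info">No candidate or applicable check
found.</message>
  </rule-result>
</TestResult></Benchmark>"""

def local(tag):
    """Drop the '{namespace}' prefix so files in any XCCDF namespace match."""
    return tag.rsplit("}", 1)[-1]

def find(elem, name):
    """All descendants of elem (and elem itself) with the given local name."""
    return [e for e in elem.iter() if local(e.tag) == name]

def declared_checks(xccdf_text):
    """Map rule id -> [(check system, content href)] declared in the XCCDF."""
    return {
        rule.get("id"): [(chk.get("system"), ref.get("href"))
                         for chk in find(rule, "check")
                         for ref in find(chk, "check-content-ref")]
        for rule in find(ET.fromstring(xccdf_text), "Rule")
    }

def notchecked_report(xccdf_text, results_text):
    """Pair each notchecked rule-result with its messages and declared checks."""
    checks = declared_checks(xccdf_text)
    report = []
    for rr in find(ET.fromstring(results_text), "rule-result"):
        if [(r.text or "").strip() for r in find(rr, "result")] == ["notchecked"]:
            msgs = [" ".join((m.text or "").split()) for m in find(rr, "message")]
            report.append((rr.get("idref"), msgs, checks.get(rr.get("idref"), [])))
    return report

if __name__ == "__main__":
    print(notchecked_report(SAMPLE_XCCDF, SAMPLE_RESULTS))
```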