[Open-scap] inconsistent reporting on auditd

Shawn Wells shawn at redhat.com
Wed Jan 25 19:02:56 UTC 2017



On 1/25/17 9:55 AM, Jan Cerny wrote:
> Hi,
>
> It might be a bug, but also there can be another reason why this rule failed.
>
> First thing that I would try is to add "--oval-results" to your command
> and run the scan again. This option adds more details into the HTML report,
> which hopefully could help you with identifying the problem.
>
> Best Regards
>
> Jan Černý
> Security Technologies | Red Hat, Inc.
>
> ----- Original Message -----
>> From: "Luke Hinds" <lhinds at redhat.com>
>> To: open-scap-list at redhat.com
>> Sent: Tuesday, January 24, 2017 11:40:19 PM
>> Subject: [Open-scap] inconsistent reporting on auditd
>>
>> Hi,
>>
>> When performing an xccdf scan of Centos 7 I am finding the report of auditd
>> rule entries inconsistent with how the file is configured.
>>
>> The following is reported as a fail, yet it's an exact match for the scap
>> report entry:
>>
>> https://i.imgur.com/m1q7CLf.png
>>
>> The following is a pass:
>>
>> https://i.imgur.com/LqDiRPO.png
>>
>> My command:
>>
>> # oscap xccdf eval --profile common --report ~/report-xccdf.html --results
>> ~/results.xml --cpe
>> /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
>> /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
>>
>> Should I raise this as a bug?

What version of SSG?

I don't recall the SSG version that it was patched in, but the original
RHEL7 OVAL content only accepted audit rules with "-k foo", not "-F
key=foo", as shown in your audit.rules.

The patch was made 16-DEC, so may not be shipping in RHEL yet...

https://github.com/OpenSCAP/scap-security-guide/commit/66f76d6158a1cd44a91f7f27286022755065e4b6
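To make the distinction in the reply concrete, here is an added illustration (not code from the thread, from SSG or from the linked commit): two hypothetical regex-based checks over a constructed audit.rules snippet, one that only recognises the "-k foo" spelling and one that also accepts "-F key=foo", so a rule written the newer way fails the first check and passes the second.

```python
import re

# Constructed sample audit.rules content (not taken from the thread). Both
# lines are file watches; only the way the key is given differs.
SAMPLE_RULES = """\
# key given with -k (the form the original OVAL content expected)
-w /etc/sudoers -p wa -k actions
# key given with -F key= (equivalent auditctl syntax)
-w /etc/shadow -p wa -F key=audit_rules_usergroup_modification
"""

# Hypothetical approximation of the older check: only "-k <key>" is accepted.
OLD_KEY_RE = r"-k\s+(\S+)"
# Hypothetical approximation of the patched check: either spelling is accepted.
NEW_KEY_RE = r"(?:-k\s+|-F\s+key=)(\S+)"


def watch_rule_keyed(rules_text: str, path: str, key_re: str = NEW_KEY_RE) -> bool:
    """True if a non-comment line is a '-w <path> -p wa <key>' watch rule
    whose key is written in a form that key_re recognises."""
    pat = re.compile(r"^-w\s+" + re.escape(path) + r"\s+-p\s+wa\s+" + key_re + r"\s*$")
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments, as auditctl does
        if pat.match(line):
            return True
    return False


def evaluate(rules_text: str, path: str) -> dict:
    """Evaluate one watched path under both check variants."""
    return {
        "old_check": watch_rule_keyed(rules_text, path, OLD_KEY_RE),
        "new_check": watch_rule_keyed(rules_text, path, NEW_KEY_RE),
    }


if __name__ == "__main__":
    for p in ("/etc/sudoers", "/etc/shadow"):
        print(p, evaluate(SAMPLE_RULES, p))
```

The /etc/shadow rule is exactly the situation described above: a correct rule that an older "-k"-only pattern reports as a fail.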


