[Open-scap] inconsistent reporting on auditd

Luke Hinds lhinds at redhat.com
Mon Jan 30 11:29:43 UTC 2017


On Wed, Jan 25, 2017 at 7:02 PM, Shawn Wells <shawn at redhat.com> wrote:

>
>
> On 1/25/17 9:55 AM, Jan Cerny wrote:
> > Hi,
> >
> > It might be a bug, but also there can be another reason why this rule failed.
> >
> > First thing that I would try is to add "--oval-results" to your command
> > and run the scan again. This option adds more details into the HTML report,
> > which hopefully could help you with identifying the problem.
> >
> > Best Regards
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.
> >
> > ----- Original Message -----
> >> From: "Luke Hinds" <lhinds at redhat.com>
> >> To: open-scap-list at redhat.com
> >> Sent: Tuesday, January 24, 2017 11:40:19 PM
> >> Subject: [Open-scap] inconsistent reporting on auditd
> >>
> >> Hi,
> >>
> >> When performing an xccdf scan of CentOS 7 I am finding the report of auditd
> >> rule entries inconsistent with how the file is configured.
> >>
> >> The following is reported as a fail, yet it's an exact match for the scap
> >> report entry:
> >>
> >> https://i.imgur.com/m1q7CLf.png
> >>
> >> The following is a pass:
> >>
> >> https://i.imgur.com/LqDiRPO.png
> >>
> >> My command:
> >>
> >> # oscap xccdf eval --profile common --report ~/report-xccdf.html --results ~/results.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
> >>
> >> Should I raise this as a bug?
>
> What version of SSG?
>
> I don't recall the SSG version that it was patched in, but the original
> RHEL7 OVAL content only accepted audit rules with "-k foo", not "-F key=foo",
> as shown in your audit.rules.
>
> The patch was made 16-DEC, so may not be shipping in RHEL yet...
>
> https://github.com/OpenSCAP/scap-security-guide/commit/66f76d6158a1cd44a91f7f27286022755065e4b6
>
>
scap-security-guide-0.1.30

This was from the CentOS repository, although I just checked on RHEL and
those are incorrectly reporting too (for the standard profile).
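As an added illustration (not code from this thread or from the SSG project), the following Python check shows why content that only recognises `-k foo` reports a rule written as `-F key=foo` as missing, which is the mismatch described above; the audit.rules lines are constructed samples.

```python
import shlex

# Constructed audit.rules excerpt: the same kind of rule written both ways.
SAMPLE_RULES = """
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -F key=identity
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
# comment lines and blank lines are ignored by auditctl
"""


def rule_key_naive(line):
    """Return the key only when it is given as '-k KEY' (the older, stricter match)."""
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok == "-k" and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def rule_key(line):
    """Return the key whether it is given as '-k KEY' or as '-F key=KEY'."""
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if i + 1 >= len(tokens):
            break
        if tok == "-k":
            return tokens[i + 1]
        if tok == "-F" and tokens[i + 1].startswith("key="):
            return tokens[i + 1][len("key="):]
    return None


def rules_with_key(text, key, key_fn=rule_key):
    """Return the non-comment rule lines in text whose key (per key_fn) equals key."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if key_fn(line) == key:
            found.append(line)
    return found


if __name__ == "__main__":
    # The naive matcher sees one 'identity' rule, the tolerant one sees both.
    print(len(rules_with_key(SAMPLE_RULES, "identity", rule_key_naive)))
    print(len(rules_with_key(SAMPLE_RULES, "identity")))
```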