[Open-scap] Not able to make SCE script working
Šimon Lukašík
slukasik at redhat.com
Wed Apr 25 14:32:53 UTC 2018
On 04/25/2018 02:10 PM, Raymond Mercier wrote:
> Yes, because scap_1402.sh is an external script in the same folder as
> ds.xml file. I (badly) supposed that oscap program would directly call
> the external file but this is not the case.
>
I think when you pick the XCCDF file and run
oscap ds sds-compose SOMETHING SOMETHING [*]
it will compose a new DS file for you with the script inside.
[*] I don't remember the operands, but `oscap ds sds-compose --help`
should help.
Best,
~š.
> How can I pack my script in ds.xml file, is there some resource that can
> explain?
>
> 2018-04-25 14:05 GMT+02:00 Šimon Lukašík <slukasik at redhat.com>:
>
> On 04/25/2018 10:24 AM, Raymond Mercier wrote:
> > Hi Simon
> >
> > I updated, the error message is different (but still present)
> >
> > xml file:
> > <ns10:Rule id="xccdf_1_rule_1402" selected="true" severity="medium">
> > <ns10:title>selinux</ns10:title>
> > <ns10:description>Checks if you have SELinux enabled</ns10:description>
> > <ns10:check system="http://open-scap.org/page/SCE">
> > <ns10:check-import import-name="stdout" />
> > <ns10:check-content-ref href="scap_1402.sh" />
> > </ns10:check>
> > </ns10:Rule>
> >
> > output:
> > [root]# oscap xccdf eval --profile xccdf_1_profile_1 rm-ds.xml
> > Title selinux
> > Rule xccdf_1_rule_1402
> > Result notchecked
> >
> > OpenSCAP Error: SCE couldn't find script file 'scap_1402.sh'. Expected
> > location: '/tmp/oscap.3sSrgD/scap_1402.sh'. [sce_engine.c:387]
> >
>
> I couldn't find the SCE script in your datastream as well.
>
> OpenSCAP just unpacks the Datastream XML into tmp dir like
> /tmp/oscap.3sSrgD/ and executes the scan. There is no scap_1402.sh in
> the xml you provided.
>
> Best,
> ~š.
>
> > Same kind of error message if I set absolute path /root/scap_1402.sh
> >
> > Thank you for help
> > Raymond
> >
> >
> > 2018-04-25 10:12 GMT+02:00 Šimon Lukašík <slukasik at redhat.com>:
> >
> > On 04/25/2018 09:47 AM, Raymond Mercier wrote:
> > > <ns10:Rule id="xccdf_1_rule_1402" selected="true" severity="medium">
> > > <ns10:title>selinux</ns10:title>
> > > <ns10:description>Checks if you have SELinux enabled</ns10:description>
> > > <ns10:check system="http://wordpress-www-open-scap-org.b9ad.pro-us-east-1.openshiftapps.com/page/SCE">
> >
> > This check/system doesn't feel right. :)
> >
> > The usage at https://www.open-scap.org/features/other-standards/sce/ says
> > we should use http://open-scap.org/page/SCE instead.
> >
> > Audit, Fix and Be Merry,
> > ~š.
> >
> >
> > > <ns10:check-import import-name="stdout" />
> > > <ns10:check-content-ref href="scap_1402.sh" />
> > > </ns10:check>
> > > </ns10:Rule>
> >
> >
>
>
> ~š.
>
>
~š.
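
An added example, not part of the thread and not OpenSCAP code: a pre-flight check to run on the XCCDF file before composing the datastream. It reports SCE checks whose script is not beside the XCCDF file, whose href is absolute (the thread reports that failing the same way), or whose check system only resembles http://open-scap.org/page/SCE. The function names, finding labels and sample benchmark are constructed; matching a look-alike URI by its /page/SCE suffix is an assumption of this sketch.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SCE_SYSTEM = "http://open-scap.org/page/SCE"  # check system named in the thread

def local(tag):
    """Strip the XML namespace so the ns10: prefix mapping does not matter."""
    return tag.rsplit("}", 1)[-1]

def audit_sce_refs(xccdf_path):
    """Return (rule_id, problem, detail) tuples for SCE checks that will not resolve."""
    base = os.path.dirname(os.path.abspath(xccdf_path))
    findings = []
    for rule in (e for e in ET.parse(xccdf_path).iter() if local(e.tag) == "Rule"):
        for check in (c for c in rule if local(c.tag) == "check"):
            system = check.get("system", "")
            if system != SCE_SYSTEM:
                # Assumption: only a look-alike URI is reported; OVAL etc. is skipped.
                if system.endswith("/page/SCE"):
                    findings.append((rule.get("id"), "wrong-system", system))
                continue
            for ref in (r for r in check if local(r.tag) == "check-content-ref"):
                href = ref.get("href", "")
                if os.path.isabs(href):
                    findings.append((rule.get("id"), "absolute-href", href))
                elif not os.path.isfile(os.path.join(base, href)):
                    findings.append((rule.get("id"), "missing-script", href))
    return findings

# Constructed sample: the first rule resolves, the second has no script on disk,
# the third uses the mirror URI quoted in the oldest message of the thread.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
<Rule id="xccdf_1_rule_ok"><check system="http://open-scap.org/page/SCE">
  <check-content-ref href="ok.sh"/></check></Rule>
<Rule id="xccdf_1_rule_1402"><check system="http://open-scap.org/page/SCE">
  <check-content-ref href="scap_1402.sh"/></check></Rule>
<Rule id="xccdf_1_rule_badsys"><check system="http://wordpress-www-open-scap-org.b9ad.pro-us-east-1.openshiftapps.com/page/SCE">
  <check-content-ref href="ok.sh"/></check></Rule>
</Benchmark>"""

def demo():
    """Write the sample and one script into a temp dir, then audit it."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ok.sh").write_text("#!/bin/sh\nexit 0\n")
        Path(d, "xccdf.xml").write_text(SAMPLE)
        return audit_sce_refs(os.path.join(d, "xccdf.xml"))

if __name__ == "__main__":
    print(demo())
```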