[Open-scap] OSCAP - CVE information

Mohanraj, Bharath bharath_mohanraj_tp at bmc.com
Thu Aug 30 13:01:18 UTC 2018


Hi Marek,



Thanks for your reply.



I'm using the RHEL7 XCCDF that is shipped with SCAP Security Guide. So based on your reply, it looks like these XCCDF XMLs, which are part of SSG, will not have CVEs linked.



In that case, can you please guide me to the location from where I can get the required XMLs for evaluating all platforms supported by OSCAP?



Also, is the command going to be similar to xccdf? Right now I'm using the two commands below:

oscap xccdf eval --profile <profile_name> --results <result_xml> --progress <xccdf_xml>

oscap xccdf eval --remediate --profile <profile_name> --tailoring-file <tailoring_file> --results <result_xml> --progress <xccdf_xml>



Will the command remain the same for oval as well, except for changing "oscap xccdf eval" to "oscap oval eval"? Please clarify.



Regards,

Bharath M



-----Original Message-----
From: Marek Haicman <mhaicman at redhat.com>
Sent: Thursday, August 30, 2018 5:53 PM
To: Mohanraj, Bharath <bharath_mohanraj_tp at bmc.com>; open-scap-list <open-scap-list at redhat.com>
Subject: Re: [Open-scap] OSCAP - CVE information



On 08/30/2018 02:05 PM, Mohanraj, Bharath wrote:
> Hi Team,
>
> I'm using the oscap scanner on linux boxes, for triggering "oscap
> xccdf eval" command. In the output generated, one of the info I would
> need to present is the CVE for each rule. However, I don't see the CVE
> info for the rules in the xccdf xmls (no <ident> tag for CVEs under the rules).
>
> Can you please help me understand how I can capture the CVE associated
> with each rule?
>
> Regards,
>
> Bharath M



Hello Bharath,

what xccdf xmls are you using? In case you target RHEL, then CVE vulnerabilities are detected using content downloaded from https://www.redhat.com/security/data/oval/ and scanned using `oscap oval eval`. Content shipped in SCAP Security Guide is configuration guidance, which is a different approach to security. Thus no CVE information is linked.



In case you consume CVE content for different platforms, it's up to them to produce it with proper metadata.



Hope it helps,

Marek
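
Added example, not part of the original emails or of the OpenSCAP project: one way to list the CVEs tied to each evaluated definition, by reading the `<reference source="CVE">` metadata from an OVAL results file such as one written by `oscap oval eval --results <result_xml> <oval_xml>`. The embedded sample is constructed; its definition ids, titles and CVE numbers are placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "r": "http://oval.mitre.org/XMLSchema/oval-results-5"}

# Constructed sample shaped like an OVAL results file (placeholder ids and CVEs).
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
  <definition class="patch" id="oval:example:def:1" version="1"><metadata>
   <title>EXAMPLE-0001: package-a security update</title>
   <reference source="RHSA" ref_id="EXAMPLE-0001"/>
   <reference source="CVE" ref_id="CVE-0000-0001"/>
   <reference source="CVE" ref_id="CVE-0000-0002"/>
  </metadata></definition>
  <definition class="patch" id="oval:example:def:2" version="1"><metadata>
   <title>EXAMPLE-0002: package-b security update</title>
   <reference source="CVE" ref_id="CVE-0000-0003"/>
  </metadata></definition>
 </definitions></oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:example:def:1" version="1" result="true"/>
  <definition definition_id="oval:example:def:2" version="1" result="false"/>
 </definitions></system></results>
</oval_results>"""

def cves_by_definition(results_xml):
    """Return one row per evaluated definition: id, result, title and CVE list."""
    root = ET.fromstring(results_xml)
    meta = {}
    # The results file embeds the definitions that were evaluated, metadata included.
    for d in root.iterfind(".//d:definitions/d:definition", NS):
        refs = d.iterfind("d:metadata/d:reference", NS)
        cves = [x.get("ref_id") for x in refs if x.get("source") == "CVE"]
        meta[d.get("id")] = (d.findtext("d:metadata/d:title", "", NS), cves)
    rows = []
    # Join each per-system result back to its definition metadata by id.
    for res in root.iterfind(".//r:system/r:definitions/r:definition", NS):
        title, cves = meta.get(res.get("definition_id"), ("", []))
        rows.append({"id": res.get("definition_id"), "result": res.get("result"),
                     "title": title, "cves": cves})
    return rows

if __name__ == "__main__":
    for row in cves_by_definition(SAMPLE_RESULTS):
        print(row["result"], row["id"], ",".join(row["cves"]), row["title"])
```

A result of `true` means the definition's criteria matched on the scanned host; definitions without any CVE reference come back with an empty list.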