<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> <div class="moz-cite-prefix">On 2/27/15 12:33 PM, Ray Blair wrote: </div> <blockquote cite="mid:54F0AA79.60601@comcast.net" type="cite"> I am using scap-security-guide-0.1.20.tar and OpenSCAP version 1.0.3.2 that ships with rhel7 The command I am running is: oscap xccdf eval –profile stig-rhel7-server-upstream –cpe ssg-rhel7-cpe-dictionary.xml –reports “somefilename” --results “somefilename” ssg-rhel7-xccdf.xml It seems to run fine until I add more checks. For instance if I enable check kdump service it comes back with notchecked. I get the same results for most additional checks. I have tried several iterations of running with and without specifying the profile, cpe dictionary file and have tried using a tailoring file and get the same results. I got the latest OpenSCAP version (1.2.1-0.1) and compiled it with the --enable–sce option. Now the results are notapplicable instead of notchecked. I am not sure if this is progress. I also tried several other compiler options with the same results . I am probably missing something simple. </blockquote> SSG's RHEL7 content is still in active churn (which is part of why it's not shipping in RHEL7 yet). Much of the underlying OVAL content hasn't been ported from RHEL6 to RHEL7 yet, which is likely causing the notchecked results. Here's the upstream repo of OVAL checks: <a class="moz-txt-link-freetext" href="https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/7/input/checks">https://github.com/OpenSCAP/scap-security-guide/tree/master/RHEL/7/input/checks</a> Or expressed another way, for the 406 RHEL7 XCCDF rules, only 131 have OVAL so far: $ grep -rin "<Rule" RHEL/7/input/ | wc -l 406 $ ls RHEL/7/input/checks/ | wc -l 131 </body> </html>