[Spacewalk-list] Issues with oscap + SW v1.8

Snyder, Chris Chris_Snyder at sra.com
Mon Nov 26 17:42:59 UTC 2012


I'm having issues trying to audit my hosts with openscap and spacewalk v1.8 with the latest DISA STIGS for RHEL5. No matter what I try to do, the results of the audit commands I schedule via Spacewalk all return the tests as 'notapplicable'.

Using latest DISA STIG for RHEL5:  u_redhat_5-v1r1_stig_benchmark.zip
(for testing purposes, the zip file was simply exploded under /root on my target test host)

On my target host:
[root@bob ~]# rpm -qa |grep scap
spacewalk-oscap-0.0.10-1.el5
openscap-utils-0.9.1-1.el5
openscap-0.9.1-1.el5

(I tried to use openscap v0.9.2, but it seems that it has issues with the STIG V1R1 XML code, whereas 0.9.1 runs without error, but I'm willing to try 0.9.2 again.)

After scheduling an audit for my target host via the SW webGUI, and checking 'rhn_check -vvv' output on the target host, I'm seeing the following executing on the target system:
    oscap xccdf eval  /root/U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml

I then ran the command by hand, and indeed, all tests do return a result of 'notapplicable'.

When I try the recommended command line string from the OpenSCAP folks, per http://www.open-scap.org/page/Documentation#How_to_Evaluate_DISA_STIG.28RHEL5.29, I actually get real 'pass/fail' output for my target host:

    oscap xccdf eval --profile MAC-1_Public --cpe /root/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml /root/U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml

I then tried again without the '--profile MAC-1_Public' and I still got my 'pass/fail' correctly. So it seems that the '--cpe' argument is required to make V1R1 work correctly.

I tried to add both the '--profile' and '--cpe' arguments to Spacewalk via the webGUI, but after the audit was run, I noticed there was an error returned; it refuses the '--cpe':
   xccdf_eval: Following arguments forbidden: --cpe /root/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml

Am I using openscap incorrectly here, or should the '--cpe' argument be allowed/required via the webGUI?

Thanks,
Chris.
--
Chris Snyder
SRA Senior Linux Geek
Energystar Network O+M Team
ESTAR Issues: https://estar18.energystar.gov/
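
A check for the symptom reported in this message, added here as an example and not part of the original post or of Spacewalk/OpenSCAP: it tallies the rule results in an XCCDF results file and flags a scan in which no rule was actually evaluated. It assumes the results were saved with `oscap xccdf eval --results FILE`; the sample documents and rule ids are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Outcomes that mean a rule was never really tested on the host.
NOT_EVALUATED = {"notapplicable", "notselected", "notchecked"}

# Constructed samples: trimmed XCCDF 1.1 results; rule ids are placeholders.
SAMPLE_ALL_NA = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <TestResult id="constructed-run-1">
    <rule-result idref="rule-A"><result>notapplicable</result></rule-result>
    <rule-result idref="rule-B"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

SAMPLE_MIXED = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <TestResult id="constructed-run-2">
    <rule-result idref="rule-A"><result>pass</result></rule-result>
    <rule-result idref="rule-B"><result>fail</result></rule-result>
    <rule-result idref="rule-C"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""


def _local(tag):
    """Strip the namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def tally_results(xml_text):
    """Return a Counter of rule-result outcomes found in the document."""
    counts = Counter()
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "rule-result":
            continue
        for child in elem:
            if _local(child.tag) == "result":
                counts[(child.text or "").strip()] += 1
    return counts


def audit_is_meaningful(counts):
    """False when every rule ended up notapplicable/notselected/notchecked."""
    return any(n for outcome, n in counts.items() if outcome not in NOT_EVALUATED)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALL_NA
    counts = tally_results(text)
    print(dict(counts))
    sys.exit(0 if audit_is_meaningful(counts) else 2)
```

Run against a saved results file, a non-zero exit marks an audit that reported results without testing anything, which is otherwise easy to mistake for a clean scan.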
