We are using 1.2.10. Thanks.

-----Original Message-----
From: open-scap-list-boun...@redhat.com 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of 
open-scap-list-requ...@redhat.com
Sent: Monday, March 20, 2017 9:00 AM
To: open-scap-list@redhat.com
Subject: Open-scap-list Digest, Vol 96, Issue 11

Today's Topics:

   1. Re: Anaconda Addon and Tail (Jan Lieskovsky)
   2. Re: Open-scap-list Digest, Vol 96, Issue 8 (Watson Yuuma Sato)


----------------------------------------------------------------------

Message: 1
Date: Mon, 20 Mar 2017 05:54:41 -0400 (EDT)
From: Jan Lieskovsky <jlies...@redhat.com>
To: spammewo...@cox.net
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Anaconda Addon and Tail
Message-ID:
        <2147052187.4238479.1490003681830.javamail.zim...@redhat.com>
Content-Type: text/plain; charset=utf-8


Hello,

----- Original Message -----
> From: spammewo...@cox.net
> To: open-scap-list@redhat.com
> Sent: Friday, March 17, 2017 6:09:43 PM
> Subject: [Open-scap] Anaconda Addon and Tail
> 
> I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I want
> to use the Anaconda oscap addon.    The addon works well with the default
> setting,  but I'm having an issue using it with a tailored file that I
> created through the openscap workbench.    I am getting the error messages
> "OpenSCAP Error: Unable to open file:
> /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]"  and 
> "Unrecognized document type for 
> /run/install/repo/scap/ssg-rhel7-ds.xml
> {oscap_source.c307]"

I am guessing the issue is there because OAA tries to open the wrong /
non-existent file (it tries "/run/install/repo/scap/ssg-rhel7-ds.xml"
instead of "../../../../run/install/repo/scap/ssg-rhel7-ds.xml").

> 
> Here is the addon section from my kickstart file.
> 
> %addon org_fedora_oscap
>     content-type = scap-security-guide
>     profile = stig-rhel7-workstation-upstream
>     tailoring-path = ../../../../run/install/repo/scap/ssg-rhel7-ds.xml
> %end
> 
> Does anyone know what I'm doing wrong ?

AFAICT in the default installation, anaconda creates a chroot and mounts
"/mnt/sysimage" as "/". If you want to use a DS file outside of the chroot, a
simple "reference to parent folder" won't work. You either first need to copy
that DS file under the chroot tree, something like here:
  
http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-4/

IOW, have the %post section consist of two stages (in the first, copy the DS
file; in the latter, use it).

Another option is to put that DS file on some remotely accessible HTTP server,
and tell OAA to fetch that DS file remotely (this might actually be an easier
option than modifying the %post section).

> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
> 

HTH, Jan



------------------------------

Message: 2
Date: Mon, 20 Mar 2017 11:52:24 +0100
From: Watson Yuuma Sato <ws...@redhat.com>
To: "Greg Silverman (CS)" <greg.silver...@veritas.com>,
        "open-scap-list@redhat.com" <open-scap-list@redhat.com>
Subject: Re: [Open-scap] Open-scap-list Digest, Vol 96, Issue 8
Message-ID: <b5c74c2e-9e58-aa64-ac1f-e89337d75...@redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

Hi Greg,

On 17/03/17 21:06, Greg Silverman (CS) wrote:
> Still having problems, the generated script is an empty file.
>
> Here is the tailoring file I created, ssg-rhel7-ds-tailoring.xml, with the 
> workbench. It is just an example, to verify I can customize the scanning and 
> fix generation. This tailoring should *not* check for install AIDE, and, it 
> should be sure to check for FIPS compliance, and, if possible, fix that:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
>    <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
>    <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
>    <xccdf:Profile id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized" extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
>      <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">STIG for Red Hat Enterprise Linux 7 Server [CUSTOMIZED]</xccdf:title>
>      <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</xccdf:description>
>      <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
>      <xccdf:select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="false"/>
>      <xccdf:select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="false"/>
>      <xccdf:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
>      <xccdf:select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="true"/>
>      <xccdf:select idref="xccdf_org.ssgproject.content_group_fips" selected="true"/>
>      <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed" selected="true"/>
>      <xccdf:select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/>
>    </xccdf:Profile>
> </xccdf:Tailoring>
>
> I ran this command
>
> oscap xccdf generate fix \
>     --profile xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized \
>     --tailoring-file ssg-rhel7-ds-tailoring.xml --output script.sh \
>     /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
>
> The script.sh file is created, there is no error, but, the file is empty. 
> Why???

Could you please check the version of OpenSCAP you are using?

I have tested your customization and command with OpenSCAP version 1.2.10, and 
the remediation script is generated empty, but with version 1.2.13, the latest 
upstream, the remediation script is ok.


--
Watson Sato
Security Technologies | Red Hat, Inc
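
A pre-flight check for a tailoring file like the one quoted above, added here as an example (not code from the thread or from the OpenSCAP project): it lists which rules and groups each customized profile switches on or off, and confirms that the id passed to `--profile` is actually defined in the file. The function names are made up for this example, and the embedded sample is an abbreviated, constructed copy of the posted file.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: abbreviated from the tailoring file quoted in the thread.
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
  <xccdf:Profile id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized" extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_fips" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def summarize_tailoring(xml_text):
    """Return the benchmark href and, per profile, its base profile and select overrides."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Tailoring" % XCCDF_NS["xccdf"]:
        raise ValueError("not an XCCDF 1.2 Tailoring document: %s" % root.tag)
    bench = root.find("xccdf:benchmark", XCCDF_NS)
    profiles = {}
    for prof in root.findall("xccdf:Profile", XCCDF_NS):
        enabled, disabled = [], []
        for sel in prof.findall("xccdf:select", XCCDF_NS):
            target = enabled if sel.get("selected") == "true" else disabled
            target.append(sel.get("idref"))
        profiles[prof.get("id")] = {"extends": prof.get("extends"), "enabled": enabled, "disabled": disabled}
    return {"benchmark": bench.get("href") if bench is not None else None, "profiles": profiles}

def check_profile(xml_text, profile_id):
    """List problems that would make `--profile profile_id` meaningless for this tailoring file."""
    summary = summarize_tailoring(xml_text)
    problems = []
    prof = summary["profiles"].get(profile_id)
    if prof is None:
        problems.append("profile %r is not defined in the tailoring file" % profile_id)
    elif not prof["enabled"] and not prof["disabled"]:
        problems.append("profile %r changes no selections" % profile_id)
    return problems

if __name__ == "__main__":
    print(summarize_tailoring(SAMPLE_TAILORING))
```
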



------------------------------

End of Open-scap-list Digest, Vol 96, Issue 11
**********************************************