We are using 1.2.10. Thanks.

-----Original Message-----
From: open-scap-list-boun...@redhat.com [mailto:open-scap-list-boun...@redhat.com] On Behalf Of open-scap-list-requ...@redhat.com
Sent: Monday, March 20, 2017 9:00 AM
To: open-scap-list@redhat.com
Subject: Open-scap-list Digest, Vol 96, Issue 11

Today's Topics:

   1. Re: Anaconda Addon and Tail (Jan Lieskovsky)
   2. Re: Open-scap-list Digest, Vol 96, Issue 8 (Watson Yuuma Sato)

----------------------------------------------------------------------

Message: 1
Date: Mon, 20 Mar 2017 05:54:41 -0400 (EDT)
From: Jan Lieskovsky <jlies...@redhat.com>
To: spammewo...@cox.net
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Anaconda Addon and Tail
Message-ID: <2147052187.4238479.1490003681830.javamail.zim...@redhat.com>
Content-Type: text/plain; charset=utf-8

Hello,

----- Original Message -----
> From: spammewo...@cox.net
> To: open-scap-list@redhat.com
> Sent: Friday, March 17, 2017 6:09:43 PM
> Subject: [Open-scap] Anaconda Addon and Tail
>
> I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I want
> to use the Anaconda oscap addon. The addon works well with the default
> setting, but I'm having an issue using it with a tailored file that I
> created through the openscap workbench. I am getting the error messages
> "OpenSCAP Error: Unable to open file:
> /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]" and
> "Unrecognized document type for
> /run/install/repo/scap/ssg-rhel7-ds.xml
> {oscap_source.c307]"

I am guessing the issue is there because OAA tries to open a wrong / non-existent file (it tries "/run/install/repo/scap/ssg-rhel7-ds.xml" instead of "../../../../run/install/repo/scap/ssg-rhel7-ds.xml").

>
> Here is the addon section from my kickstart file.
>
> %addon org_fedora_oscap
>     content-type = scap-security-guide
>     profile = stig-rhel7-workstation-upstream
>     tailoring-path = ../../../../run/install/repo/scap/ssg-rhel7-ds.xml
> %end
>
> Does anyone know what I'm doing wrong ?

AFAICT in the default installation, anaconda creates a chroot and mounts "/mnt/sysimage" as "/". If you want to use a DS file outside of the chroot, a simple "reference to parent folder" won't work.

You either first need to copy that DS file under the chroot tree. Something like here:

http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-4/

IOW have the %post section have two stages (in the first copy the DS file, in the latter use it).

Another option is to put that DS file on some remotely accessible HTTP server, and tell OAA to fetch that DS file remotely (this might actually be an easier option than modifying the %post section).

>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
>

HTH, Jan

------------------------------

Message: 2
Date: Mon, 20 Mar 2017 11:52:24 +0100
From: Watson Yuuma Sato <ws...@redhat.com>
To: "Greg Silverman (CS)" <greg.silver...@veritas.com>, "open-scap-list@redhat.com" <open-scap-list@redhat.com>
Subject: Re: [Open-scap] Open-scap-list Digest, Vol 96, Issue 8
Message-ID: <b5c74c2e-9e58-aa64-ac1f-e89337d75...@redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

Hi Greg,

On 17/03/17 21:06, Greg Silverman (CS) wrote:
> Still having problems, the generated script is an empty file.
>
> Here is the tailoring file I created, ssg-rhel7-ds-tailoring.xml, with the
> workbench. It is just an example, to verify I can customize the scanning and
> fix generation. This tailoring should *not* check for install AIDE, and, it
> should be sure to check for FIPS compliance, and, if possible, fix that:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
>     id="xccdf_scap-workbench_tailoring_default">
>   <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
>   <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
>   <xccdf:Profile
>       id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized"
>       extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
>     <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"
>         override="true">STIG for Red Hat Enterprise Linux 7 Server [CUSTOMIZED]</xccdf:title>
>     <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml"
>         xml:lang="en-US" override="true">This is a *draft* profile for STIG. This
>       profile is being developed under the DoD consensus model to become a STIG in
>       coordination with DISA FSO.</xccdf:description>
>     <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed"
>         selected="false"/>
>     <xccdf:select idref="xccdf_org.ssgproject.content_rule_aide_build_database"
>         selected="false"/>
>     <xccdf:select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking"
>         selected="false"/>
>     <xccdf:select idref="xccdf_org.ssgproject.content_group_aide"
>         selected="false"/>
>     <xccdf:select idref="xccdf_org.ssgproject.content_group_remediation_functions"
>         selected="true"/>
>     <xccdf:select idref="xccdf_org.ssgproject.content_group_fips"
>         selected="true"/>
>     <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed"
>         selected="true"/>
>     <xccdf:select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"
>         selected="true"/>
>   </xccdf:Profile>
> </xccdf:Tailoring>
>
> I ran this command
>
> oscap xccdf generate fix --profile
> xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized
> --tailoring-file ssg-rhel7-ds-tailoring.xml --output script.sh
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
>
> The script.sh file is created, there is no error, but, the file is empty.
> Why???

Could you please check the version of OpenSCAP you are using?

I have tested your customization and command with OpenSCAP version 1.2.10, and the remediation script is generated empty, but with version 1.2.13, the latest upstream, the remediation script is ok.

--
Watson Sato
Security Technologies | Red Hat, Inc

------------------------------

End of Open-scap-list Digest, Vol 96, Issue 11
**********************************************
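Two checks a practitioner would want after reading this thread, as an added example (not code from the OpenSCAP project or from anyone in the thread): parse the tailoring file to confirm what the customized profile actually selects and deselects before handing it to `--tailoring-file`, and compare the installed oscap version against 1.2.13, the version Watson reports as producing a non-empty remediation script where 1.2.10 produced an empty one. The embedded tailoring is a constructed sample that mirrors the structure of Greg's file (a subset of its rule and group ids, same namespace and profile ids); `installed_oscap_version` only shells out to `oscap --version` when the binary is present, and `fix_script_nonempty` checks for the zero-byte `script.sh` symptom.

```python
"""Inspect an XCCDF 1.2 tailoring file and sanity-check the oscap version.

Added example, not code from the OpenSCAP project or from this thread.
"""
import os
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Thread reports: 1.2.10 produced an empty fix script, 1.2.13 produced a good one.
FIX_GENERATION_OK_SINCE = (1, 2, 13)

# Constructed sample that mirrors the structure of the tailoring posted in
# the thread (a subset of its rule/group ids); it is not the original file.
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
  <xccdf:Profile id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized"
      extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
    <xccdf:title>STIG for Red Hat Enterprise Linux 7 Server [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_fips" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def parse_tailoring(xml_text):
    """Map each profile id to its base profile and its select decisions.

    Returns {profile_id: {"extends": base_id, "selects": {idref: bool}}}.
    Raises ValueError if the root element is not an XCCDF 1.2 Tailoring,
    which is the document type oscap expects behind --tailoring-file
    (pointing it at a datastream instead is the mistake in Message 1).
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{XCCDF_NS}}}Tailoring":
        raise ValueError(f"not an XCCDF 1.2 Tailoring document: {root.tag}")
    profiles = {}
    for prof in root.findall("xccdf:Profile", NS):
        selects = {}
        for sel in prof.findall("xccdf:select", NS):
            # XCCDF 'selected' is an xs:boolean; "true" and "1" both mean selected.
            selects[sel.get("idref")] = sel.get("selected", "true").lower() in ("true", "1")
        profiles[prof.get("id")] = {"extends": prof.get("extends"), "selects": selects}
    return profiles


def deselected_ids(profiles, profile_id):
    """Sorted ids the profile explicitly turns off (the AIDE items in the thread)."""
    sel = profiles[profile_id]["selects"]
    return sorted(i for i, on in sel.items() if not on)


def parse_version(text):
    """Extract the first dotted x.y.z version from 'oscap --version' output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def fix_generation_reported_ok(version):
    """True if the version is at least the one the thread reports as working."""
    return tuple(version) >= FIX_GENERATION_OK_SINCE


def installed_oscap_version():
    """Version tuple of the local oscap binary, or None if it is not installed."""
    if shutil.which("oscap") is None:
        return None
    out = subprocess.run(["oscap", "--version"], capture_output=True, text=True, check=False)
    return parse_version(out.stdout)


def fix_script_nonempty(path):
    """The symptom in the thread was a zero-byte script.sh; flag that case."""
    return os.path.isfile(path) and os.path.getsize(path) > 0


if __name__ == "__main__":
    profiles = parse_tailoring(SAMPLE_TAILORING)
    for pid, info in profiles.items():
        print(f"{pid}\n  extends {info['extends']}")
        for idref in deselected_ids(profiles, pid):
            print(f"  deselected {idref}")
    ver = installed_oscap_version()
    if ver is None:
        print("oscap not found; skipping version check")
    elif not fix_generation_reported_ok(ver):
        print("oscap %s: 'generate fix' with a tailoring may produce an empty script" % ".".join(map(str, ver)))
    else:
        print("oscap %s: version at or above the one reported as working" % ".".join(map(str, ver)))
```

Run it against a real file with `parse_tailoring(open("ssg-rhel7-ds-tailoring.xml").read())`; the ValueError branch is what you hit when a datastream (`ssg-rhel7-ds.xml`) is passed where a tailoring is expected, which is the same confusion behind the "Unrecognized document type" error in the first message.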