Hi All,

Before bothering you with my problems I would just like to say thanks for all the great work on scap-security-guide you guys are doing. We're investigating a good basis for our Linux security baseline and OpenSCAP+SSG is spot on.

When running `oscap xccdf eval --profile server rhel6-xccdf-scap-security-guide.xml` the following error is returned:

```
1 1871 In file 'rhel6-xccdf-scap-security-guide.xml' on line 3201: Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is not expected. Expected is ( {http://checklists.nist.gov/xccdf/1.1}signature ).
```

I'm new to scap-security-guide (so browsing the xccdf file was a bit daunting :-) but the above mentioned `<Value id="password_history_retain_number"...>` tag seems out of place in a `<Rule id="set_password_hashing_algorithm"...>` context:

```xml
<Rule id="set_password_hashing_algorithm" severity="low" selected="false">
  <title>Set Password Hashing Algorithm</title>
  <description>... </description>
  <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5</reference>
  <rationale> Using a stronger hashing algorithm makes password cracking attacks more difficult. </rationale>
  <ident system="http://cce.mitre.org">CCE-14063-2</ident>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="rhel6-oval-scap-security-guide.xml" name="oval:scap-security-guide:def:839"/>
  </check>
</Rule>
<Value id="password_history_retain_number" type="number" operator="equals" interactive="0">
  <title>remember</title>
  <description>The last n passwords for each user are saved in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/opasswd</xhtml:code> in order to force password change history and keep the user from alternating between the same password too frequently.</description>
  <value selector="">5</value>
  <value selector="0">0</value>
  <value selector="5">5</value>
  <value selector="10">10</value>
</Value>
```

I'm on RHEL6 and so might be running old(er) software. Is Fedora 16/17 necessary or am I missing something?

Here's what I did:

```
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)

rpm -q git openscap-utils python-lxml
git-1.7.1-2.el6_0.1.x86_64
openscap-utils-0.8.0-2.el6.x86_64
python-lxml-2.2.3-1.1.el6.x86_64

cd scap-security-guide
git log
commit 5454d44eee80becb5c1b8929bf6498edfa3bfdcb
Merge: 405d61e a0f2e7e
Author: Kevin Spargur <kspar...@redhat.com>
Date: Wed Jul 25 19:59:05 2012 -0400

    Merge branch 'master' of ssh://git.fedorahosted.org/git/scap-securi
...

cd scap-security-guide/RHEL6
make all
...
oscap xccdf generate guide --profile allrules output/rhel6-xccdf.xml > output/rhel6-guide.html
WARNING: Processing an unresolved XCCDF document. This may have unexpected results.
...
Duplicate ID, which will not be added: var_samba_private_directory
Duplicate ID, which will not be added: state_uid_root
Duplicate ID, which will not be added: object_etc_skel_files
Duplicate ID, which will not be added: var_removable_partition
Duplicate ID, which will not be added: var_removable_partition
Duplicate ID, which will not be added: var_ssh_config_directory
...

cd dist/content
oscap xccdf eval --profile server rhel6-xccdf-scap-security-guide.xml
1 1871 In file 'rhel6-xccdf-scap-security-guide.xml' on line 3201: Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is not expected. Expected is ( {http://checklists.nist.gov/xccdf/1.1}signature ).
```

Regards,
Willem.
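
A pre-flight check for the condition the validator reports above, added here as an example (it is not part of the original post or of scap-security-guide). It assumes, as the error message implies, that in XCCDF 1.1 a `Value` must come before any sibling `Rule` or `Group` inside its container; the function name and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace taken from the validator message in the post.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"


def q(tag):
    """Qualify a local tag name with the XCCDF 1.1 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


def misplaced_values(xml_text):
    """Return (container_id, value_id, preceding_item_id) for every Value
    that appears after a Rule or Group sibling in a Benchmark or Group."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        if parent.tag not in (q("Benchmark"), q("Group")):
            continue
        last_item = None  # id of the most recent Rule/Group sibling seen
        for child in parent:
            if child.tag in (q("Rule"), q("Group")):
                last_item = child.get("id", "?")
            elif child.tag == q("Value") and last_item is not None:
                findings.append((parent.get("id"), child.get("id"), last_item))
    return findings


# Constructed sample reproducing the layout quoted in the post: a Value
# placed after a Rule. The container and the first Value are hypothetical.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Group id="sample_group">
    <Value id="sample_leading_value" type="number"><value>1</value></Value>
    <Rule id="set_password_hashing_algorithm" severity="low" selected="false"/>
    <Value id="password_history_retain_number" type="number"><value>5</value></Value>
  </Group>
</Benchmark>"""

if __name__ == "__main__":
    for container, value_id, after in misplaced_values(SAMPLE):
        print("Value %r follows %r inside %r" % (value_id, after, container))
```
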