While running SCC 3.1.1.1 against the SSG 0.1-14-14 content, with either the 
stig-rhel6-server or usgcb-rhel6-server profile selected from the SCAP stream, 
and rpm_verify_permissions = false, there appear to be variables that are 
referenced in the OVAL file but are not declared in the XCCDF, and the value is 
being used in XCCDF without being declared.

usgcb-rhel6-server profile:
SCC Warning:
"[WARN] Value 'umask_user_value' was not found"

declaration in XCCDF: 
# /bin/grep -ir "<value id.* 'umask_user_value" /opt/scc/Resources/
<null>

reference in XCCDF:
# /bin/grep -ir "value idref.*umask_user_value" /opt/scc/Resources/
/opt/scc/Resources/Content/ssg-rhel6-xccdf.xml: <refine-value idref="umask_user_value" selector="077"/>
# /bin/grep "umask_user_value" /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml -A13|/bin/grep "oval:ssg:var"|/usr/bin/uniq
<check-export export-name="oval:ssg:var:2261" value-id="var_accounts_user_umask"/>

reference in OVAL:
/bin/grep -i "2261" /opt/scc/Resources/Content/ssg-rhel6-oval.xml 
<ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:2261"/>
<ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:2261"/>
<ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:2261"/>
<ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:2261"/>
<external_variable comment="umask for user shell" datatype="string" id="oval:ssg:var:2261" version="1"/>
 

stig-rhel6-server profile:
SCC Warning:
"[WARN] Value 'sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value' was not found."

declaration in XCCDF: 
# /bin/grep -ir "<value id.*sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" /opt/scc/Resources/
<null>

reference in XCCDF:
# /bin/grep -ir "value idref.*sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" /opt/scc/Resources/
/opt/scc/Resources/Content/ssg-rhel6-xccdf.xml: <refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/>
/opt/scc/Resources/Content/ssg-rhel6-xccdf.xml: <refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/>
/opt/scc/Resources/Content/ssg-rhel6-xccdf.xml: <refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/>

reference in OVAL:
<null>

SCC Warning:
[WARN] Value 'var_password_min_len' was not found.
[WARN] Value 'var_password_max_age' was not found.
[WARN] Value 'var_password_min_age' was not found.
[WARN] Value 'var_password_warn_age' was not found.

$ /bin/grep -E "var_password_[m|w]" /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml
    <refine-value idref="var_password_min_len" selector="6"/>
    <refine-value idref="var_password_max_age" selector="90"/>
    <refine-value idref="var_password_min_age" selector="7"/>
    <refine-value idref="var_password_warn_age" selector="7"/>

$ /bin/grep -E "var_password_[m|w]" /opt/scc/Resources/Content/ssg-rhel6-oval.xml
$ <null>
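
Added example (not part of the original message, and not SCC or SSG code): the grep cross-check above done in one pass, listing refine-value and check-export references that have no Value declaration and OVAL external variables that no check-export feeds. The embedded XCCDF and OVAL snippets are constructed samples; the names audit and elems and the id oval:ssg:var:9999 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed XCCDF sample: two refine-value idrefs have no <Value> declaration.
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
 <Profile id="usgcb-rhel6-server">
  <refine-value idref="umask_user_value" selector="077"/>
  <refine-value idref="var_password_min_len" selector="6"/>
  <refine-value idref="var_accounts_user_umask" selector="077"/>
 </Profile>
 <Value id="var_accounts_user_umask" type="string"><value selector="077">077</value></Value>
 <Rule id="sample_rule"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <check-export export-name="oval:ssg:var:2261" value-id="var_accounts_user_umask"/>
 </check></Rule>
</Benchmark>"""

# Constructed OVAL sample: var 9999 (hypothetical id) is never exported by the XCCDF.
OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <variables>
  <external_variable comment="umask for user shell" datatype="string" id="oval:ssg:var:2261" version="1"/>
  <external_variable comment="constructed" datatype="string" id="oval:ssg:var:9999" version="1"/>
 </variables>
</oval_definitions>"""

def elems(root, name):
    """All elements with the given local name, ignoring the XML namespace."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(xccdf_text, oval_text):
    """Cross-check XCCDF value declarations, references and OVAL external variables."""
    x, o = ET.fromstring(xccdf_text), ET.fromstring(oval_text)
    declared = {e.get("id") for e in elems(x, "Value")}      # <Value id=...>
    refined = {e.get("idref") for e in elems(x, "refine-value")}
    exports = {e.get("export-name"): e.get("value-id") for e in elems(x, "check-export")}
    external = {e.get("id") for e in elems(o, "external_variable")}
    return {
        "refine_value_undeclared": sorted(refined - declared),
        "check_export_undeclared": sorted({v for v in exports.values() if v not in declared}),
        "external_var_not_exported": sorted(external - set(exports)),
        "export_without_external_var": sorted(set(exports) - external),
    }

if __name__ == "__main__":
    for finding, ids in audit(XCCDF, OVAL).items():
        print(f"{finding}: {ids or 'none'}")
```

To check real content, pass the text of ssg-rhel6-xccdf.xml and ssg-rhel6-oval.xml to audit() in place of the samples.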