It requires an extra hack because ‘version’ on CentOS won’t match the specified
pattern; here is how I did it to keep it compatible with RHEL:
1. Add an extra criterion:
<criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="test_rhel_workstation" />
  <criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="test_rhel_server" />
  <criterion comment="CentOS 6 is installed" test_ref="test_centos" />
</criteria>
2. Add an extra test:
<linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="centos-release is version 6" id="test_centos" version="1">
  <linux:object object_ref="obj_centos" />
  <linux:state state_ref="state_centos" />
</linux:rpminfo_test>
<linux:rpminfo_state id="state_centos" version="1">
  <linux:version operation="pattern match">^6</linux:version>
</linux:rpminfo_state>
<linux:rpminfo_object id="obj_centos" version="1">
  <linux:name>centos-release</linux:name>
</linux:rpminfo_object>
Another weirder issue on the original SSG check: I don’t think this check works
on ‘pure’ RHEL6 either but the platform still matches for some reason I do not
understand.
When I use ‘--oval-results’, in the CPE result file
(ssg-rhel6-cpe-oval.xml.result.xml) the test_rhel_* tests all fail for the
same reason, i.e.:
<lin-sys:version>6Server</lin-sys:version>
Won’t match:
<lin-def:version operation="pattern match">^6\.\d+$</lin-def:version>
Thus resulting in ‘false’ for test_rhel_server:
<test test_id="oval:ssg:tst:103" version="1" check="all" result="false">
<tested_item item_id="1046111" result="false"/>
</test>
and consequently for installed_OS_is_rhel6:
<definition definition_id="oval:ssg:def:100" result="false" version="1">
But the definition still works ok, although it doesn’t on CentOS… What am I
getting wrong here?
Thanks!
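The matching behaviour described in this message, as an added example (not part of the original message and not SSG code): a minimal evaluator for the criteria/test/state structure shown above, run against constructed package inventories. The namespace-free element names, the `redhat-release-server` package name and the sample version strings are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment: the CentOS test from the message plus one RHEL test that uses
# the pattern quoted from the results file. Namespaces are dropped for brevity and
# "redhat-release-server" is an assumed package name.
OVAL = r"""<oval>
  <criteria operator="OR">
    <criterion test_ref="test_rhel_server"/>
    <criterion test_ref="test_centos"/>
  </criteria>
  <rpminfo_test id="test_rhel_server" check="all" check_existence="at_least_one_exists">
    <object object_ref="obj_rhel_server"/><state state_ref="state_rhel_server"/>
  </rpminfo_test>
  <rpminfo_test id="test_centos" check="all" check_existence="at_least_one_exists">
    <object object_ref="obj_centos"/><state state_ref="state_centos"/>
  </rpminfo_test>
  <rpminfo_object id="obj_rhel_server"><name>redhat-release-server</name></rpminfo_object>
  <rpminfo_object id="obj_centos"><name>centos-release</name></rpminfo_object>
  <rpminfo_state id="state_rhel_server"><version operation="pattern match">^6\.\d+$</version></rpminfo_state>
  <rpminfo_state id="state_centos"><version operation="pattern match">^6</version></rpminfo_state>
</oval>"""

def eval_test(root, test_id, installed):
    """installed maps an rpm name to the list of installed version strings."""
    test = root.find(f"rpminfo_test[@id='{test_id}']")
    obj = root.find(f"rpminfo_object[@id='{test.find('object').get('object_ref')}']")
    state = root.find(f"rpminfo_state[@id='{test.find('state').get('state_ref')}']")
    versions = installed.get(obj.findtext("name"), [])
    if not versions:  # check_existence="at_least_one_exists" is not satisfied
        return False
    pattern = state.findtext("version")
    # check="all": every collected item has to satisfy the state's pattern
    return all(re.search(pattern, v) for v in versions)

def eval_definition(installed):
    root = ET.fromstring(OVAL)
    crit = root.find("criteria")
    results = {c.get("test_ref"): eval_test(root, c.get("test_ref"), installed) for c in crit}
    combine = any if crit.get("operator") == "OR" else all
    return combine(results.values()), results

if __name__ == "__main__":
    # Constructed inventories, one per line of output
    for inv in ({"centos-release": ["6"]},
                {"redhat-release-server": ["6Server"]},
                {"redhat-release-server": ["6.5"]}):
        print(inv, "->", eval_definition(inv))
```
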
From: [email protected]
[mailto:[email protected]] On Behalf Of Trey Henefield
Sent: Wednesday, 18 June 2014 12:31
To: SCAP Security Guide
Subject: RE: Anyone using rhel6 ssg for centos6?
The check for Red Hat 6 is pulled from:
scap-security-guide\RHEL\6\input\checks\installed_OS_is_rhel6.xml
Simply change the two references to 'redhat-release' to state 'centos-release'
instead. Then rebuild.
That should do it.
Best regards,
Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics
Advanced Tactical Systems, Inc.
-----Original Message-----
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Pettorino, Jeffrey D CTR USAF USAFA USAFA/DFAN
Sent: Tuesday, June 17, 2014 4:01 PM
To: '[email protected]'
Subject: Anyone using rhel6 ssg for centos6?
I have been trying to get oscap working on my CentOS6.5 network core, without
luck.
Everything comes back with "Result notapplicable".
I am pretty new to SCAP and XCCDF, but am a long-time user of Nessus and
Security Center (prior to ACAS program by DISA).
Does anyone have suggestions where I can find some in depth guidance to adjust
the rhel6 configs to CentOS?
--
Jeff
v/r,
Jeffrey D. Pettorino, GCIH, CISSP
Systems Engineer
High Performance Computing Research Center United States Air Force Academy