… it seems OpenSCAP is using its own ‘openscap-cpe-dict.xml’ and that’s why the SSG platform check “works”. The checks in ‘ssg-rhel6-cpe-dictionary.xml’ always fail.

From: [email protected] On Behalf Of Rui Pedro Bernardino
Sent: Wednesday, 18 June 2014 13:21
To: SCAP Security Guide
Subject: RE: Anyone using rhel6 ssg for centos6?

It requires an extra hack because ‘version’ on CentOS won’t match the specified pattern; here is how I did it to keep it compatible with RHEL:

1. Add an extra criterion:

    <criteria operator="OR">
      <criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" test_ref="test_rhel_workstation" />
      <criterion comment="Red Hat Enterprise Linux 6 Server is installed" test_ref="test_rhel_server" />
      <criterion comment="CentOS 6 is installed" test_ref="test_centos" />
    </criteria>

2. Add an extra test:

    <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="centos-release is version 6" id="test_centos" version="1">
      <linux:object object_ref="obj_centos" />
      <linux:state state_ref="state_centos" />
    </linux:rpminfo_test>
    <linux:rpminfo_state id="state_centos" version="1">
      <linux:version operation="pattern match">^6</linux:version>
    </linux:rpminfo_state>
    <linux:rpminfo_object id="obj_centos" version="1">
      <linux:name>centos-release</linux:name>
    </linux:rpminfo_object>

Another weirder issue on the original SSG check: I don’t think this check works on ‘pure’ RHEL6 either but the platform still matches for some reason I do not understand.

When I use ‘--oval-results’, in the CPE result file (ssg-rhel6-cpe-oval.xml.result.xml), the test_rhel_* tests all fail for the same reason, i.e.:

    <lin-sys:version>6Server</lin-sys:version>

Won’t match:

    <lin-def:version operation="pattern match">^6\.\d+$</lin-def:version>

Thus resulting in ‘false’ for test_rhel_server:

    <test test_id="oval:ssg:tst:103" version="1" check="all" result="false">
      <tested_item item_id="1046111" result="false"/>
    </test>

and consequently for installed_OS_is_rhel6:

    <definition definition_id="oval:ssg:def:100" result="false" version="1">

But the definition still works ok, although it doesn’t on CentOS… What am I getting wrong here?

Thanks!

From: [email protected] On Behalf Of Trey Henefield
Sent: Wednesday, 18 June 2014 12:31
To: SCAP Security Guide
Subject: RE: Anyone using rhel6 ssg for centos6?

The check for Red Hat 6 is pulled from:

    scap-security-guide\RHEL\6\input\checks\installed_OS_is_rhel6.xml

Simply change the two references to 'redhat-release' to state 'centos-release' instead. Then rebuild. That should do it.

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
[email protected]
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com

-----Original Message-----
From: [email protected] On Behalf Of Pettorino, Jeffrey D CTR USAF USAFA USAFA/DFAN
Sent: Tuesday, June 17, 2014 4:01 PM
To: '[email protected]'
Subject: Anyone using rhel6 ssg for centos6?

I have been trying to get oscap working on my CentOS6.5 network core, without luck. Everything comes back with "Result notapplicable". I am pretty new to SCAP and XCCDF, but am a long-time user of Nessus and Security Center (prior to ACAS program by DISA).

Does anyone have suggestions where I can find some in-depth guidance to adjust the rhel6 configs to CentOS?

-- Jeff

v/r,
Jeffrey D. Pettorino, GCIH, CISSP
Systems Engineer
High Performance Computing Research Center
United States Air Force Academy
[email protected]
719/333-9391
----
The use of the Unix philosophy just for UNIX was a great waste. Fortunately, Linux came along.
- Bellevue Linux User Group member, 2005

_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
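
Added example, not part of the original messages: a minimal Python evaluation of the rpminfo tests quoted in this thread, showing why `6Server` fails `^6\.\d+$` and how the extra `test_centos` criterion changes the OR result. The RHEL object and state ids, the RHEL package names, the dropped namespace prefixes and the installed-package inventories are assumptions constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment: the CentOS test/state/object and the RHEL pattern are
# quoted in the thread; RHEL object/state ids are assumed, prefixes dropped.
OVAL = r"""<oval>
 <criteria operator="OR">
  <criterion test_ref="test_rhel_workstation"/>
  <criterion test_ref="test_rhel_server"/>
  <criterion test_ref="test_centos"/>
 </criteria>
 <rpminfo_test id="test_rhel_workstation" check_existence="at_least_one_exists">
  <object object_ref="obj_rhel_workstation"/><state state_ref="state_rhel"/></rpminfo_test>
 <rpminfo_test id="test_rhel_server" check_existence="at_least_one_exists">
  <object object_ref="obj_rhel_server"/><state state_ref="state_rhel"/></rpminfo_test>
 <rpminfo_test id="test_centos" check_existence="at_least_one_exists">
  <object object_ref="obj_centos"/><state state_ref="state_centos"/></rpminfo_test>
 <rpminfo_state id="state_rhel"><version operation="pattern match">^6\.\d+$</version></rpminfo_state>
 <rpminfo_state id="state_centos"><version operation="pattern match">^6</version></rpminfo_state>
 <rpminfo_object id="obj_rhel_workstation"><name>redhat-release-workstation</name></rpminfo_object>
 <rpminfo_object id="obj_rhel_server"><name>redhat-release-server</name></rpminfo_object>
 <rpminfo_object id="obj_centos"><name>centos-release</name></rpminfo_object>
</oval>"""

def evaluate(installed):
    """installed: {rpm name: version}. Returns (per-test results, definition result)."""
    root = ET.fromstring(OVAL)
    names = {o.get("id"): o.findtext("name") for o in root.iter("rpminfo_object")}
    patterns = {s.get("id"): s.findtext("version") for s in root.iter("rpminfo_state")}
    tests = {}
    for t in root.iter("rpminfo_test"):
        version = installed.get(names[t.find("object").get("object_ref")])
        pattern = patterns[t.find("state").get("state_ref")]
        # at_least_one_exists: an absent package fails the test outright.
        tests[t.get("id")] = version is not None and re.search(pattern, version) is not None
    refs = [c.get("test_ref") for c in root.find("criteria")]
    return tests, any(tests[r] for r in refs)  # operator="OR"

# Constructed inventories; "6Server" is the version reported in the thread,
# "6" is an assumed centos-release version.
RHEL6 = {"redhat-release-server": "6Server"}
CENTOS6 = {"centos-release": "6"}

if __name__ == "__main__":
    for label, inv in (("RHEL 6 Server", RHEL6), ("CentOS 6", CENTOS6)):
        print(label, *evaluate(inv))
```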
