Bond, You have to two files for CentOS: - ssg-centos6-cpe-dictionary.xml - ssg-centos6-cpe-oval.xml
ssg-centos6-cpe-dictionary.xml describes the platform. (CPE stands for Common Platform Enumeration). But ssg-centos6-cpe-oval.xml consists of the "Open Vulnerability Assessment Language" code that _tests_ whether your platform is is CentOS. You must have both, b/c the first file refers to the second file. You can get them here: https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml You can put the files anywhere, just make sure they are in the same directory together, and reference the full path/to/ssg-centos6-cpe-dictionary.xml Greg On Mon, Jul 6, 2015 at 5:46 PM, Bond Masuda <[email protected]> wrote: > Thanks Jan! Please see inline response below... > > On 07/04/2015 04:32 AM, Jan Lieskovsky wrote: > > Hello Bond, > > > > thank you for your report. > > > > ----- Original Message ----- > > > > I can reproduce that issue, when issuing just 'plain' "make" in the > > scap-security-guide-0.1.23 folder. The issue is Fedora content by > > default requires OVAL-5.11 language version already, and the version > > of the openscap RPM you are trying to build Fedora content against > > (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support OVAL-5.11 > > language version yet. > > > > We will correct this problem in an official way in the upcoming 0.1.24 > > upstream release (should be available for download during next week). > > > > For now please use the following workaround (in the > scap-security-guide-0.1.23 > > directory after expanding the tarball), issue the following command: > > > > # make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm > > > > This will correctly produce working RPM that can be subsequently used > > on RHEL-6 / CentOS6 system. > > Yes, I was able to build the RPM, however not able to run with oscap. > More below... > > >> As of SCAP Security Guide release 0.1.23, CentOS content is now > available > >> (any older version will require tweaking). See the announcement here: > >> > https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html > >> > >> You can download and build the SSG content from > >> https://github.com/OpenSCAP/scap-security-guide > >> > >> When you run the XCCDF, you have to specify the CentOS XCCDF like below: > >> > >> # oscap xccdf eval --profile stig-rhel6-server-upstream \ > >> --results /tmp/`hostname`-ssg-results.xml \ > >> --report /tmp/`hostname`-ssg-results.html \ > >> --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \ > >> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml > >> > >> Please note that I believe that ssg-centos6-cpe-dictionary.xml is not > being > >> built with SSG. OpenSCAP is here: https://github.com/openscap/openscap > and > >> the announcement here: So I believe all that needs to be done is: > >> > >> # oscap xccdf eval --profile stig-rhel6-server-upstream \ > >> --results /tmp/`hostname`-ssg-results.xml \ > >> --report /tmp/`hostname`-ssg-results.html \ > >> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml > >> > > Trying to run the last command above without specifying CPE, results in > all tests being "notapplicable". And I confirmed there is no > cpe-dictionary.xml being built for CentOS6. > > What am I missing? > -Bond > -- > SCAP Security Guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > https://github.com/OpenSCAP/scap-security-guide/ >
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
