Greg, Thank you for your links and help. Confirmed that with your CPE dictionary and OVAL file, I was able to run the content in oscap.
Jan or Gabe: The SCAP content from 0.1.23 release, even after getting it to build with the suggested 'make' argument by Jan, does not appear to be functional. Is this a bug or is it because I'm not doing something correctly? Thanks, -Bond On 07/06/2015 03:20 PM, Greg Elin wrote: > Bond, > > You have to two files for CentOS: > - ssg-centos6-cpe-dictionary.xml > - ssg-centos6-cpe-oval.xml > > ssg-centos6-cpe-dictionary.xml describes the platform. (CPE stands for > Common Platform Enumeration). > > But ssg-centos6-cpe-oval.xml consists of the "Open Vulnerability > Assessment Language" code that _tests_ whether your platform is is > CentOS. You must have both, b/c the first file refers to the second file. > > You can get them here: > https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml > https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml > > You can put the files anywhere, just make sure they are in the same > directory together, and reference the full > path/to/ssg-centos6-cpe-dictionary.xml > > Greg > > On Mon, Jul 6, 2015 at 5:46 PM, Bond Masuda <[email protected] > <mailto:[email protected]>> wrote: > > Thanks Jan! Please see inline response below... > > On 07/04/2015 04:32 AM, Jan Lieskovsky wrote: > > Hello Bond, > > > > thank you for your report. > > > > ----- Original Message ----- > > > > I can reproduce that issue, when issuing just 'plain' "make" in the > > scap-security-guide-0.1.23 folder. The issue is Fedora content by > > default requires OVAL-5.11 language version already, and the version > > of the openscap RPM you are trying to build Fedora content against > > (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support > OVAL-5.11 > > language version yet. > > > > We will correct this problem in an official way in the upcoming > 0.1.24 > > upstream release (should be available for download during next > week). > > > > For now please use the following workaround (in the > scap-security-guide-0.1.23 > > directory after expanding the tarball), issue the following command: > > > > # make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm > > > > This will correctly produce working RPM that can be subsequently > used > > on RHEL-6 / CentOS6 system. > > Yes, I was able to build the RPM, however not able to run with oscap. > More below... > > >> As of SCAP Security Guide release 0.1.23, CentOS content is now > available > >> (any older version will require tweaking). See the announcement > here: > >> > > https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html > >> > >> You can download and build the SSG content from > >> https://github.com/OpenSCAP/scap-security-guide > >> > >> When you run the XCCDF, you have to specify the CentOS XCCDF > like below: > >> > >> # oscap xccdf eval --profile stig-rhel6-server-upstream \ > >> --results /tmp/`hostname`-ssg-results.xml \ > >> --report /tmp/`hostname`-ssg-results.html \ > >> --cpe > /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \ > >> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml > >> > >> Please note that I believe that ssg-centos6-cpe-dictionary.xml > is not being > >> built with SSG. OpenSCAP is here: > https://github.com/openscap/openscap and > >> the announcement here: So I believe all that needs to be done is: > >> > >> # oscap xccdf eval --profile stig-rhel6-server-upstream \ > >> --results /tmp/`hostname`-ssg-results.xml \ > >> --report /tmp/`hostname`-ssg-results.html \ > >> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml > >> > > Trying to run the last command above without specifying CPE, > results in > all tests being "notapplicable". And I confirmed there is no > cpe-dictionary.xml being built for CentOS6. > > What am I missing? > -Bond > -- > SCAP Security Guide mailing list > [email protected] > <mailto:[email protected]> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > https://github.com/OpenSCAP/scap-security-guide/ > > > >
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
