Bond,
Try running the following:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
--results /tmp/`hostname`-ssg-results.xml \
--report /tmp/`hostname`-ssg-results.html \
--cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
/usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
On Mon, Jul 6, 2015 at 6:19 PM, Bond Masuda <[email protected]>
wrote:
> Greg,
>
> Thank you for your links and help. Confirmed that with your CPE dictionary
> and OVAL file, I was able to run the content in oscap.
>
> Jan or Gabe:
>
> The SCAP content from 0.1.23 release, even after getting it to build with
> the suggested 'make' argument by Jan, does not appear to be functional. Is
> this a bug or is it because I'm not doing something correctly?
>
> Thanks,
> -Bond
>
>
> On 07/06/2015 03:20 PM, Greg Elin wrote:
>
> Bond,
>
> You have to two files for CentOS:
> - ssg-centos6-cpe-dictionary.xml
> - ssg-centos6-cpe-oval.xml
>
> ssg-centos6-cpe-dictionary.xml describes the platform. (CPE stands for
> Common Platform Enumeration).
>
> But ssg-centos6-cpe-oval.xml consists of the "Open Vulnerability
> Assessment Language" code that _tests_ whether your platform is is CentOS.
> You must have both, b/c the first file refers to the second file.
>
> You can get them here:
>
> https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml
>
> https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml
>
> You can put the files anywhere, just make sure they are in the same
> directory together, and reference the full
> path/to/ssg-centos6-cpe-dictionary.xml
>
> Greg
>
> On Mon, Jul 6, 2015 at 5:46 PM, Bond Masuda <[email protected]>
> wrote:
>
>> Thanks Jan! Please see inline response below...
>>
>> On 07/04/2015 04:32 AM, Jan Lieskovsky wrote:
>> > Hello Bond,
>> >
>> > thank you for your report.
>> >
>> > ----- Original Message -----
>> >
>> > I can reproduce that issue, when issuing just 'plain' "make" in the
>> > scap-security-guide-0.1.23 folder. The issue is Fedora content by
>> > default requires OVAL-5.11 language version already, and the version
>> > of the openscap RPM you are trying to build Fedora content against
>> > (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support OVAL-5.11
>> > language version yet.
>> >
>> > We will correct this problem in an official way in the upcoming 0.1.24
>> > upstream release (should be available for download during next week).
>> >
>> > For now please use the following workaround (in the
>> scap-security-guide-0.1.23
>> > directory after expanding the tarball), issue the following command:
>> >
>> > # make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm
>> >
>> > This will correctly produce working RPM that can be subsequently used
>> > on RHEL-6 / CentOS6 system.
>>
>> Yes, I was able to build the RPM, however not able to run with oscap.
>> More below...
>>
>> >> As of SCAP Security Guide release 0.1.23, CentOS content is now
>> available
>> >> (any older version will require tweaking). See the announcement here:
>> >>
>> https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html
>> >>
>> >> You can download and build the SSG content from
>> >> https://github.com/OpenSCAP/scap-security-guide
>> >>
>> >> When you run the XCCDF, you have to specify the CentOS XCCDF like
>> below:
>> >>
>> >> # oscap xccdf eval --profile stig-rhel6-server-upstream \
>> >> --results /tmp/`hostname`-ssg-results.xml \
>> >> --report /tmp/`hostname`-ssg-results.html \
>> >> --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
>> >> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
>> >>
>> >> Please note that I believe that ssg-centos6-cpe-dictionary.xml is not
>> being
>> >> built with SSG. OpenSCAP is here: https://github.com/openscap/openscap
>> and
>> >> the announcement here: So I believe all that needs to be done is:
>> >>
>> >> # oscap xccdf eval --profile stig-rhel6-server-upstream \
>> >> --results /tmp/`hostname`-ssg-results.xml \
>> >> --report /tmp/`hostname`-ssg-results.html \
>> >> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
>> >>
>>
>> Trying to run the last command above without specifying CPE, results in
>> all tests being "notapplicable". And I confirmed there is no
>> cpe-dictionary.xml being built for CentOS6.
>>
>> What am I missing?
>> -Bond
>> --
>> SCAP Security Guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>> https://github.com/OpenSCAP/scap-security-guide/
>>
>
>
>
>
>
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
>
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
