Hello Bond, replies inline below.
----- Original Message -----
> From: "Bond Masuda" <[email protected]>
> To: [email protected]
> Sent: Tuesday, July 7, 2015 2:19:47 AM
> Subject: Re: Using the RHEL specific SCAP content for CentOS
>
> Greg,
>
> Thank you for your links and help. Confirmed that with your CPE dictionary
> and OVAL file, I was able to run the content in oscap.
>
> Jan or Gabe:
>
> The SCAP content from 0.1.23 release, even after getting it to build with the
> suggested 'make' argument by Jan, does not appear to be functional. Is this
> a bug or is it because I'm not doing something correctly?

The issue you were experiencing is a bit wider. The OpenSCAP scanner / "oscap"
tool, when deciding if a particular benchmark is applicable to the system in
question, uses two sources of CPE information:
* the file provided on the command line,
* but also the internal CPE database.

I am not sure which of these is used with higher priority (you would need
to check on the OpenSCAP mailing list). In any case, OpenSCAP versions shipped
in Red Hat Enterprise Linux 7 / CentOS7 and newer already have inbuilt CPE
definitions for CentOS / Scientific Linux operating systems, while the 1.0.8
version you were trying to run the content against does not yet.

This problem should be solved though in the most recent
scap-security-guide-0.1.24 release (see my announcement in the previous email),
therefore you should not be experiencing any more issues when trying to scan
a CentOS6 system. Though in case you encounter some, feel free to file
a ticket or report here.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
> Thanks,
> -Bond
>
> On 07/06/2015 03:20 PM, Greg Elin wrote:
>
> Bond,
>
> You have to two files for CentOS:
> - ssg-centos6-cpe-dictionary.xml
> - ssg-centos6-cpe-oval.xml
>
> ssg-centos6-cpe-dictionary.xml describes the platform. (CPE stands for Common
> Platform Enumeration).
>
> But ssg-centos6-cpe-oval.xml consists of the "Open Vulnerability Assessment
> Language" code that _tests_ whether your platform is CentOS. You must
> have both, b/c the first file refers to the second file.
>
> You can get them here:
> https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml
> https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml
>
> You can put the files anywhere, just make sure they are in the same directory
> together, and reference the full path/to/ssg-centos6-cpe-dictionary.xml
>
> Greg
>
> On Mon, Jul 6, 2015 at 5:46 PM, Bond Masuda < [email protected] >
> wrote:
>
> Thanks Jan! Please see inline response below...
>
> On 07/04/2015 04:32 AM, Jan Lieskovsky wrote:
> > Hello Bond,
> >
> > thank you for your report.
> >
> > ----- Original Message -----
> >
> > I can reproduce that issue, when issuing just 'plain' "make" in the
> > scap-security-guide-0.1.23 folder. The issue is Fedora content by
> > default requires OVAL-5.11 language version already, and the version
> > of the openscap RPM you are trying to build Fedora content against
> > (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support OVAL-5.11
> > language version yet.
> >
> > We will correct this problem in an official way in the upcoming 0.1.24
> > upstream release (should be available for download during next week).
> >
> > For now please use the following workaround (in the
> > scap-security-guide-0.1.23
> > directory after expanding the tarball), issue the following command:
> >
> > # make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm
> >
> > This will correctly produce working RPM that can be subsequently used
> > on RHEL-6 / CentOS6 system.
>
> Yes, I was able to build the RPM, however not able to run with oscap.
> More below...
>
> >> As of SCAP Security Guide release 0.1.23, CentOS content is now available
> >> (any older version will require tweaking).
> >> See the announcement here:
> >> https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html
> >>
> >> You can download and build the SSG content from
> >> https://github.com/OpenSCAP/scap-security-guide
> >>
> >> When you run the XCCDF, you have to specify the CentOS XCCDF like below:
> >>
> >> # oscap xccdf eval --profile stig-rhel6-server-upstream \
> >> --results /tmp/`hostname`-ssg-results.xml \
> >> --report /tmp/`hostname`-ssg-results.html \
> >> --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
> >> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
> >>
> >> Please note that I believe that ssg-centos6-cpe-dictionary.xml is not
> >> being
> >> built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and
> >> the announcement here: So I believe all that needs to be done is:
> >>
> >> # oscap xccdf eval --profile stig-rhel6-server-upstream \
> >> --results /tmp/`hostname`-ssg-results.xml \
> >> --report /tmp/`hostname`-ssg-results.html \
> >> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
> >>
>
> Trying to run the last command above without specifying CPE, results in
> all tests being "notapplicable". And I confirmed there is no
> cpe-dictionary.xml being built for CentOS6.
>
> What am I missing?
> -Bond
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
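
Added example, not part of the thread and not OpenSCAP or SSG code: a Python check for the two conditions discussed above, a CPE dictionary whose referenced OVAL file is not in the same directory, and a results file in which every rule came back "notapplicable". The sample XML is constructed and the function names are hypothetical; the namespaces are those of CPE dictionary 2.0 and XCCDF 1.1.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter

CPE_CHECK = "{http://cpe.mitre.org/dictionary/2.0}check"
# Constructed sample inputs (not copied from the SSG or GovReady files).
SAMPLE_DICTIONARY = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:centos:centos:6">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
           href="ssg-centos6-cpe-oval.xml">oval:example:def:1</check>
  </cpe-item>
</cpe-list>"""
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <TestResult id="example">
    <rule-result idref="rule_a"><result>notapplicable</result></rule-result>
    <rule-result idref="rule_b"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

def missing_cpe_checks(dictionary_path):
    """Return check hrefs in a CPE dictionary that have no file beside it."""
    base = os.path.dirname(os.path.abspath(dictionary_path))
    hrefs = {c.get("href") for c in ET.parse(dictionary_path).iter(CPE_CHECK)}
    return sorted(h for h in hrefs if h and not os.path.isfile(os.path.join(base, h)))

def result_summary(results_path):
    """Count rule-result outcomes; the XCCDF namespace version is ignored."""
    counts = Counter()
    for elem in ET.parse(results_path).iter():
        if elem.tag.rsplit("}", 1)[-1] == "rule-result":
            for child in elem:
                if child.tag.rsplit("}", 1)[-1] == "result":
                    counts[(child.text or "").strip()] += 1
    return counts

def platform_not_matched(counts):
    """True when every rule is 'notapplicable', the symptom in this thread."""
    total = sum(counts.values())
    return total > 0 and counts.get("notapplicable", 0) == total

def demo():
    """Write the samples to a temp dir (OVAL file absent) and run both checks."""
    with tempfile.TemporaryDirectory() as d:
        dic, res = os.path.join(d, "cpe-dictionary.xml"), os.path.join(d, "results.xml")
        for path, text in ((dic, SAMPLE_DICTIONARY), (res, SAMPLE_RESULTS)):
            with open(path, "w") as f:
                f.write(text)
        return missing_cpe_checks(dic), platform_not_matched(result_summary(res))
```

Run `missing_cpe_checks` on the file passed to `--cpe` before scanning, and `platform_not_matched(result_summary(...))` on the `--results` output afterwards.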
