We have several sebool XCCDFs in shared/xccdf/system/selinux, however it
appears OVAL and remediations are not being generated.

For example from shared/xccdf/system/selinux.xml :
> <Rule id="sebool_fips_mode" severity="medium" prodtype="rhel7">
> ......
> <oval id="sebool_fips_mode" />
> </Rule>

Which has an entry in the selinux_booleans.csv file:
> $ grep -rin fips_mode shared/templates/selinux_booleans.csv
> 52:fips_mode,enable

After running a make, no OVAL gets attached in the datastream:
>         <ns0:Rule
> id="xccdf_org.ssgproject.content_rule_sebool_fips_mode"
> selected="false" severity="medium">
> .....
>           <ns0:ident
> system="https://nvd.nist.gov/cce/index.cfm">CCE-80418-7</ns0:ident>
>           <ns0:check system="http://scap.nist.gov/schema/ocil/2">
>             <ns0:check-content-ref href="ssg-rhel7-ocil.xml"
> name="ocil:ssg-sebool_fips_mode_ocil:questionnaire:1"/>
>           </ns0:check>
>         </ns0:Rule>

So I cleaned out my build directory and re-ran 'make -j4 rhel7' and saw
some errors:
> WARNING: OVAL check 'sebool_abrt_upload_watch_anon_write' was not
> found, removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sebool_antivirus_can_scan_system' was not found,
> removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sebool_auditadm_exec_content' was not found,
> removing <check-content> element from the XCCDF rule.
> WARNING: OVAL check 'sebool_cron_userdomain_transition' was not found,
> removing <check-content> element from the XCCDF rule.

Is there a reason the seboolean checks aren't getting built into
datastreams?
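Added example, not part of the original message or of the project's own code: one way to list every sebool rule in a built XCCDF or datastream file that, like the Rule quoted above, ended up with no OVAL check attached. The function name, the embedded sample document and the sebool_example_ok rule are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample modelled on the Rule quoted in the post; the second rule
# (sebool_example_ok) is hypothetical and only shows a rule that kept its OVAL check.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <Rule id="xccdf_org.ssgproject.content_rule_sebool_fips_mode" selected="false" severity="medium">
    <check system="http://scap.nist.gov/schema/ocil/2">
      <check-content-ref href="ssg-rhel7-ocil.xml" name="ocil:ssg-sebool_fips_mode_ocil:questionnaire:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_sebool_example_ok" selected="false" severity="medium">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="sample-oval.xml" name="oval:sample-sebool_example_ok:def:1"/>
    </check>
    <check system="http://scap.nist.gov/schema/ocil/2">
      <check-content-ref href="sample-ocil.xml" name="ocil:sample-sebool_example_ok_ocil:questionnaire:1"/>
    </check>
  </Rule>
</Benchmark>"""


def rules_without_oval(xml_data, id_substring="sebool_"):
    """Return (rule id, check systems present) for matching Rules with no OVAL check."""
    root = ET.fromstring(xml_data)
    missing = []
    # iter() walks the whole tree, so this works on a bare XCCDF file and on a
    # source datastream where the Benchmark is nested inside a component.
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rule_id = rule.get("id", "")
        if id_substring not in rule_id:
            continue
        systems = {c.get("system") for c in rule.iter(f"{{{XCCDF_NS}}}check")}
        if OVAL_SYSTEM not in systems:
            missing.append((rule_id, sorted(s for s in systems if s)))
    return missing


if __name__ == "__main__":
    # Pass the path of a built XCCDF or datastream file; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for rule_id, systems in rules_without_oval(data):
        print(f"{rule_id}: no OVAL check (has: {', '.join(systems) or 'none'})")
```

A rule reported here with only the OCIL system is one that would be left to manual review during a scan.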