Bond,

You have to two files for CentOS:

- ssg-centos6-cpe-dictionary.xml

- ssg-centos6-cpe-oval.xml

ssg-centos6-cpe-dictionary.xml describes the platform. (CPE stands for Common Platform Enumeration).

But ssg-centos6-cpe-oval.xml consists of the "Open Vulnerability Assessment Language" code that _tests_ whether your platform is is CentOS. You must have both, b/c the first file refers to the second file.

You can get them here:

https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-dictionary.xml

https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-centos6-cpe-oval.xml

You can put the files anywhere, just make sure they are in the same directory together, and reference the full path/to/ssg-centos6-cpe-dictionary.xml

Greg

On Mon, Jul 6, 2015 at 5:46 PM, Bond Masuda <bond.masuda@hexadiam.com> wrote:

Thanks Jan! Please see inline response below...

On 07/04/2015 04:32 AM, Jan Lieskovsky wrote:
> Hello Bond,
>
> thank you for your report.
>
> ----- Original Message -----
>
> I can reproduce that issue, when issuing just 'plain' "make" in the
> scap-security-guide-0.1.23 folder. The issue is Fedora content by
> default requires OVAL-5.11 language version already, and the version
> of the openscap RPM you are trying to build Fedora content against
> (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support OVAL-5.11
> language version yet.
>
> We will correct this problem in an official way in the upcoming 0.1.24
> upstream release (should be available for download during next week).
>
> For now please use the following workaround (in the scap-security-guide-0.1.23
> directory after expanding the tarball), issue the following command:
>
> # make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm
>
> This will correctly produce working RPM that can be subsequently used
> on RHEL-6 / CentOS6 system.

Yes, I was able to build the RPM, however not able to run with oscap.
More below...

>> As of SCAP Security Guide release 0.1.23, CentOS content is now available
>> (any older version will require tweaking). See the announcement here:
>> https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html
>>
>> You can download and build the SSG content from
>> https://github.com/OpenSCAP/scap-security-guide
>>
>> When you run the XCCDF, you have to specify the CentOS XCCDF like below:
>>
>> # oscap xccdf eval --profile stig-rhel6-server-upstream \
>> --results /tmp/`hostname`-ssg-results.xml \
>> --report /tmp/`hostname`-ssg-results.html \
>> --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
>> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
>>
>> Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being
>> built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and
>> the announcement here: So I believe all that needs to be done is:
>>
>> # oscap xccdf eval --profile stig-rhel6-server-upstream \
>> --results /tmp/`hostname`-ssg-results.xml \
>> --report /tmp/`hostname`-ssg-results.html \
>> /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
>>

Trying to run the last command above without specifying CPE, results in
all tests being "notapplicable". And I confirmed there is no
cpe-dictionary.xml being built for CentOS6.

What am I missing?

-Bond
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/