Hi Shawn,
If you see all the rules with notapplicable results, it's because we
started supporting CPE applicability processing.
I see this in the content:
<platform idref="cpe:/o:redhat:enterprise_linux:6"/>
<platform idref="cpe:/o:redhat:enterprise_linux:6::client"/>
Please use the "--cpe-dict" option. I have just found out that it's missing
in a man page. Well, I need to kick someone. :)
--cpe-dict ssg-rhel6-cpe-dictionary.xml
should work for you if you are on a RHEL6 system.
If for some reason you don't want the CPE applicability check, you need to
remove the <platform> elements from the content.
Peter.
On 11/01/2012 05:48 PM, Shawn Wells wrote:
On 11/1/12 12:42 PM, Shawn Wells wrote:
> On 11/1/12 12:34 PM, Steve Grubb wrote:
>> On Thursday, November 01, 2012 05:31:00 PM Peter Vrabec wrote:
>>> >why do you consider this an openscap bug? I suppose it's a bug in the
>>> >content. The profile you want to evaluate references a non-existing rule.
>> Well, the original poster was using 0.8 and I know bugs have been fixed since
>> then. So, in troubleshooting the issue, it's a simple step to just update to
>> the latest and see if it's still there or it's fixed. They said it's still there,
>> so it's time to look deeper at the content.
>>
>> Maybe git bisect is helpful if it is known to have worked sometime in the
>> past.
>
>
> There's a two part problem. Yes, some errors are caused by the bugs in
> RHEL6 openscap (v0.8?). Specifically:
>> 1 1871 In file 'xccdf-results.xml' on line 15992: Element
>> '{http://checklists.nist.gov/xccdf/1.1}ident': This element is not
>> expected.
>> Expected is ( {http://checklists.nist.gov/xccdf/1.1}result ).
>> 1 1871 In file 'xccdf-results.xml' on line 15995: Element
>> '{http://checklists.nist.gov/xccdf/1.1}ident': This element is not
>> expected.
>> Expected is ( {http://checklists.nist.gov/xccdf/1.1}result ).
>
> With that said, there are errors in the XCCDF content itself. Patches
> coming soon.
Just sent out a few patches which clear up the errors; however, the
rules now all state "notapplicable"
....continuing to investigate. Thoughts/patches welcome!
$ oscap xccdf eval --profile stig-server RHEL6/output/ssg-rhel6-xccdf.xml
Title Verify No netrc Files Exist
Rule no_netrc_files
Ident CCE-TODO
Result notapplicable
Title Create Warning Banners for All FTP Users
Rule ftp_present_banner
Ident CCE-4554-2
Result notapplicable
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
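
An added example, not part of the original thread and not OpenSCAP or SSG code: a small pre-flight check that lists every <platform idref> in XCCDF 1.1 content and reports the ones with no matching cpe-item in the CPE dictionary you plan to pass via --cpe-dict. The sample documents, the "cpe:/a:example:ftpd" name and the function names are constructed for illustration; it only compares names and does not evaluate the dictionary's OVAL checks.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"    # namespace shown in the thread's validation errors
CPE_DICT_NS = "http://cpe.mitre.org/dictionary/2.0"  # CPE 2.x dictionary namespace

# Constructed sample content (assumption), not the real SSG files.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="sample">
  <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  <platform idref="cpe:/o:redhat:enterprise_linux:6::client"/>
  <Rule id="no_netrc_files" selected="true"/>
  <Group id="ftp">
    <platform idref="cpe:/a:example:ftpd"/>
    <Rule id="ftp_present_banner" selected="true"/>
  </Group>
</Benchmark>"""

SAMPLE_CPE_DICT = f"""<cpe-list xmlns="{CPE_DICT_NS}">
  <cpe-item name="cpe:/o:redhat:enterprise_linux:6">
    <title xml:lang="en-us">Red Hat Enterprise Linux 6</title>
  </cpe-item>
</cpe-list>"""


def platform_refs(xccdf_xml):
    """Return (id of declaring element, platform idref) for each <platform>."""
    root = ET.fromstring(xccdf_xml)
    refs = []
    for parent in root.iter():  # Benchmark, Groups and Rules can all carry <platform>
        for plat in parent.findall(f"{{{XCCDF_NS}}}platform"):
            refs.append((parent.get("id"), plat.get("idref")))
    return refs


def dictionary_names(cpe_dict_xml):
    """Return the set of CPE names that have a cpe-item in the dictionary."""
    root = ET.fromstring(cpe_dict_xml)
    return {item.get("name") for item in root.iter(f"{{{CPE_DICT_NS}}}cpe-item")}


def unresolved_platforms(xccdf_xml, cpe_dict_xml):
    """Platforms referenced by the content but not named in the dictionary."""
    known = dictionary_names(cpe_dict_xml)
    return [(owner, ref) for owner, ref in platform_refs(xccdf_xml) if ref not in known]


if __name__ == "__main__":
    for owner, ref in unresolved_platforms(SAMPLE_XCCDF, SAMPLE_CPE_DICT):
        print(f"{owner}: platform {ref} has no cpe-item in the dictionary")
```

To check real content, read the XCCDF file and the dictionary file from disk and pass their text to unresolved_platforms().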