Hi all, First, thanks a lot for all the good work done here ;)
I experience a strange issue after building via make the ssg for centos6 (0.1.24 release)
When running :
/usr/bin/oscap xccdf eval --profile pci-dss /usr/share/xml/scap/ssg-centos6-xccdf/ssg-centos6-xccdf.xml
All checks are not applicable
Looking at the content of the produced xccdf I notice that the platform tag was still referencing rhel and not centos cpe
To make the resulting xccdf work on a centos6 I had to change the following line in ssg-centos6-xccdf.xml:
    <ns0:platform idref="cpe:/o:linux: enterprise_linux:6" />
by
    <ns0:platform idref="cpe:/o:centos:centos:6" />
And now the command below works as expected
/usr/bin/oscap xccdf eval --profile pci-dss /usr/share/xml/scap/ssg-centos6-xccdf/ssg-centos6-xccdf.xml
So I took a big breath and I tried to run the enable-derivatives.py by hand
When I run it with ds or xccdf the result differs :
    ../../shared/utils/enable-derivatives.py --enable-centos -i output/ssg-rhel6-xccdf.xml -o /tmp/mike-centos6-xccdf.xml
    [mike@caprica 6]$ grep platform /tmp/mike-centos6-xccdf.xml |grep cent
--> no output
    ../../shared/utils/enable-derivatives.py --enable-centos -i output/ssg-rhel6-ds.xml -o /tmp/mike-centos6-ds.xml
    [mike@caprica 6]$ grep platform /tmp/mike-centos6-ds.xml |grep cent
    <ns9:platform idref="cpe:/o:centos:centos:6" />
--> we have the centos6 as expected
Digging deeper I thought that it is probably related to the following line:
    benchmarks.extend([
        (XCCDF11_NS, elem)
        for elem in list(root.findall(".//{%s}Benchmark" % (XCCDF11_NS)))
    ])
    benchmarks.extend([
        (XCCDF12_NS, elem)
        for elem in list(root.findall(".//{%s}Benchmark" % (XCCDF12_NS)))
    ])
For a strange reason the root.findall seems not to work with the xccdf file
I could not find out why this is not working….
XCCDF :
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-6" resolved="1" xml:lang="en-US">
DS:
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-6" resolved="1" xml:lang="en-US">
To make a silly test I tried the following
    benchmarks.extend([
        (XCCDF11_NS, elem)
        for elem in list(root.findall("."))
    ])
    ../../shared/utils/enable-derivatives.py --enable-centos -i output/ssg-rhel6-xccdf.xml -o /tmp/mikeeeee
    [mike@caprica 6]$ grep centos /tmp/mikeeeee
    <ns0:notice id="centos_warning">html:div
    <ns0:platform idref="cpe:/o:centos:centos:6" />
The result makes me think I'm looking at the right spot, but I could not find out why.
Somebody got an idea of what is going on? Or am I totally missing something
Regards
Mike
PS : the same issue seems to affect RHEL7
REPS: I tried to build on centos6 and fedora 21 (just in case I had a strange python dep issue or something) : same result
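The lookup difference reported above, as an added example that is not part of the original message and is not the project's fix: in Python's xml.etree.ElementTree, a `.//` path selects descendants of the element it is called on, so a Benchmark that is itself the document root (plain XCCDF) is never returned, while one nested in a datastream is. It assumes the script parses with xml.etree.ElementTree; the sample documents, the RHEL CPE value, the `DS_NS` constant and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF11_NS = "http://checklists.nist.gov/xccdf/1.1"
XCCDF12_NS = "http://checklists.nist.gov/xccdf/1.2"
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
RHEL_CPE = "cpe:/o:redhat:enterprise_linux:6"   # constructed sample value
CENTOS_CPE = "cpe:/o:centos:centos:6"

# Constructed samples: plain XCCDF has Benchmark as the document root,
# a datastream nests the Benchmark inside a component.
PLAIN_XCCDF = ('<Benchmark xmlns="%s" id="RHEL-6" resolved="1">'
               '<platform idref="%s"/></Benchmark>' % (XCCDF11_NS, RHEL_CPE))
DATASTREAM = ('<ds:data-stream-collection xmlns:ds="%s"><ds:component>'
              '<Benchmark xmlns="%s" id="bench" resolved="1">'
              '<platform idref="%s"/></Benchmark>'
              '</ds:component></ds:data-stream-collection>'
              % (DS_NS, XCCDF12_NS, RHEL_CPE))

def find_descendants_only(root):
    """Lookup as quoted in the message: './/' never matches root itself."""
    return [(ns, e) for ns in (XCCDF11_NS, XCCDF12_NS)
            for e in root.findall(".//{%s}Benchmark" % ns)]

def find_including_root(root):
    """Element.iter() walks root and all descendants, so both layouts match."""
    return [(ns, e) for ns in (XCCDF11_NS, XCCDF12_NS)
            for e in root.iter("{%s}Benchmark" % ns)]

def add_centos_platform(root, finder):
    """Add the CentOS CPE after the last platform of each Benchmark found."""
    patched = 0
    for ns, bench in finder(root):
        tag = "{%s}platform" % ns
        existing = bench.findall(tag)
        if CENTOS_CPE in [p.get("idref") for p in existing]:
            continue
        children = list(bench)
        pos = children.index(existing[-1]) + 1 if existing else 0
        bench.insert(pos, ET.Element(tag, idref=CENTOS_CPE))
        patched += 1
    return patched

def platforms_after_patch(xml_text, finder):
    """Return the sorted platform idrefs present after patching."""
    root = ET.fromstring(xml_text)
    add_centos_platform(root, finder)
    return sorted(e.get("idref") for e in root.iter()
                  if e.tag.endswith("}platform"))
```

A build-time check that counts the patched Benchmarks and fails on zero would turn this kind of silent no-op into an error instead of content where every rule evaluates as not applicable.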
----- Original Message -----
From: "Michael Boutillier" michael.boutillier@gmail.com To: scap-security-guide@lists.fedorahosted.org Sent: Thursday, August 6, 2015 1:03:29 AM Subject: Fwd: scap
Hi all, First, thanks a lot for all the good work done here ;)
I experience a strange issue after building via make the ssg for centos6 (0.1.24 release)
When running :
/usr/bin/oscap xccdf eval --profile pci-dss /usr/share/xml/scap/ssg-centos6-xccdf/ssg-centos6-xccdf.xml
All checks are not applicable
Thanks for the detailed bug report, I can reproduce this and am looking into fixing it.
The datastream works fine, it's just the plain XCCDF 1.1 where the enable-derivatives.py script fails.
----- Original Message -----
From: "Martin Preisler" mpreisle@redhat.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Thursday, August 6, 2015 1:42:53 PM Subject: Re: scap
Fix is available and under review, see: https://github.com/OpenSCAP/scap-security-guide/pull/639
Great, thanks: I just tested it:
    [mike@caprica output]$ grep centos ssg-centos6-xccdf.xml
    html:div
And it seems to work like a charm :) Thanks for the quick fix
2015-08-06 14:50 GMT+02:00 Martin Preisler mpreisle@redhat.com:
Fix is available and under review, see: https://github.com/OpenSCAP/scap-security-guide/pull/639
-- Martin Preisler Security Technologies | Red Hat, Inc. http://martin.preisler.me