Hi all,
I removed the Value tags I mentioned earlier. oscap still complained
so I kept removing... Eventually I got a successful run by making the
following adjustments:
diff rhel6-xccdf-scap-security-guide.xml.ORG rhel6-xccdf-scap-security-guide.xml
103d102
< <select idref="limit_password_reuse" selected="true"/>
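Review bot: dropping `<select idref="limit_password_reuse" selected="true"/>` removes the password-reuse check from the profile rather than fixing the schema error; the validator objected to the position of the Value element, not to this selection, so the rule can stay selected once the Value is placed where the XCCDF 1.1 schema expects it.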
3201,3211d3199
< <Value id="password_history_retain_number"
type="number"
operator="equals" interactive="0">
< <title>remember</title>
< <description>The last n passwords for each user are saved in
< <xhtml:code
xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/opa...
in order to force password change history and
< keep the user from alternating between the same password too
< frequently.</description>
< <value selector="">5</value>
< <value selector="0">0</value>
< <value selector="5">5</value>
< <value selector="10">10</value>
< </Value>
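Review bot: deleting the whole `<Value id="password_history_retain_number" ...>` block discards the variable the reuse check depends on; the error quoted in the original mail only says that a Value may not follow a Rule (only a signature may come after the last Rule), so moving this block ahead of the first Rule in its Group satisfies the schema while keeping the setting and its 0/5/10 selectors.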
3224,3225d3211
< <ident cce="14939-3"/>
< <oval id="accounts_password_reuse_limit"
value="password_history_retain_number"/>
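Review bot: with `<ident cce="14939-3"/>` and the `<oval id="accounts_password_reuse_limit" value="password_history_retain_number"/>` reference removed, the rule these two lines belonged to loses both its CCE identifier and its link to the OVAL check, so it could not produce a result even if it were re-selected later; keep these lines and fix the Value placement instead.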
11662c11648
< </Benchmark>
\ No newline at end of file
---
</Benchmark>
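Review bot: this last hunk only adds the missing trailing newline after `</Benchmark>`; it is harmless and unrelated to the validation error, so it can stay.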
By the way, when I changed limit_password_reuse to false instead of
removing it, oscap hangs running its probes (different ones the few
times I ran it). Probably unrelated but I thought I should mention it.
Regards,
Willem.
On Thu, Jul 26, 2012 at 10:26 AM, Willem Bos <whbos(a)xs4all.nl> wrote:
Hi All,
Before bothering you with my problems I would just like to say thanks
for all the great work on scap-security-guide you guys are doing.
We're investigating a good basis for our Linux security baseline and
OpenSCAP+SSG is spot on.
When running `oscap xccdf eval --profile server rhel6-xccdf-scap-security-guide.xml` the following error is returned:
1 1871 In file 'rhel6-xccdf-scap-security-guide.xml' on line 3201:
Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is
not expected. Expected is (
{http://checklists.nist.gov/xccdf/1.1}signature ).
I'm new to scap-security-guide (so browsing the xccdf file was a bit
daunting :-) but the above mentioned <Value
id="password_history_retain_number"...> tag seems out of place in a
'<Rule id="set_password_hashing_algorithm"...>' context:
<Rule id="set_password_hashing_algorithm" severity="low" selected="false">
  <title>Set Password Hashing Algorithm</title>
  <description>...
  </description>
  <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-5...
  <rationale>
    Using a stronger hashing algorithm makes password cracking attacks
    more difficult.
  </rationale>
  <ident system="http://cce.mitre.org">CCE-14063-2</ident>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="rhel6-oval-scap-security-guide.xml"
                       name="oval:scap-security-guide:def:839"/>
  </check>
</Rule>
<Value id="password_history_retain_number" type="number" operator="equals" interactive="0">
  <title>remember</title>
  <description>The last n passwords for each user are saved in
    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/opa...
    in order to force password change history and
    keep the user from alternating between the same password too
    frequently.</description>
  <value selector="">5</value>
  <value selector="0">0</value>
  <value selector="5">5</value>
  <value selector="10">10</value>
</Value>
I'm on RHEL6 and so might be running old(er) software. Is Fedora 16/17
necessary or am I missing something? Here's what I did:
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
rpm -q git openscap-utils python-lxml
git-1.7.1-2.el6_0.1.x86_64
openscap-utils-0.8.0-2.el6.x86_64
python-lxml-2.2.3-1.1.el6.x86_64
cd scap-security-guide
git log
commit 5454d44eee80becb5c1b8929bf6498edfa3bfdcb
Merge: 405d61e a0f2e7e
Author: Kevin Spargur <kspargur(a)redhat.com>
Date: Wed Jul 25 19:59:05 2012 -0400
Merge branch 'master' of
ssh://git.fedorahosted.org/git/scap-securi
...
cd scap-security-guide/RHEL6
make all
...
oscap xccdf generate guide --profile allrules output/rhel6-xccdf.xml > output/rhel6-guide.html
WARNING: Processing an unresolved XCCDF document. This may have
unexpected results.
...
Duplicate ID, which will not be added: var_samba_private_directory
Duplicate ID, which will not be added: state_uid_root
Duplicate ID, which will not be added: object_etc_skel_files
Duplicate ID, which will not be added: var_removable_partition
Duplicate ID, which will not be added: var_removable_partition
Duplicate ID, which will not be added: var_ssh_config_directory
...
cd dist/content
oscap xccdf eval --profile server rhel6-xccdf-scap-security-guide.xml
1 1871 In file 'rhel6-xccdf-scap-security-guide.xml' on line 3201:
Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is
not expected. Expected is (
{http://checklists.nist.gov/xccdf/1.1}signature ).
Regards,
Willem.
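The error above is an XCCDF 1.1 ordering rule: within a Group (or the Benchmark) every Value must precede the Rule and Group children, and only a signature may follow the last Rule. The script below, an added example that is not part of scap-security-guide or OpenSCAP, finds Values that sit after a Rule and moves them to the front of their Group instead of deleting them as the reply's diff does; the sample Benchmark is constructed for the demonstration.

```python
# XCCDF 1.1 element-order check: every Value of a Group (or Benchmark) must
# precede that container's Rule/Group children. Added example, not part of
# scap-security-guide or OpenSCAP; uses only the standard library.
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.1}"
CONTAINERS = (NS + "Benchmark", NS + "Group")
ITEMS = (NS + "Group", NS + "Rule")

def misplaced_values(xccdf_text):
    """Return ids of Value elements that follow a Group or Rule sibling."""
    bad = []
    for parent in ET.fromstring(xccdf_text).iter():
        if parent.tag not in CONTAINERS:
            continue
        seen_item = False
        for child in parent:
            if child.tag in ITEMS:
                seen_item = True
            elif child.tag == NS + "Value" and seen_item:
                bad.append(child.get("id"))
    return bad

def move_values_first(xccdf_text):
    """Move each late Value ahead of its first Group/Rule sibling (keeps it)."""
    root = ET.fromstring(xccdf_text)
    for parent in list(root.iter()):  # snapshot: children are reordered below
        if parent.tag not in CONTAINERS:
            continue
        kids = list(parent)
        first = next((i for i, c in enumerate(kids) if c.tag in ITEMS), None)
        if first is None:
            continue
        for value in [c for c in kids[first:] if c.tag == NS + "Value"]:
            parent.remove(value)
            parent.insert(first, value)
            first += 1
    return ET.tostring(root, encoding="unicode")

# Constructed sample with the layout from the thread: a Value after a Rule.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <Group id="accounts">
    <Rule id="set_password_hashing_algorithm" severity="low" selected="false">
    </Rule>
    <Value id="password_history_retain_number" type="number">
      <value selector="">5</value>
    </Value>
  </Group>
</Benchmark>"""
```

Running `misplaced_values` over the generated rhel6-xccdf-scap-security-guide.xml lists every offending Value id, and `move_values_first` produces a document that passes the same check without losing the password_history_retain_number variable.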