3:26 a.m.
Hello,
I'm working currently on secure OS and I' ve to enforce a CentOS 7
I get with yum the package scap-security-guide.
I adapt xml files (XCCDF) to work with CentOS 7
I pass all the rule at "selected='true'" in different files : XCCDF,
OVAL
I execute a run with oscap xccdf eval --profile "rht-ccp"
I obtain 42 passed , 48 failed and 304 other
The "Other" are "notchecked"
The current engine support all the rules ? Or not ?
I assumed that the rule is postionned to "notchecked" if there is nothing
to check.
So , for example, I install "Squid" and rerun a global check and the rule
"Disable Squid", "Uninstall Squid" are still "notchecked"
Can you guide me with my problem ?
Thank you very very much if you can
Thomas
6:22 a.m.
Thomas,
I am going to offer an answer but I am not 100% certain it is correct.
At the start of each XCCDF XML file is a section that defines profiles using the
<profile> tag.
Within each profile tag is a list of rules that are checked (eg, selected=true) for that
profile.
To my knowledge, it is the setting in the profile tag overrides the selected=true in the
actual rule.
I found this counter intuitive to my experience with CSS in which the inline setting
overrides the top of file setting. But from another perspective of you are evaluating the
defined profile rather than a singe rule, so the order of overrides make sense.
Greg Elin
P: 917-304-3488
E: gregelin(a)gitmachines.com
Sent from my iPhone
On Jun 4, 2015, at 4:26 AM, thomas belarbi
<thomas.belarbi(a)gmail.com> wrote:
Hello,
I'm working currently on secure OS and I' ve to enforce a CentOS 7
I get with yum the package scap-security-guide.
I adapt xml files (XCCDF) to work with CentOS 7
I pass all the rule at "selected='true'" in different files : XCCDF,
OVAL
I execute a run with oscap xccdf eval --profile "rht-ccp"
I obtain 42 passed , 48 failed and 304 other
The "Other" are "notchecked"
The current engine support all the rules ? Or not ?
I assumed that the rule is postionned to "notchecked" if there is nothing to
check.
So , for example, I install "Squid" and rerun a global check and the rule
"Disable Squid", "Uninstall Squid" are still "notchecked"
Can you guide me with my problem ?
Thank you very very much if you can
Thomas
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
11:59 a.m.
On 6/5/15 7:22 AM, Greg Elin wrote:
Thomas,
I am going to offer an answer but I am not 100% certain it is correct.
At the start of each XCCDF XML file is a section that defines profiles using the
<profile> tag.
Within each profile tag is a list of rules that are checked (eg, selected=true) for that
profile.
To my knowledge, it is the setting in the profile tag overrides the selected=true in the
actual rule.
I found this counter intuitive to my experience with CSS in which the inline setting
overrides the top of file setting. But from another perspective of you are evaluating the
defined profile rather than a singe rule, so the order of overrides make sense.
Greg Elin
P: 917-304-3488
E:gregelin@gitmachines.com
Sent from my iPhone
> >On Jun 4, 2015, at 4:26 AM, thomas belarbi<thomas.belarbi(a)gmail.com>
wrote:
> >
> >Hello,
> >
> >I'm working currently on secure OS and I' ve to enforce a CentOS 7
> >I get with yum the package scap-security-guide.
> >I adapt xml files (XCCDF) to work with CentOS 7
> >I pass all the rule at "selected='true'" in different files :
XCCDF, OVAL
> >I execute a run with oscap xccdf eval --profile "rht-ccp"
> >
> >I obtain 42 passed , 48 failed and 304 other
> >The "Other" are "notchecked"
> >
> >The current engine support all the rules ? Or not ?
> >
> >I assumed that the rule is postionned to "notchecked" if there is
nothing to check.
> >So , for example, I install "Squid" and rerun a global check and the
rule "Disable Squid", "Uninstall Squid" are still
"notchecked"
> >
> >Can you guide me with my problem ?
> >
> >Thank you very very much if you can
> >
SSG represents a catalog of security relevant configuration controls.
These are expressed as XCCDF rules.
Groupings of XCCDF rules are called profiles, such as the CCP profile
you mentioned. Others include the DoD STIG, PCI, etc.
The "not selected" just indicates some number of rules were not enabled
in your profile.
Rule results showing "not checked" means that the rule was selected in
your profile, but automation content likely does not exist. An example
is "Ensure Software Patches Installed." Almost all profiles want you to
apply patches, but attesting you did so through SCAP is sometimes
infeasible. So the rule is selected in the profile, but shows up as "not
checked" in the HTML reports -- meaning some human verification is
likely needed.
3238
days inactive
3242
days old
scap-security-guide@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Greg Elin -
Shawn Wells -
thomas belarbi