Hello,
I'm currently working on a secure OS and I've to enforce a CentOS 7. I got the package scap-security-guide with yum. I adapted the XML files (XCCDF) to work with CentOS 7. I set all the rules to "selected='true'" in the different files: XCCDF, OVAL. I execute a run with oscap xccdf eval --profile "rht-ccp"
I obtain 42 passed, 48 failed and 304 other. The "Other" are "notchecked".
Does the current engine support all the rules? Or not?
I assumed that a rule is set to "notchecked" if there is nothing to check. So, for example, I installed "Squid" and reran a global check, and the rules "Disable Squid" and "Uninstall Squid" are still "notchecked".
Can you guide me with my problem?
Thank you very, very much if you can.
Thomas
Thomas,
I am going to offer an answer but I am not 100% certain it is correct.
At the start of each XCCDF XML file is a section that defines profiles using the <profile> tag.
Within each profile tag is a list of rules that are checked (e.g., selected=true) for that profile.
To my knowledge, the setting in the profile tag overrides the selected=true in the actual rule.
I found this counterintuitive given my experience with CSS, in which the inline setting overrides the top-of-file setting. But from another perspective, you are evaluating the defined profile rather than a single rule, so the order of overrides makes sense.
Greg Elin P: 917-304-3488 E: gregelin@gitmachines.com
On Jun 4, 2015, at 4:26 AM, thomas belarbi thomas.belarbi@gmail.com wrote:
> Hello,
> I'm currently working on a secure OS and I've to enforce a CentOS 7. I got the package scap-security-guide with yum. I adapted the XML files (XCCDF) to work with CentOS 7. I set all the rules to "selected='true'" in the different files: XCCDF, OVAL. I execute a run with oscap xccdf eval --profile "rht-ccp"
> I obtain 42 passed, 48 failed and 304 other. The "Other" are "notchecked".
> Does the current engine support all the rules? Or not?
> I assumed that a rule is set to "notchecked" if there is nothing to check. So, for example, I installed "Squid" and reran a global check, and the rules "Disable Squid" and "Uninstall Squid" are still "notchecked".
> Can you guide me with my problem?
> Thank you very, very much if you can.
> Thomas
On 6/5/15 7:22 AM, Greg Elin wrote:
> Thomas,
> I am going to offer an answer but I am not 100% certain it is correct.
> At the start of each XCCDF XML file is a section that defines profiles using the <profile> tag.
> Within each profile tag is a list of rules that are checked (e.g., selected=true) for that profile.
> To my knowledge, the setting in the profile tag overrides the selected=true in the actual rule.
> I found this counterintuitive given my experience with CSS, in which the inline setting overrides the top-of-file setting. But from another perspective, you are evaluating the defined profile rather than a single rule, so the order of overrides makes sense.
> Greg Elin P: 917-304-3488 E: gregelin@gitmachines.com
SSG represents a catalog of security relevant configuration controls. These are expressed as XCCDF rules.
Groupings of XCCDF rules are called profiles, such as the CCP profile you mentioned. Others include the DoD STIG, PCI, etc.
The "not selected" just indicates some number of rules were not enabled in your profile.
Rule results showing "not checked" means that the rule was selected in your profile, but automation content likely does not exist. An example is "Ensure Software Patches Installed." Almost all profiles want you to apply patches, but attesting you did so through SCAP is sometimes infeasible. So the rule is selected in the profile, but shows up as "not checked" in the HTML reports -- meaning some human verification is likely needed.
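The two replies above (a profile's select entries override a rule's own selected attribute, and a selected rule with no automation content comes out "not checked") can be previewed before a scan. This is an added example, not part of the thread or of SSG/OpenSCAP code: the benchmark is constructed, the rule ids are hypothetical, and it assumes only OVAL checks count as automation and ignores Group-level selection and profile inheritance.

```python
import xml.etree.ElementTree as ET

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed miniature XCCDF benchmark (not SSG content); rule ids are hypothetical.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Profile id="rht-ccp">
    <select idref="uninstall_squid" selected="true"/>
    <select idref="disable_telnet" selected="false"/>
    <select idref="security_patches_up_to_date" selected="true"/>
  </Profile>
  <Group id="services">
    <Rule id="uninstall_squid" selected="false"><check system="{oval}"/></Rule>
    <Rule id="disable_telnet" selected="true"><check system="{oval}"/></Rule>
    <Rule id="security_patches_up_to_date" selected="false"/>
    <Rule id="disable_squid" selected="true"/>
  </Group>
</Benchmark>""".format(oval=OVAL)

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]

def classify(xccdf_text, profile_id):
    """Map each rule id to 'notselected', 'notchecked' or 'evaluated'."""
    root = ET.fromstring(xccdf_text)
    # Collect the profile's <select> entries; these win over Rule/@selected.
    overrides = {}
    for el in root.iter():
        if local(el.tag) == "Profile" and el.get("id") == profile_id:
            for sel in el:
                if local(sel.tag) == "select":
                    overrides[sel.get("idref")] = sel.get("selected") == "true"
    result = {}
    for rule in root.iter():
        if local(rule.tag) != "Rule":
            continue
        rid = rule.get("id")
        default = rule.get("selected", "true") == "true"  # XCCDF default is true
        if not overrides.get(rid, default):
            result[rid] = "notselected"
            continue
        # Selected but no OVAL <check> child: the scanner has nothing to run.
        has_oval = any(local(c.tag) == "check" and c.get("system") == OVAL
                       for c in rule)
        result[rid] = "evaluated" if has_oval else "notchecked"
    return result

if __name__ == "__main__":
    for rule_id, state in classify(SAMPLE, "rht-ccp").items():
        print(f"{state:12} {rule_id}")
```

Rules reported as notchecked here are the ones that need either a check added to the content or manual verification.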