On 7/1/16 3:38 AM, Jan Cerny wrote:
Regarding your second question, OpenSCAP >= 1.2.2 can display OVAL results in the HTML report if you run it with "--oval-results", e.g.:

# oscap xccdf eval --results results.xml --oval-results --report report.html my_benchmark.xml

The HTML report will look like in [2].

[1] http://csrc.nist.gov/publications/nistir/ir7275-rev4/NISTIR-7275r4.pdf (page 43)
[2] https://www.open-scap.org/wp-content/uploads/2015/09/ssg-rhel7-ds-xccdf.report.html
Can we have the findings show up in the default reports, e.g. those without --oval-results? Why burden the users with another CLI argument?
Also, some of the OVAL result summaries are very confusing. Compare "Set Last Logon/Access Notification" with the various object and type expressions listed in "Set Deny For Failed Password Attempts"... it's not clear what all that means. "Last Logon" shows the text of the passing file, whereas "Failed Password Attempts" lists subexpressions instead.
Does this depend on how the OVAL rules are written, or OpenSCAP reporting? Reports would be easier to interpret if we showed the offending text, vs a "subexpression" value.
E.g.: current report from "failed password attempts":
Items not found violating
Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth:
Object oval:ssg:obj:870 of type textfilecontent54_object
  Behaviors: no value
  Filepath:  /etc/pam.d/system-auth
  Pattern:   [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]
  Instance:  1
State oval:ssg:ste:871 of type textfilecontent54_state
  Subexpression: 6
Could be changed to:
Items not found violating
Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth:
Object oval:ssg:obj:870 of type textfilecontent54_object
  Behaviors: no value
  Filepath:  /etc/pam.d/system-auth
  Pattern:   [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]
  Instance:  1
State of /etc/pam.d/system-auth
  Subexpression: FAIL: No lines match regex in /etc/pam.d/system-auth
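As an added illustration of the reporting difference argued above (example code, not part of this thread or of OpenSCAP itself): a small Python evaluator applies the textfilecontent54 pattern from the excerpt to constructed /etc/pam.d/system-auth contents and emits the proposed wording, naming the file and the offending line instead of a bare subexpression value. The "less than or equal" comparison against the state's subexpression value 6 is an assumption, since the excerpt does not show the state's operation.

```python
import re

# Path, pattern and instance are copied from the report excerpt in this thread
# (OVAL object oval:ssg:obj:870, type textfilecontent54_object).
PATH = "/etc/pam.d/system-auth"
PATTERN = re.compile(
    r"[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+"
    r"[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n]"
)
INSTANCE = 1
# The state (oval:ssg:ste:871) only shows "Subexpression 6" in the excerpt; the
# comparison operation is not visible, so "less than or equal" is assumed here.
STATE_MAX_DENY = 6


def evaluate(content: str) -> dict:
    """Mimic the textfilecontent54 test: collect matching items, pick the
    requested instance, and compare its captured subexpression to the state."""
    matches = list(PATTERN.finditer(content))
    if len(matches) < INSTANCE:
        # OVAL "items not found": the current report prints "Subexpression 6",
        # the proposed wording names the file and says no line matched.
        return {"result": "fail", "item": None,
                "message": f"FAIL: No lines match regex in {PATH}"}
    m = matches[INSTANCE - 1]
    deny = int(m.group(1))
    # Report the offending pam_faillock line itself, not just the number.
    offending = m.group(0).strip().splitlines()[0]
    if deny <= STATE_MAX_DENY:
        return {"result": "pass", "item": deny,
                "message": f"PASS: {PATH}: {offending}"}
    return {"result": "fail", "item": deny,
            "message": f"FAIL: deny={deny} exceeds {STATE_MAX_DENY} in {PATH}: {offending}"}


# Constructed sample file contents (not taken from any real system).
COMPLIANT = ("auth        required      pam_env.so\n"
             "auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=900\n"
             "auth        sufficient    pam_unix.so nullok try_first_pass\n")
TOO_LENIENT = ("auth        required      pam_env.so\n"
               "auth        required      pam_faillock.so preauth silent deny=10 unlock_time=900\n"
               "auth        sufficient    pam_unix.so nullok try_first_pass\n")
MISSING = ("auth        required      pam_env.so\n"
           "auth        sufficient    pam_unix.so nullok try_first_pass\n")

if __name__ == "__main__":
    for name, content in (("compliant", COMPLIANT), ("too lenient", TOO_LENIENT), ("missing", MISSING)):
        print(f"{name:12s} -> {evaluate(content)['message']}")
```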
Open-scap-list mailing list
https://www.redhat.com/mailman/listinfo/open-scap-list
