On 1/25/17 9:55 AM, Jan Cerny wrote:
> Hi,
>
> It might be a bug, but also there can be another reason why this rule failed.
>
> First thing that I would try is to add "--oval-results" to your command
> and run the scan again. This option adds more details into the HTML report,
> which hopefully could help you with identifying the problem.
>
> Best Regards
>
> Jan Černý
> Security Technologies | Red Hat, Inc.
>
> ----- Original Message -----
>> From: "Luke Hinds" <[email protected]>
>> To: [email protected]
>> Sent: Tuesday, January 24, 2017 11:40:19 PM
>> Subject: [Open-scap] inconsistent reporting on auditd
>>
>> Hi,
>>
>> When performing a xccdf scan of Centos 7 I am finding the report of auditd
>> rule entries inconsistent with how the file is configured.
>>
>> The following is reported as a fail, yet it's an exact match for the scap
>> report entry:
>>
>> https://i.imgur.com/m1q7CLf.png
>>
>> The following is a pass:
>>
>> https://i.imgur.com/LqDiRPO.png
>>
>> My command:
>>
>> # oscap xccdf eval --profile common --report ~/report-xccdf.html --results
>> ~/results.xml --cpe
>> /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
>> /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
>>
>> Should I raise this as a bug?

What version of SSG?

I don't recall the SSG version that it was patched in, but the original RHEL7 OVAL content only accepted audit rules with "-k foo", not "-F key=foo", as shown in your audit.rules. The patch was made 16-DEC, so may not be shipping in RHEL yet...

https://github.com/OpenSCAP/scap-security-guide/commit/66f76d6158a1cd44a91f7f27286022755065e4b6
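
Added example, not part of the original thread and not SSG's OVAL content: a Python check that treats "-k foo" and "-F key=foo" as the same audit rule key, next to a "-k"-only pattern that reproduces the kind of false fail described above. The sample rules, the STRICT_K_ONLY pattern and all function names are constructed for illustration.

```python
import re
import shlex

# Assumption: a simplified stand-in for a check that only recognises the
# "-k <key>" spelling; this is not the actual SSG OVAL pattern.
STRICT_K_ONLY = re.compile(r"\s-k\s+\S+\s*$")

# Constructed sample rules: identical except for how the key is written.
RULE_K = "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod"
RULE_F = "-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod"


def parse_rule(line):
    """Return (sorted option/argument pairs, key) for one audit.rules line."""
    tokens = shlex.split(line, comments=True)
    opts, key, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-k" and arg is not None:
            key, i = arg, i + 2                    # short form: -k foo
        elif tok == "-F" and arg is not None and arg.startswith("key="):
            key, i = arg[len("key="):], i + 2      # field form: -F key=foo
        elif tok.startswith("-") and arg is not None and not arg.startswith("-"):
            opts.append((tok, arg))
            i += 2
        else:
            opts.append((tok, ""))
            i += 1
    # Sorting ignores option order; a simplification made for this comparison.
    return sorted(opts), key


def strict_check(line):
    """Pass only when the rule ends in the '-k <key>' spelling."""
    return bool(STRICT_K_ONLY.search(line))


def tolerant_check(line, expected_key):
    """Pass when the rule carries the expected key in either spelling."""
    return parse_rule(line)[1] == expected_key


def equivalent(a, b):
    """True when two rules differ only in how the key is spelled."""
    return parse_rule(a) == parse_rule(b)


if __name__ == "__main__":
    for rule in (RULE_K, RULE_F):
        print(strict_check(rule), tolerant_check(rule, "perm_mod"), rule)
```

Running it against a copy of the rules file shows which lines a "-k"-only pattern would fail even though the key is present in the "-F key=" form.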
