On Wed, Jan 25, 2017 at 7:02 PM, Shawn Wells <[email protected]> wrote:
> On 1/25/17 9:55 AM, Jan Cerny wrote:
> > Hi,
> >
> > It might be a bug, but also there can be another reason why this rule
> > failed.
> >
> > First thing that I would try is to add "--oval-results" to your command
> > and run the scan again. This option adds more details into the HTML
> > report, which hopefully could help you with identifying the problem.
> >
> > Best Regards
> >
> > Jan Černý
> > Security Technologies | Red Hat, Inc.
> >
> > ----- Original Message -----
> >> From: "Luke Hinds" <[email protected]>
> >> To: [email protected]
> >> Sent: Tuesday, January 24, 2017 11:40:19 PM
> >> Subject: [Open-scap] inconsistent reporting on auditd
> >>
> >> Hi,
> >>
> >> When performing a xccdf scan of CentOS 7 I am finding the report of
> >> auditd rule entries inconsistent with how the file is configured.
> >>
> >> The following is reported as a fail, yet it's an exact match for the
> >> scap report entry:
> >>
> >> https://i.imgur.com/m1q7CLf.png
> >>
> >> The following is a pass:
> >>
> >> https://i.imgur.com/LqDiRPO.png
> >>
> >> My command:
> >>
> >> # oscap xccdf eval --profile common --report ~/report-xccdf.html
> >> --results ~/results.xml --cpe
> >> /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
> >> /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
> >>
> >> Should I raise this as a bug?
>
> What version of SSG?
>
> I don't recall the SSG version that it was patched in, but the original
> RHEL7 OVAL content only accepted audit rules with "-k foo", not "-F
> key=foo", as shown in your audit.rules.
>
> The patch was made 16-DEC, so may not be shipping in RHEL yet...
>
> https://github.com/OpenSCAP/scap-security-guide/commit/66f76d6158a1cd44a91f7f27286022755065e4b6

scap-security-guide-0.1.30

This was from the CentOS repository, although I just checked on RHEL and
those are incorrectly reporting too (for the standard profile).
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
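An added example, not part of the thread and not SSG's OVAL content: a small Python check showing how a matcher that accepts only "-k foo" misses audit rules written as "-F key=foo", the two spellings discussed above. The sample rules, the key name and the strict pattern are constructed for illustration.

```python
import re
import shlex

# Constructed sample audit.rules content (not taken from the thread's screenshots).
SAMPLE_RULES = """\
# time-change rules
-w /etc/localtime -p wa -k audit_time_rules
-w /etc/localtime -p wa -F key=audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
-w /etc/group -p wa
"""

# Illustrative "strict" pattern: a rule counts only if its key is given with -k.
STRICT_KEY = re.compile(r"\s-k\s+\S+\s*$")


def rule_key(line):
    """Return the filter key of one audit rule, or None if it has none.

    Accepts both spellings: '-k foo' and '-F key=foo'.
    """
    tokens = shlex.split(line, comments=True)
    key = None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-k" and nxt is not None:
            key = nxt
        elif tok == "-F" and nxt is not None and nxt.startswith("key="):
            key = nxt[len("key="):]
    return key


def compare(rules_text):
    """Return (line, strict_match, key) for every non-comment rule line."""
    results = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        results.append((line, bool(STRICT_KEY.search(line)), rule_key(line)))
    return results


def mismatches(rules_text):
    """Rules that carry a key but would be missed by the strict pattern."""
    return [line for line, strict, key in compare(rules_text) if key and not strict]


if __name__ == "__main__":
    for line, strict, key in compare(SAMPLE_RULES):
        print(f"strict={strict!s:5} key={key!s:18} {line}")
```

Running `mismatches()` over a host's own rules file lists the entries whose key is present but written in the "-F key=" form, which are the ones to compare against a failing scan result.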
