We are using 1.2.10. Thanks.
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Monday, March 20, 2017 9:00 AM
To: [email protected]
Subject: Open-scap-list Digest, Vol 96, Issue 11
Send Open-scap-list mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/open-scap-list
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific than "Re:
Contents of Open-scap-list digest..."
Today's Topics:
1. Re: Anaconda Addon and Tail (Jan Lieskovsky)
2. Re: Open-scap-list Digest, Vol 96, Issue 8 (Watson Yuuma Sato)
----------------------------------------------------------------------
Message: 1
Date: Mon, 20 Mar 2017 05:54:41 -0400 (EDT)
From: Jan Lieskovsky <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: [Open-scap] Anaconda Addon and Tail
Message-ID:
<[email protected]>
Content-Type: text/plain; charset=utf-8
Hello,
----- Original Message -----
> From: [email protected]
> To: [email protected]
> Sent: Friday, March 17, 2017 6:09:43 PM
> Subject: [Open-scap] Anaconda Addon and Tail
>
> I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I want
> to use the Anaconda oscap addon. The addon works well with the default
> setting, but I'm having an issue using it with a tailored file that I
> created through the openscap workbench. I am getting the error messages
> "OpenSCAP Error: Unable to open file:
> /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]" and
> "Unrecognized document type for
> /run/install/repo/scap/ssg-rhel7-ds.xml
> {oscap_source.c307]"
I am guessing the issue is there because OAA tries to open a wrong /
non-existent file (it tries "/run/install/repo/scap/ssg-rhel7-ds.xml"
instead of "../../../../run/install/repo/scap/ssg-rhel7-ds.xml").
>
> Here is the addon section from my kickstart file.
>
> %addon org_fedora_oscap
> content-type = scap-security-guide
> profile = stig-rhel7-workstation-upstream
> tailoring-path =
> ../../../../run/install/repo/scap/ssg-rhel7-ds.xml
> %end
>
> Does anyone know what I'm doing wrong ?
AFAICT in the default installation, anaconda creates a chroot and mounts
"/mnt/sysimage" as "/". If you want to use a DS file outside of the chroot, a simple
"reference to parent folder" won't work. You first need to copy that DS
file under the chroot tree. Something like here:
http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-4/
IOW have the %post section in two stages (in the first copy the DS file, in
the latter use it).
Another option is to put that DS file on some remotely accessible HTTP server,
and tell OAA to fetch that DS file remotely (this might actually be an easier
option than modifying the %post section).
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
>
HTH, Jan
------------------------------
Message: 2
Date: Mon, 20 Mar 2017 11:52:24 +0100
From: Watson Yuuma Sato <[email protected]>
To: "Greg Silverman (CS)" <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: [Open-scap] Open-scap-list Digest, Vol 96, Issue 8
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252; format=flowed
Hi Greg,
On 17/03/17 21:06, Greg Silverman (CS) wrote:
> Still having problems, the generated script is an empty file.
>
> Here is the tailoring file I created, ssg-rhel7-ds-tailoring.xml, with the
> workbench. It is just an example, to verify I can customize the scanning and
> fix generation. This tailoring should *not* check for AIDE installation, and it
> should be sure to check for FIPS compliance and, if possible, fix that:
>
> <?xml version="1.0" encoding="UTF-8"?> <xccdf:Tailoring
> xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
> id="xccdf_scap-workbench_tailoring_default">
> <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
> <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
> <xccdf:Profile
> id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized"
> extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
> <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"
> override="true">STIG for Red Hat Enterprise Linux 7 Server
> [CUSTOMIZED]</xccdf:title>
> <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml"
> xml:lang="en-US" override="true">This is a *draft* profile for STIG. This
> profile is being developed under the DoD consensus model to become a STIG in
> coordination with DISA FSO.</xccdf:description>
> <xccdf:select
> idref="xccdf_org.ssgproject.content_rule_package_aide_installed"
> selected="false"/>
> <xccdf:select
> idref="xccdf_org.ssgproject.content_rule_aide_build_database"
> selected="false"/>
> <xccdf:select
> idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking"
> selected="false"/>
> <xccdf:select idref="xccdf_org.ssgproject.content_group_aide"
> selected="false"/>
> <xccdf:select
> idref="xccdf_org.ssgproject.content_group_remediation_functions"
> selected="true"/>
> <xccdf:select idref="xccdf_org.ssgproject.content_group_fips"
> selected="true"/>
> <xccdf:select
> idref="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed"
> selected="true"/>
> <xccdf:select
> idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"
> selected="true"/>
> </xccdf:Profile>
> </xccdf:Tailoring>
>
> I ran this command
>
> oscap xccdf generate fix --profile
> xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized
> --tailoring-file ssg-rhel7-ds-tailoring.xml --output script.sh
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
>
> The script.sh file is created and there is no error, but the file is empty.
> Why???
Could you please check the version of OpenSCAP you are using?
I have tested your customization and command with OpenSCAP version 1.2.10, and
the remediation script is generated empty, but with version 1.2.13, the latest
upstream, the remediation script is ok.
--
Watson Sato
Security Technologies | Red Hat, Inc
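An added example (not code from the thread or from the OpenSCAP project): it parses an XCCDF 1.2 Tailoring document of the kind Greg posted and reports which profile id must be passed to `oscap xccdf generate fix --profile` and which rules and groups it selects or deselects, so an empty fix script can be told apart from a tailoring that simply selects nothing. The embedded document is a constructed, trimmed copy of the posted tailoring.

```python
"""Summarise the selections made by an XCCDF 1.2 Tailoring document."""
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# XCCDF 1.2 requires profile ids of the form xccdf_<reverse-DNS>_profile_<name>;
# the tailoring's own profile id (not the base profile) goes to --profile.
PROFILE_ID_RE = re.compile(r"^xccdf_[^_]+_profile_\S+$")

# Constructed sample: a trimmed copy of the tailoring posted in the thread.
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
  id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
  <xccdf:Profile id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized"
    extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
    <xccdf:title override="true">STIG for RHEL 7 Server [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_fips" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def parse_tailoring(xml_text):
    """Return {profile_id: {"extends": str, "selected": [...], "deselected": [...]}}.

    Raises ValueError if the root is not an XCCDF 1.2 Tailoring element or a
    profile id does not follow the XCCDF 1.2 naming rule.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{XCCDF_NS}}}Tailoring":
        raise ValueError(f"not an XCCDF 1.2 Tailoring document: {root.tag}")
    profiles = {}
    for prof in root.findall("xccdf:Profile", NS):
        pid = prof.get("id", "")
        if not PROFILE_ID_RE.match(pid):
            raise ValueError(f"profile id violates XCCDF 1.2 naming: {pid!r}")
        entry = {"extends": prof.get("extends"), "selected": [], "deselected": []}
        for sel in prof.findall("xccdf:select", NS):
            key = "selected" if sel.get("selected") == "true" else "deselected"
            entry[key].append(sel.get("idref"))
        profiles[pid] = entry
    return profiles


if __name__ == "__main__":
    for pid, info in parse_tailoring(SAMPLE_TAILORING).items():
        print(pid, "extends", info["extends"])
        print("  selected:  ", info["selected"])
        print("  deselected:", info["deselected"])
```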
------------------------------
End of Open-scap-list Digest, Vol 96, Issue 11