> If state is given, the test logic is more like this:
>
> # Am I vulnerable?
> if [ oval:com.redhat.rhsa:obj:20140675005 ] && [ oval:com.redhat.rhsa:ste:20140675003 ]; then
>     echo "VULNERABLE"
> else
>     echo "NOT VULNERABLE"
> fi
It does, this makes more sense now as to why the results are what they are. For context, we run a mix of RHEL and CentOS systems (mostly to align with the environments of our clients) and I'm working on trying to automatically adapt the RHSA SCAP content to also work on our CentOS boxes. The initial results were "everything passed", which I didn't think it should have. So I dug through the "patch" class definition in the OVAL spec and that helped to better explain the results I was getting. I was thinking the test was checking whether something was fixed, but it's actually checking whether something is broken. The difference is a subtle but important one. On the CentOS machine, the tests were essentially saying "I don't see the vulnerable Red Hat packages on here so you don't need the patch. PASS!" It should be pretty straightforward to adapt the content to look for the right conditions now that I better understand how the tests and patch class definitions actually work.

Thanks for the help, Shawn!

- Chuck.
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
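The evaluation the thread describes, as an added example that is not part of the thread and not OpenSCAP's own code: an OVAL rpminfo_test is TRUE (the "patch" definition says vulnerable) only when the object, the package by name, exists on the host AND at least one installed item matches the state; a package that is absent, or that is present but does not satisfy the state, yields FALSE, which the report shows as a pass. Red Hat's published states carry an EVR "less than" bound and a signing-key criterion; the package name, EVR strings and key ids below are placeholders I constructed, not real RHSA values, and the `rpminfo_test` / `patch_definition_vulnerable` functions are my model of the logic rather than OpenSCAP's evaluator. The EVR comparison follows rpm's rpmvercmp segment rules (numeric segments compared as integers, a numeric segment beats an alphabetic one), which is the part worth getting right when rewriting states for CentOS.

```python
"""Model of OVAL 'patch' class evaluation: vulnerable == object exists AND state matches.
All hosts, packages, EVRs and key ids here are constructed sample data (assumptions)."""
import re


def _segments(s):
    # rpmvercmp-style tokenisation: runs of digits and runs of letters; separators are ignored
    return re.findall(r"\d+|[a-zA-Z]+", s)


def _cmp_part(a, b):
    """Compare one version or release string the way rpmvercmp does."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum and ynum:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xnum != ynum:
            return 1 if xnum else -1  # numeric segment is newer than an alpha segment
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win


def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or "0"), version, release


def evr_cmp(a, b):
    """Return <0, 0, >0 as a is older than, equal to, or newer than b."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_part(va, vb) or _cmp_part(ra, rb)


class RpminfoState:
    """Subset of rpminfo_state: evr 'less than' plus a signature_keyid 'equals'."""

    def __init__(self, evr_less_than, signature_keyid=None):
        self.evr_less_than = evr_less_than
        self.signature_keyid = signature_keyid

    def matches(self, item):
        if evr_cmp(item["evr"], self.evr_less_than) >= 0:
            return False  # already at or past the fixed EVR
        if self.signature_keyid is not None and item["keyid"] != self.signature_keyid:
            return False  # signed with a different key: "not the Red Hat package"
        return True


def rpminfo_test(inventory, name, state):
    """TRUE only if the object (package name) exists AND some installed item matches the state."""
    items = inventory.get(name, [])
    if not items:
        return False  # object does not exist -> test FALSE -> reported as a pass
    return any(state.matches(i) for i in items)


def patch_definition_vulnerable(inventory, tests):
    """criteria operator='OR' over the affected packages: any TRUE test means vulnerable."""
    return any(rpminfo_test(inventory, name, st) for name, st in tests)


def verdict(inventory, tests):
    # Same shape as the shell sketch in the thread: [ obj ] && [ ste ] -> VULNERABLE
    return "VULNERABLE" if patch_definition_vulnerable(inventory, tests) else "NOT VULNERABLE"


# Constructed placeholders; not real key ids, package names or RHSA EVRs.
REDHAT_KEY = "redhat-signing-key-placeholder"
CENTOS_KEY = "centos-signing-key-placeholder"
FIXED_EVR = "0:1.2.3-5.el6"

# Vendor-style content: the state insists on the Red Hat signing key.
RHSA_TESTS = [("examplepkg", RpminfoState(FIXED_EVR, signature_keyid=REDHAT_KEY))]
# Adapted content: same EVR bound, but the key the CentOS rebuild is signed with.
CENTOS_ADAPTED_TESTS = [("examplepkg", RpminfoState(FIXED_EVR, signature_keyid=CENTOS_KEY))]

RHEL_HOST = {"examplepkg": [{"evr": "0:1.2.3-4.el6", "keyid": REDHAT_KEY}]}
CENTOS_HOST = {"examplepkg": [{"evr": "0:1.2.3-4.el6", "keyid": CENTOS_KEY}]}
PATCHED_CENTOS_HOST = {"examplepkg": [{"evr": "0:1.2.3-5.el6", "keyid": CENTOS_KEY}]}

if __name__ == "__main__":
    print("RHEL, vendor content:           ", verdict(RHEL_HOST, RHSA_TESTS))
    print("CentOS, vendor content:         ", verdict(CENTOS_HOST, RHSA_TESTS))  # the misleading pass
    print("CentOS, adapted content:        ", verdict(CENTOS_HOST, CENTOS_ADAPTED_TESTS))
    print("patched CentOS, adapted content:", verdict(PATCHED_CENTOS_HOST, CENTOS_ADAPTED_TESTS))
    print("package not installed:          ", verdict({}, RHSA_TESTS))
```

The second line of output is the case from the thread: the CentOS host carries the same old EVR, but the state's key criterion fails, so the test is FALSE and the definition reads as "not vulnerable". Relaxing or rewriting the key criterion (third line) makes the EVR bound do the work again, while a host already at the fixed EVR (fourth line) still passes for the right reason. In real content these pieces are the rpminfo_object, rpminfo_state and criteria elements of the OVAL XML rather than Python objects.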
