Hi all,

I'm trying to use an SCE script in an OpenSCAP data stream (ds) file, and all
I get is a "notchecked" status.

my ds file is attached
The command I start is:

[root]# oscap xccdf eval --profile xccdf_1_profile_1 rm-ds.xml

the result I get is:

Title   selinux
Rule    xccdf_1_rule_1402
Result  notchecked

I think something is wrong around Rule id="xccdf_1_rule_1402", but I don't
understand what the problem is.

The script file to execute (scap_1402.sh) is in the same directory as the xml
file, and has valid syntax and correct rights. In standalone mode it works,
but it seems that it is never called by oscap.

The OS is centos

[root]# uname -a
Linux ip-127.0.0.1.compute.internal 3.10.0-693.21.1.el7.x86_64 #1 SMP
Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The scap installed packages are:

[root]# yum list installed | grep scap
openscap.x86_64                    1.2.14-3.el7_4               @updates
openscap-engine-sce.x86_64         1.2.14-3.el7_4               @updates
openscap-scanner.x86_64            1.2.14-3.el7_4               @updates
scap-security-guide.noarch         0.1.33-6.el7.centos          @updates

Can somebody help me? BTW, excuse my English; it is not my native language.

Raymond
<ns0:data-stream-collection xmlns:dc="http://purl.org/dc/elements/1.1/";
                                                    xmlns:html="http://www.w3.org/1999/xhtml";
                                                    xmlns:ns0="http://scap.nist.gov/schema/scap/source/1.2";
                                                    xmlns:ns1="http://www.w3.org/1999/xlink";
                                                    xmlns:ns10="http://checklists.nist.gov/xccdf/1.2";
                                                    xmlns:ns12="http://www.w3.org/2000/svg";
                                                    xmlns:ns14="http://cpe.mitre.org/dictionary/2.0";
                                                    xmlns:ns2="urn:oasis:names:tc:entity:xmlns:xml:catalog"
                                                    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5";
                                                    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5";
                                                    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent";
                                                    xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix";
                                                    xmlns:red-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux";
                                                    xmlns:ns9="http://scap.nist.gov/schema/ocil/2.0";
                                                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
                                                    id="scap_1_collection_1"
                                                    schematron-version="1.2">

    <!-- Data stream index. The checklists entry scap_1_cref_1 points at
         #scap_1_comp_1, and its catalog maps the name scap_1_catalog_1 to
         #scap_1_cref_3, which the checks entry below points at #scap_1_comp_2.
         NOTE(review): the catalog has no entry for scap_1402.sh, the href used
         by the check-content-ref of rule xccdf_1_rule_1402, and no component
         visible in this listing carries that script. Presumably the scanner
         cannot resolve that href from inside the data stream; compare with the
         output of "oscap ds sds-compose" run on the plain XCCDF file to
         confirm how an SCE script is expected to be referenced. -->
    <ns0:data-stream id="scap_1_datastream_1" scap-version="1.2" timestamp="2018-12-13T04:28:31" use-case="OTHER">

            <ns0:checklists>
                    <ns0:component-ref id="scap_1_cref_1" ns1:href="#scap_1_comp_1">
                            <ns2:catalog>
                                    <ns2:uri name="scap_1_catalog_1" uri="#scap_1_cref_3"/>
                            </ns2:catalog>
                    </ns0:component-ref>
            </ns0:checklists>

            <ns0:checks>
                    <ns0:component-ref id="scap_1_cref_3" ns1:href="#scap_1_comp_2"/>
            </ns0:checks>

    </ns0:data-stream>

    <!-- Component scap_1_comp_1: the XCCDF benchmark. It defines one profile
         and one group holding two rules; the ns10 prefix is bound to the
         XCCDF 1.2 namespace on the root element. -->
    <ns0:component id="scap_1_comp_1" timestamp="2017-10-19T23:40:42">

            <ns10:Benchmark id="xccdf_1_benchmark_1" resolved="1" style="SCAP_1.2">

                    <ns10:status date="2018-04-10">draft</ns10:status>
                    <ns10:title>Guide to the Secure ACME</ns10:title>
                    <ns10:description>This guide presents a catalog of security rules</ns10:description>
                    <ns10:version>1.0</ns10:version>

                    <!-- Profile used in the posted command: it deselects rule 1401
                         and selects rule 1402, so only the SCE rule is evaluated. -->
                    <ns10:Profile id="xccdf_1_profile_1">
                            <ns10:title>ACME Security Profile 1</ns10:title>
                            <ns10:description>The profile 1 contains rules to secure ACME</ns10:description>
                            <ns10:select idref="xccdf_1_rule_1401" selected="false"/>
                            <ns10:select idref="xccdf_1_rule_1402" selected="true"/>
                    </ns10:Profile>

                    <ns10:Group id="xccdf_1_group_1">

                            <!-- OVAL-backed rule: the check resolves the name
                                 scap_1_catalog_1 through the data stream catalog and
                                 evaluates definition oval:ray:def:1401.
                                 NOTE(review): the fix script appends to, chmods and
                                 chowns a fixed name under /tmp. Remediation normally
                                 runs as root, and a predictable path in a
                                 world-writable directory can be pre-created by another
                                 local user; acceptable for a throwaway test, not for
                                 shipped content.
                                 NOTE(review): the ";" between the closing quote of the
                                 system attribute and ">" is not well-formed XML. The
                                 same ";" follows every http URL on this page but not
                                 the urn value on the ns2 declaration, so it looks like
                                 an artifact of the list archive; remove it before
                                 reusing the file. -->
                            <ns10:Rule id="xccdf_1_rule_1401" selected="true" severity="medium">
                                    <ns10:title>1.4.01-s: verify rights and permissions on file /tmp/raymond.txt</ns10:title>
                                    <ns10:description>stat -c %a /tmp/raymond.txt</ns10:description>
                                    <ns10:fix system="urn:xccdf:fix:script:sh">date >> /tmp/raymond.txt; chmod 600 /tmp/raymond.txt; chown root:root /tmp/raymond.txt</ns10:fix>
                                    <ns10:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5";>
                                            <ns10:check-content-ref href="scap_1_catalog_1" name="oval:ray:def:1401"/>
                                    </ns10:check>
                            </ns10:Rule>

                            <!-- SCE rule, the one reported as "notchecked".
                                 NOTE(review): OpenSCAP selects the SCE engine by the
                                 check system URI http://open-scap.org/page/SCE. The
                                 value below is a different string (it looks like the
                                 address the project web site was served from), so the
                                 scanner presumably finds no engine for it, which would
                                 match the reported result; confirm by changing the
                                 system attribute to the URI above.
                                 NOTE(review): href="scap_1402.sh" is a bare file name
                                 that the data stream catalog does not map; see whether
                                 the script has to be embedded in the data stream or the
                                 XCCDF evaluated as a standalone file next to it.
                                 check-import asks for the script's stdout to be copied
                                 into the results.
                                 An SCE check executes the referenced script with the
                                 privileges of the oscap process (root in the posted
                                 command), so the script and its directory should be
                                 writable by root only and the content should come from
                                 a trusted source. -->
                            <ns10:Rule id="xccdf_1_rule_1402" selected="true" severity="medium">
                                    <ns10:title>selinux</ns10:title>
                                    <ns10:description>Checks if you have SELinux enabled</ns10:description>
                                    <ns10:check system="http://wordpress-www-open-scap-org.b9ad.pro-us-east-1.openshiftapps.com/page/SCE";>
                                            <ns10:check-import import-name="stdout" />
                                            <ns10:check-content-ref href="scap_1402.sh" />
                                    </ns10:check>
                            </ns10:Rule>

                    </ns10:Group>

            </ns10:Benchmark>

    </ns0:component>

    <!-- Component scap_1_comp_2: the OVAL definitions referenced by rule
         xccdf_1_rule_1401. It holds one compliance definition with a single
         file_test on /tmp/raymond.txt. The SCE rule xccdf_1_rule_1402 does not
         use anything in this component. -->
    <ns0:component id="scap_1_comp_2" timestamp="2018-04-03T23:40:40">

            <!-- NOTE(review): the ";" after the xmlns value is not well-formed XML
                 and looks like a list archive artifact; remove it before reuse. -->
            <oval_definitions      xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5";>

                    <generator>
                            <oval:product_name>ACME Hardening</oval:product_name>
                            <oval:schema_version>5.10.1</oval:schema_version>
                            <oval:timestamp>2018-04-10T08:00:00</oval:timestamp>
                    </generator>

                    <definitions>

                            <!-- Single criterion: the definition is true when test
                                 oval:ray:tst:1401 is true. -->
                            <definition id="oval:ray:def:1401" version="1" class="compliance">
                                    <metadata>
                                            <title>1.4.01-s: 1.4.01-s: verify rights and permissions on file /tmp/raymond.txt</title>
                                            <description>stat -c %a /tmp/raymond.txt</description>
                                    </metadata>
                                    <criteria operator="AND">
                                            <criterion test_ref="oval:ray:tst:1401" comment="1401"/>
                                    </criteria>
                            </definition>

                    </definitions>

                    <tests>

                            <!-- check="all": every item collected for the object must
                                 satisfy the referenced state. -->
                            <unix-def:file_test id="oval:ray:tst:1401" comment="oval:ray:tst:1.4.01" version="1" check="all">
                                    <unix-def:object object_ref="oval:ray:obj:1401"/>
                                    <unix-def:state state_ref="oval:ray:ste:1401"/>
                            </unix-def:file_test>

                    </tests>

                    <objects>

                            <!-- The file examined, given as one literal path. -->
                            <unix-def:file_object id="oval:ray:obj:1401" version="1">
                                    <unix-def:filepath>/tmp/raymond.txt</unix-def:filepath>
                            </unix-def:file_object>

                    </objects>

                    <states>

                            <!-- Required state: owner uid 0, group gid 0, no execute bit
                                 for user, group or other, and no write bit for group or
                                 other.
                                 NOTE(review): the read bits and the user write bit are
                                 not constrained, so a file with mode 644 satisfies this
                                 state although the fix text of rule xccdf_1_rule_1401
                                 sets mode 600. Add gread and oread entities set to false
                                 if 600 is the intended requirement. -->
                            <unix-def:file_state id="oval:ray:ste:1401" version="1">
                                    <unix-def:group_id operation="equals" datatype="int">0</unix-def:group_id>
                                    <unix-def:user_id operation="equals" datatype="int">0</unix-def:user_id>
                                    <unix-def:uexec operation="equals" datatype="boolean">false</unix-def:uexec>
                                    <unix-def:gwrite operation="equals" datatype="boolean">false</unix-def:gwrite>
                                    <unix-def:gexec operation="equals" datatype="boolean">false</unix-def:gexec>
                                    <unix-def:owrite operation="equals" datatype="boolean">false</unix-def:owrite>
                                    <unix-def:oexec operation="equals" datatype="boolean">false</unix-def:oexec>
                            </unix-def:file_state>

                    </states>

            </oval_definitions>

    </ns0:component>