Hey list,

I'm probably looking at this the wrong way, but I thought that if one 
includes OVAL checks in the XCCDF rules, one would be able to use "oscap 
xccdf eval" - but that just returns a bunch of notchecked results.

Or am I doing something wrong?

$ oscap xccdf eval test_xccdf.xml
Title   Test 12345
Rule    xccdf_test_rule_RULE-001001
Ident   RULE-001001
Result  notchecked

$ oscap oval eval test_oval.xml
Definition oval:com.test:def:1: true
Evaluation done.
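<?xml version="1.0" encoding="UTF-8"?>
<!--
  test_xccdf.xml: minimal XCCDF 1.2 benchmark with a single rule whose check
  points at definition oval:com.test:def:1 in test_oval.xml.

  Two things differ from the file as it was posted:
    * the stray ";" that the list archive appended after URL-valued attributes
      has been removed, since the document is not well-formed with it;
    * the check system on the rule has been corrected (see the comment on
      the check element below).
-->
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           id="xccdf_test_benchmark_1"
           resolved="1"
           xml:lang="en">
  <status date="2018-03-26">draft</status>
  <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">Configuration Baseline</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">The full configuration baseline</description>
  <notice xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">A benchmark.</notice>
  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  <version>0.99</version>
  <model system="urn:xccdf:scoring:default"/>
  <model system="urn:xccdf:scoring:flat"/>
  <model system="urn:xccdf:scoring:flat-unweighted"/>
  <!--
    The idrefs below look like cluster-id values rather than item ids; of
    these, only "application" matches a cluster-id present in this file.
    The command shown in the post passed no profile option, so this profile
    is not what selected the rule: the rule is evaluated because it carries
    selected="true" itself.
  -->
  <Profile id="xccdf_test_profile_all">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">Full validation profile</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">In this profile, we document the full configuration set applicable to the technology.</description>
    <select idref="tbd" selected="true"/>
    <select idref="application" selected="true"/>
    <select idref="application-pending" selected="true"/>
    <select idref="instance" selected="true"/>
    <select idref="instance-pending" selected="true"/>
    <select idref="system" selected="true"/>
    <select idref="system-pending" selected="true"/>
    <select idref="network" selected="true"/>
    <select idref="network-pending" selected="true"/>
    <select idref="organization" selected="true"/>
    <select idref="organization-pending" selected="true"/>
    <select idref="group" selected="true"/>
    <select idref="group-pending" selected="true"/>
  </Profile>
  <Group id="xccdf_test_group_software_deployments_and_file_systems">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">Software Deployments and File Systems</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">In this chapter, we document rules related to the installation of the technology, the files and resources (locations and permissions) and file systems.</description>
    <Group id="xccdf_test_group_software_deployments_and_file_systems-file_systems">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">File Systems</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">In this section, we look at file systems, mount points and mount options, as well as file system tuning.</description>
      <Group id="xccdf_test_group_software_deployments_and_file_systems-file_systems-hadoopsd">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">/hadoop/sd*</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">Hadoop DataNode data block filesystem</description>
        <!--
          NOTE(review): weight="0.000000" together with severity="high" means
          this rule should not contribute to the benchmark score under the
          weighted scoring models; confirm that this is intended.
        -->
        <Rule id="xccdf_test_rule_RULE-001001" cluster-id="application" selected="true" weight="0.000000" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">Test 12345</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">TEST 1344</description>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">TEST 134</rationale>
          <ident system="https://internal/scb">RULE-001001</ident>
          <fixtext xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en">Check this and that</fixtext>
          <!--
            The posted file used system="http://oval.mitre.org/XMLSchema/oval-common-5"
            here. That URI is the OVAL common schema namespace, not a checking
            system; oscap finds no checking engine for it and reports the rule
            as "notchecked" without ever opening test_oval.xml. The OVAL
            checking system is identified by the definitions namespace, as
            used below.

            href is resolved relative to this benchmark, so the verdict is
            only as trustworthy as the OVAL file that sits at that path: ship
            and integrity-protect the two files together.
          -->
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:com.test:def:1" href="test_oval.xml"/>
          </check>
        </Rule>
      </Group>
    </Group>
  </Group>
</Benchmark>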
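<?xml version='1.0' encoding='utf-8'?>
<!--
  test_oval.xml: one compliance definition (oval:com.test:def:1) that tests
  for mounted partitions, referenced from the XCCDF rule RULE-001001.

  The stray ";" that the list archive appended after URL-valued attributes has
  been removed; the document is not well-formed with it. Nothing else in the
  content is changed.

  xsi:schemaLocation names local .xsd files by relative path. Treat it as a
  hint only: validate against schema copies you control rather than whatever
  the document points at.
-->
<oval_definitions xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
  <generator>
    <oval:product_name>Convertor</oval:product_name>
    <oval:schema_version>5.11.1</oval:schema_version>
    <oval:timestamp>2018-04-26T10:45:00.692336</oval:timestamp>
  </generator>
  <definitions>
    <definition class="compliance" id="oval:com.test:def:1" version="1">
      <metadata>
        <title>Mount test</title>
        <description>mount test</description>
        <!-- Back-reference to the XCCDF ident that uses this definition. -->
        <reference ref_id="RULE-001001" source="XCCDF"/>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
      </metadata>
      <criteria operator="AND">
        <!--
          The comment attribute says "/home", but the variable that feeds the
          test also lists /export/home; keep the two in step so that a report
          reader is not misled about what was checked.
        -->
        <criterion comment="/home" test_ref="oval:com.test:tst:1"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!--
      No state is referenced, so the result depends only on whether the
      object collects items, as governed by check_existence. Mount options
      are not examined by this test.
    -->
    <partition_test check="all" check_existence="all_exist" comment="Mount test" id="oval:com.test:tst:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
      <object object_ref="oval:com.test:obj:1"/>
    </partition_test>
  </tests>
  <objects>
    <partition_object id="oval:com.test:obj:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
      <!--
        NOTE(review): var_check="at least one" against a two-value variable
        presumably lets the test pass when only one of /home and /export/home
        is a mount point; confirm that this is the intended requirement.
      -->
      <mount_point var_check="at least one" var_ref="oval:com.test:var:1"/>
    </partition_object>
  </objects>
  <variables>
    <constant_variable comment="Home dirs" datatype="string" id="oval:com.test:var:1" version="1">
      <value>/home</value>
      <value>/export/home</value>
    </constant_variable>
  </variables>
</oval_definitions>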