Hi Marek,


Thanks for your reply.



I'm using the RHEL7 xccdf that is shipped with scap security guide. So based on 
your reply it looks like, these XCCDF xmls which are part of ssg will not have 
CVE linked.



In that case, can you please guide me the location from where I can get the 
required xmls for evaluating all platforms supported by OSCAP?



Also, is the command going to be similar to xccdf, right now I'm using below 
two commands,

oscap xccdf eval --profile <profile_name> --results <result_xml> --progress 
<xccdf_xml>

oscap xccdf eval --remediate --profile <profile_name> --tailoring-file 
<tailoring_file> --results <result_xml> --progress <xccdf_xml>



Will the command remain same for oval as well, except for changing "oscap xccdf 
eval" to "oscap oval eval"? Please clarify.



Regards,

Bharath M



-----Original Message-----
From: Marek Haicman <mhaic...@redhat.com>
Sent: Thursday, August 30, 2018 5:53 PM
To: Mohanraj, Bharath <bharath_mohanraj...@bmc.com>; open-scap-list 
<open-scap-list@redhat.com>
Subject: Re: [Open-scap] OSCAP - CVE information



On 08/30/2018 02:05 PM, Mohanraj, Bharath wrote:

> Hi Team,

>

> I'm using the oscap scanner on linux boxes, for triggering "oscap

> xccdf eval" command. In the output generated, one of the info I would

> need to present is the CVE for each rule. However, I don't see the CVE

> info for the rules  in the xccdf xmls (no <ident> tag for CVEs under the 
> rules).

>

> Can you please help me understand how I can capture the CVE associated

> with each rule?

>

> Regards,

>

> Bharath M



Hello Bharath,

what xccdf xmls are you using? In case you target RHEL, then CVE 
vulnerabilities are detected using content downloaded from 
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.redhat.com_security_data_oval_&d=DwID-g&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=AUaowh4kDgwmfFF8B9dpIGVcrfeOZDaHu6Di1CZTnp4&m=kMwq-DtTaQQ9c8tjyXsXju19K6K3emMl8b7SruHINqw&s=frx6brG1Kc18pnlMd88AWwt5zzw3ub6N5OhX2PSOZJE&e=
  and scanned using `oscap oval eval`. Content shipped in SCAP Security Guide 
is configuration guidance which is different approach to security. Thus no CVE 
information is linked.



In case you consume CVE content for different platforms, it's up to them to 
produce it with proper metadata.



Hope it helps,

Marek
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Reply via email to