Similar results with Ububtu 16.04. Not all results were notapplicable, score 
was given as 25%.

After building openscap and ComplianceAsCode/content I ran:

sudo oscap xccdf eval –profile standard –results ./xccdf-results.xml –cpe 

sudo oscap oval eval –results ./oval-results.xml 

sudo oscap xccdf generate report –oval-template ./oval-results.xml 
./xccdf-results.xml > ./report-xccdf-oval.html

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.


sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report 
./report-ds.html –results ./results-ds.xml 

produced the same numbers in the ds-generated report.

I see the value in using the data stream. But the “notapplicable” items are 
largely applicable and should be evaluated.


William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620<>

From: Gary Gapinski []
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William <>
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

On 1/25/19 10:33 AM, Boucher, William wrote:
Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.
If I am building OpenSCAP over my previous install of the libopenscap8 package, 
do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and 
preferentially (via $PATH) rather than the one from the distro (or just not 
install from the distro). I use cmake-gui ../ from within the openscap/build 
directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, 
configure, generate; make; sudo make install). Installing on top of the distro 
version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from 
the cloned (and built) repo, but if you install it I think it best to choose 
the same installation target (e.g., /usr/local) as that of OpenSCAP.

A functional (and available) install of OpenSCAP is a pre-requisite for 
building ComplianceAsCode.



Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959<tel:+1%20216%20433%203959> — office
℡ +1 216 820 1849<tel:+1%20216%20820%201849> — mobile<>
Open-scap-list mailing list

Reply via email to