Classification: UNCLASSIFIED
Caveats: NONE

Using the version of OpenSCAP shipped with RHEL6, and the mostly-latest git content (as of 12 May), checks involving probe_file seem to be taking a lot longer. Select output of ps faxw below, with the names changed to protect the non-compliant:

19431 ?  S       0:00  \_ /usr/bin/oscap xccdf eval --profile stig-rhel6-server-upstream --results hostname.example.com_scap_el6.xml --report hostname.example.com_scap_el6.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
19445 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_system_info
19450 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_system_info
19455 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_family
19460 ?  Sl      0:01      \_ /usr/libexec/openscap/probe_rpmverifyfile
19647 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_system_info
19653 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_family
19658 ?  Sl      0:01      \_ /usr/libexec/openscap/probe_rpmverifyfile
20459 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_partition
20468 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_rpminfo
20476 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_textfilecontent54
20496 ?  Sl      1:44      \_ /usr/libexec/openscap/probe_rpmverifyfile
62754 ?  Sl      0:00      \_ /usr/libexec/openscap/probe_runlevel
62765 ?  Sl   9553:55      \_ /usr/libexec/openscap/probe_file

I started the scans on ~50 systems yesterday, and only half of them have finished (seems to be the ones with very few files). It sits on the first of these checks for quite a while, then moves on to sitting on the second one (see in the output, which I redirect to text files):

Title   Ensure No World-Writable Files Exist
Rule    world_writeable_files
Ident   CCE-26910-0
Result  fail

Title   Ensure All Files Are Owned by a User
Rule    no_files_unowned_by_user
Ident   CCE-27032-2

Scans used to complete a lot more quickly (as in, minutes), so I'm not sure what happened. I didn't catch any messages over the past few days about this; sorry if I missed them, but I'm (naturally) mid-inspection, which is what these are for...

It looks like the *17 release hasn't made it into EPEL yet, or I might try that; there are enough improvements since the 0.1-16 release that I don't want to go back that far.

--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CIO, Unix Support

Classification: UNCLASSIFIED
Caveats: NONE
