In a nut shell, I get the sense that the distributions SL and CentOS are not altering these for their respective distributions.
On Thu, Aug 14, 2014 at 4:25 PM, Jeremiah Jahn <jerem...@goodinassociates.com> wrote: > I'm using it for SL6. The problem is in openscap-cpe-oval.xml. The > test for release is searching on RedHat only. > > I've changed mine to the following: notice the (redhat|sl) on the > second line. You should be able to change it to whatever the > centos-release rpm says. I can't remember right now if SSG is where I > got the original xml file, or if it's the one from open-scap. It's > very possible that you'll have to make sure that you'll have to alter > the ssg-rhel6-cpe-dictionary.xml to point to your altered cpe-oval > file. I've attached them just incase, but it took some tweaking. > > <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1" > xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux";> > <name operation="pattern match">^(redhat|sl)-release</name> > <version operation="pattern match">^6[^\d]</version> > </rpminfo_state> > > > > On Thu, Aug 14, 2014 at 3:46 PM, Greg Elin <grege...@gitmachines.com> wrote: >> I would like to start this thread up again. >> >> Any good Urls to explanations on all this is appreciated! >> >> I'm about to spend the rest of the day trying to understand CPE and why I >> was able to get results scanning CentOS 6.5 on one AMI I configured back in >> Jan/Feb without rebuilding the source but and now getting "not applicable" >> across the board for CentOS 6.5. (I may have git cloned the Fedora Repo in >> Jan/Feb while I am using EPEL repos more recently.) >> >> My plan is to examine the respective installs, read whatever docs I can >> find, and look at NIST SP 800-126 (the SCAP spec - >> http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf). >> >> Help in anyway to speed me on my journey is appreciated! >> >> Greg Elin >> http://govready.org - Making FISMA compliance easier for innovators >> >> email: grege...@gitmachines.com >> phone: 917-304-3488 >> >> >> >> >> >> >> On Thu, Jul 3, 2014 at 11:35 AM, Stuart Green <stuart.gr...@doccentrics.com> >> wrote: >>> >>> >>>> ----- Original Message ----- >>>>> >>>>> From: "Stuart Green" <stuart.gr...@doccentrics.com> >>>>> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org> >>>>> Sent: Wednesday, July 2, 2014 2:54:57 PM >>>>> Subject: Re: Anyone using rhel6 ssg for centos6? >>>>> >>>>> >>>>> >>>>>> ----- Original Message ----- >>>>>>> >>>>>>> From: "Simon Lukasik" <sluka...@redhat.com> >>>>>>> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org> >>>>>>> Sent: Tuesday, July 1, 2014 1:05:10 PM >>>>>>> Subject: Re: Anyone using rhel6 ssg for centos6? >>>>>>> >>>>>>> On 06/18/2014 03:41 PM, Rui Pedro Bernardino wrote: >>>>>>>> >>>>>>>> … it seems OpenSCAP is using it’s own ‘openscap-cpe-dict.xml’ and >>>>>>>> that’s >>>>>>>> why the SSG platform check “works”. The checks in >>>>>>>> ‘ssg-rhel6-cpe-dictionary.xml’ fail always. >>>>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> I am sorry for the late response, but I would like to put a bit of >>>>>>> light >>>>>>> into this. >>>>>>> >>>>>>> OpenSCAP uses its inbuilt CPE dictionary when the CPE is not provided >>>>>>> from the outside. This behavior is in line with SCAP requirements for >>>>>>> certified scanner. >>>>>>> >>>>>>> If you are not satisfied with inbuilt CPE name you may need to specify >>>>>>> --cpe command-line option to the scanner. >>>>>>> >>>>>>> For review of inbuilt CPE names run: >>>>>>> >>>>>>> # oscap --version >>>>>>> >>>>>>> In OpenSCAP upstream we try to give good guidance on: how a particular >>>>>>> CPE name shall be implemented [1]. We welcome comments, patches, as >>>>>>> well >>>>>>> as implementation of new platforms. >>>>>>> >>>>>>> I remember, I have recently added CPE names for CentOS 5, 6, and 7. >>>>>>> However, I am unsure whether this new names are been released to the >>>>>>> downstreams. >>>>>> >>>>>> This is the commit in question: >>>>>> >>>>>> >>>>>> https://git.fedorahosted.org/cgit/openscap.git/commit/?id=e09f29496081a0525cda0b18299bccb9803baf76 >>>>>> >>>>>> It is part of the master branch, there have been no releases that >>>>>> contain >>>>>> it yet. The next release with this change will be openscap 1.1.0. This >>>>>> commit may be a good candidate for a downstream patch in the CentOS >>>>>> package. >>>>>> >>>>> Yes please!! >>>> >>>> Please lobby at the appropriate place - https://bugs.centos.org >>> >>> To clarify, you're asking me to raise a request detailing Simon's commit >>> on bugs.centos.org? >>> >>> >>> >>> -- >>> SCAP Security Guide mailing list >>> scap-security-guide@lists.fedorahosted.org >>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide >>> https://github.com/OpenSCAP/scap-security-guide/ >> >> >> >> -- >> SCAP Security Guide mailing list >> scap-security-guide@lists.fedorahosted.org >> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide >> https://github.com/OpenSCAP/scap-security-guide/ -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
