I'm using it for SL6. The problem is in openscap-cpe-oval.xml. The
test for release is searching on RedHat only.

I've changed mine to the following: notice the (redhat|sl) on the
second line. You should be able to change it to whatever the
centos-release rpm says. I can't remember right now if SSG is where I
got the original xml file, or if it's the one from open-scap. It's
very possible that you'll have to make sure that you'll have to alter
the ssg-rhel6-cpe-dictionary.xml to point to your altered cpe-oval
file. I've attached them just in case, but it took some tweaking.

<rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <name operation="pattern match">^(redhat|sl)-release</name>
                  <version operation="pattern match">^6[^\d]</version>
            </rpminfo_state>



On Thu, Aug 14, 2014 at 3:46 PM, Greg Elin <grege...@gitmachines.com> wrote:
> I would like to start this thread up again.
>
> Any good URLs to explanations on all this are appreciated!
>
> I'm about to spend the rest of the day trying to understand CPE and why I
> was able to get results scanning CentOS 6.5 on one AMI I configured back in
> Jan/Feb without rebuilding the source but am now getting "not applicable"
> across the board for CentOS 6.5. (I may have git cloned the Fedora Repo in
> Jan/Feb while I am using EPEL repos more recently.)
>
> My plan is to examine the respective installs, read whatever docs I can
> find, and look at NIST SP 800-126 (the SCAP spec -
> http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf).
>
> Help in any way to speed me on my journey is appreciated!
>
> Greg Elin
> http://govready.org - Making FISMA compliance easier for innovators
>
> email: grege...@gitmachines.com
> phone: 917-304-3488
>
> On Thu, Jul 3, 2014 at 11:35 AM, Stuart Green <stuart.gr...@doccentrics.com>
> wrote:
>>
>>
>>> ----- Original Message -----
>>>>
>>>> From: "Stuart Green" <stuart.gr...@doccentrics.com>
>>>> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
>>>> Sent: Wednesday, July 2, 2014 2:54:57 PM
>>>> Subject: Re: Anyone using rhel6 ssg for centos6?
>>>>
>>>>
>>>>
>>>>> ----- Original Message -----
>>>>>>
>>>>>> From: "Simon Lukasik" <sluka...@redhat.com>
>>>>>> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
>>>>>> Sent: Tuesday, July 1, 2014 1:05:10 PM
>>>>>> Subject: Re: Anyone using rhel6 ssg for centos6?
>>>>>>
>>>>>> On 06/18/2014 03:41 PM, Rui Pedro Bernardino wrote:
>>>>>>>
>>>>>>> … it seems OpenSCAP is using its own ‘openscap-cpe-dict.xml’ and
>>>>>>> that’s
>>>>>>> why the SSG platform check “works”. The checks in
>>>>>>> ‘ssg-rhel6-cpe-dictionary.xml’ fail always.
>>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I am sorry for the late response, but I would like to put a bit of
>>>>>> light
>>>>>> into this.
>>>>>>
>>>>>> OpenSCAP uses its inbuilt CPE dictionary when the CPE is not provided
>>>>>> from the outside. This behavior is in line with SCAP requirements for
>>>>>> a certified scanner.
>>>>>>
>>>>>> If you are not satisfied with inbuilt CPE name you may need to specify
>>>>>> --cpe command-line option to the scanner.
>>>>>>
>>>>>> For review of inbuilt CPE names run:
>>>>>>
>>>>>>        # oscap --version
>>>>>>
>>>>>> In OpenSCAP upstream we try to give good guidance on: how a particular
>>>>>> CPE name shall be implemented [1]. We welcome comments, patches, as
>>>>>> well
>>>>>> as implementation of new platforms.
>>>>>>
>>>>>> I remember, I have recently added CPE names for CentOS 5, 6, and 7.
>>>>>> However, I am unsure whether these new names have been released to the
>>>>>> downstreams.
>>>>>
>>>>> This is the commit in question:
>>>>>
>>>>>
>>>>> https://git.fedorahosted.org/cgit/openscap.git/commit/?id=e09f29496081a0525cda0b18299bccb9803baf76
>>>>>
>>>>> It is part of the master branch, there have been no releases that
>>>>> contain
>>>>> it yet. The next release with this change will be openscap 1.1.0. This
>>>>> commit may be a good candidate for a downstream patch in the CentOS
>>>>> package.
>>>>>
>>>> Yes please!!
>>>
>>> Please lobby at the appropriate place - https://bugs.centos.org
>>
>> To clarify, you're asking me to raise a request detailing Simon's commit
>> on bugs.centos.org?
>>
>>
>>
>> --
>> SCAP Security Guide mailing list
>> scap-security-guide@lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>> https://github.com/OpenSCAP/scap-security-guide/
<?xml version="1.0" encoding="utf-8"?>
<oval_definitions
    xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <generator>
            <oval:product_name>vim</oval:product_name>
            <oval:schema_version>5.10.1</oval:schema_version>
            <oval:timestamp>2012-11-22T15:00:00+01:00</oval:timestamp>
      </generator>
      <definitions>
            <definition class="inventory" id="oval:org.open-scap.cpe.rhel:def:1" version="1">
                  <metadata>
                        <title>Red Hat Enterprise Linux</title>
                        <affected family="unix">
                              <platform>Red Hat Enterprise Linux</platform>
                        </affected>
                        <reference ref_id="cpe:/o:redhat:enterprise_linux" source="CPE"/>
                        <description>The operating system installed on the system is Red Hat Enterprise Linux</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Red Hat Enterprise Linux is installed" test_ref="oval:org.open-scap.cpe.rhel:tst:2"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.rhel:def:5" version="1">
                  <metadata>
                        <title>Red Hat Enterprise Linux 5</title>
                        <affected family="unix">
                              <platform>Red Hat Enterprise Linux 5</platform>
                        </affected>
                        <reference ref_id="cpe:/o:redhat:enterprise_linux:5" source="CPE"/>
                        <description>The operating system installed on the system is Red Hat Enterprise Linux 5</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Red Hat Enterprise Linux 5 is installed" test_ref="oval:org.open-scap.cpe.rhel:tst:5"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.rhel:def:6" version="1">
                  <metadata>
                        <title>Red Hat Enterprise Linux 6</title>
                        <affected family="unix">
                              <platform>Red Hat Enterprise Linux 6</platform>
                        </affected>
                        <reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE"/>
                        <description>The operating system installed on the system is Red Hat Enterprise Linux 6</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Red Hat Enterprise Linux 6 is installed" test_ref="oval:org.open-scap.cpe.rhel:tst:6"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.rhel:def:7" version="1">
                  <metadata>
                        <title>Red Hat Enterprise Linux 7</title>
                        <affected family="unix">
                              <platform>Red Hat Enterprise Linux 7</platform>
                        </affected>
                        <reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
                        <description>The operating system installed on the system is Red Hat Enterprise Linux 7</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Red Hat Enterprise Linux 7 is installed" test_ref="oval:org.open-scap.cpe.rhel:tst:7"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.fedora:def:16" version="1">
                  <metadata>
                        <title>Fedora 16</title>
                        <affected family="unix">
                            <platform>Fedora 16</platform>
                        </affected>
                        <reference ref_id="cpe:/o:fedoraproject:fedora:16" source="CPE"/>
                        <description>The operating system installed on the system is Fedora 16</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Fedora 16 is installed" test_ref="oval:org.open-scap.cpe.fedora:tst:16"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.fedora:def:17" version="1">
                  <metadata>
                        <title>Fedora 17</title>
                        <affected family="unix">
                            <platform>Fedora 17</platform>
                        </affected>
                        <reference ref_id="cpe:/o:fedoraproject:fedora:17" source="CPE"/>
                        <description>The operating system installed on the system is Fedora 17</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Fedora 17 is installed" test_ref="oval:org.open-scap.cpe.fedora:tst:17"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.fedora:def:18" version="1">
                  <metadata>
                        <title>Fedora 18</title>
                        <affected family="unix">
                            <platform>Fedora 18</platform>
                        </affected>
                        <reference ref_id="cpe:/o:fedoraproject:fedora:18" source="CPE"/>
                        <description>The operating system installed on the system is Fedora 18</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Fedora 18 is installed" test_ref="oval:org.open-scap.cpe.fedora:tst:18"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.fedora:def:19" version="1">
                  <metadata>
                        <title>Fedora 19</title>
                        <affected family="unix">
                            <platform>Fedora 19</platform>
                        </affected>
                        <reference ref_id="cpe:/o:fedoraproject:fedora:19" source="CPE"/>
                        <description>The operating system installed on the system is Fedora 19</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Fedora 19 is installed" test_ref="oval:org.open-scap.cpe.fedora:tst:19"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.fedora:def:20" version="1">
                  <metadata>
                        <title>Fedora 20</title>
                        <affected family="unix">
                            <platform>Fedora 20</platform>
                        </affected>
                        <reference ref_id="cpe:/o:fedoraproject:fedora:20" source="CPE"/>
                        <description>The operating system installed on the system is Fedora 20</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Fedora 20 is installed" test_ref="oval:org.open-scap.cpe.fedora:tst:20"/>
                  </criteria>
            </definition>
            <definition class="inventory" id="oval:org.open-scap.cpe.fedora:def:21" version="1">
                  <metadata>
                        <title>Fedora 21</title>
                        <affected family="unix">
                            <platform>Fedora 21</platform>
                        </affected>
                        <reference ref_id="cpe:/o:fedoraproject:fedora:21" source="CPE"/>
                        <description>The operating system installed on the system is Fedora 21</description>
                  </metadata>
                  <criteria>
                        <criterion comment="Installed operating system is part of the unix family" test_ref="oval:org.open-scap.cpe.rhel:tst:1"/>
                        <criterion comment="Fedora 21 is installed" test_ref="oval:org.open-scap.cpe.fedora:tst:21"/>
                  </criteria>
            </definition>
      </definitions>
      <tests>
            <family_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.rhel:tst:1" version="1" check="only one" 
                  comment="installed operating system is part of the Unix family" 
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
                  <object object_ref="oval:org.open-scap.cpe.unix:obj:1"/>
                  <state state_ref="oval:org.open-scap.cpe.unix:ste:1"/>
            </family_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.rhel:tst:2" version="1" check="at least one" comment="/etc/redhat-release is provided by redhat-release package"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.redhat-release:obj:3"/>
                  <state state_ref="oval:org.open-scap.cpe.rhel:ste:2"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.rhel:tst:5" version="1" check="at least one" comment="redhat-release is version 5"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.redhat-release:obj:1"/>
                  <state state_ref="oval:org.open-scap.cpe.rhel:ste:5"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.rhel:tst:6" version="1" check="at least one" comment="redhat-release is version 6"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.redhat-release:obj:3"/>
                  <state state_ref="oval:org.open-scap.cpe.rhel:ste:6"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.rhel:tst:7" version="1" check="at least one" comment="redhat-release is version 7"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.redhat-release:obj:3"/>
                  <state state_ref="oval:org.open-scap.cpe.rhel:ste:7"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.fedora:tst:16" version="1" check="at least one" comment="fedora-release is version Fedora 16"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.fedora-release:obj:2"/>
                  <state state_ref="oval:org.open-scap.cpe.fedora:ste:16"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.fedora:tst:17" version="1" check="at least one" comment="fedora-release is version Fedora 17"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.fedora-release:obj:2"/>
                  <state state_ref="oval:org.open-scap.cpe.fedora:ste:17"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.fedora:tst:18" version="1" check="at least one" comment="fedora-release is version Fedora 18"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.fedora-release:obj:2"/>
                  <state state_ref="oval:org.open-scap.cpe.fedora:ste:18"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.fedora:tst:19" version="1" check="at least one" comment="fedora-release is version Fedora 19"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.fedora-release:obj:2"/>
                  <state state_ref="oval:org.open-scap.cpe.fedora:ste:19"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.fedora:tst:20" version="1" check="at least one" comment="fedora-release is version Fedora 20"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.fedora-release:obj:2"/>
                  <state state_ref="oval:org.open-scap.cpe.fedora:ste:20"/>
            </rpminfo_test>
            <rpminfo_test check_existence="at_least_one_exists" id="oval:org.open-scap.cpe.fedora:tst:21" version="1" check="at least one" comment="fedora-release is version Fedora 21"
                  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <object object_ref="oval:org.open-scap.cpe.fedora-release:obj:2"/>
                  <state state_ref="oval:org.open-scap.cpe.fedora:ste:21"/>
            </rpminfo_test>
      </tests>
      <objects>
            <lin-def:rpminfo_object id="oval:org.open-scap.cpe.redhat-release:obj:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <lin-def:name>redhat-release</lin-def:name>
            </lin-def:rpminfo_object>
            <lin-def:rpminfo_object id="oval:org.open-scap.cpe.fedora-release:obj:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <lin-def:name>fedora-release</lin-def:name>
            </lin-def:rpminfo_object>
            <lin-def:rpmverifyfile_object id="oval:org.open-scap.cpe.redhat-release:obj:3" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <!-- Sadly, OVAL cannot do the right query (rpm -q -whatprovides system-release). Let's check the filename instead. -->
                  <behaviors nolinkto='true' nomd5='true' nosize='true' nouser='true' nogroup='true' nomtime='true' nomode='true' nordev='true' noconfigfiles='true' noghostfiles='true' />
                  <lin-def:name operation="pattern match"/>
                  <lin-def:epoch operation="pattern match"/>
                  <lin-def:version operation="pattern match"/>
                  <lin-def:release operation="pattern match"/>
                  <lin-def:arch operation="pattern match"/>
                  <lin-def:filepath>/etc/redhat-release</lin-def:filepath>
            </lin-def:rpmverifyfile_object>
            <family_object id="oval:org.open-scap.cpe.unix:obj:1" version="1"  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/>
      </objects>
      <states>
            <family_state id="oval:org.open-scap.cpe.unix:ste:1" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
                  <family>unix</family>
            </family_state>
            <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:2" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <name operation="pattern match">^(redhat|sl)-release</name>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:5" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <version operation="pattern match">^5[^\d]</version>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <name operation="pattern match">^(redhat|sl)-release</name>
                  <version operation="pattern match">^6[^\d]</version>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:7" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <name operation="pattern match">^(redhat|sl)-release</name>
                  <version operation="pattern match">^7[^\d]</version>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:16" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <version operation="pattern match">^16$</version>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:17" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <version operation="pattern match">^17$</version>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:18" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <version operation="pattern match">^18$</version>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:19" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <version operation="pattern match">^19$</version>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:20" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <version operation="pattern match">^20$</version>
            </rpminfo_state>
            <rpminfo_state id="oval:org.open-scap.cpe.fedora:ste:21" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
                  <version operation="pattern match">^21$</version>
            </rpminfo_state>
      </states>
</oval_definitions>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
      <cpe-item name="cpe:/o:redhat:enterprise_linux:6">
            <title xml:lang="en-us">Red Hat Enterprise Linux 6</title>
            <!-- the check references an OVAL file that contains an inventory definition -->
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="openscap-cpe-oval.xml">oval:org.open-scap.cpe.rhel:def:6</check>
      </cpe-item>
</cpe-list>
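The applicability check discussed in this thread, as an added example that is not part of the original messages or of OpenSCAP/SSG: it evaluates the rpminfo_state quoted in the first message against release-package facts and reports which entity makes a platform "not applicable". The package names and versions in SAMPLE_ITEMS are constructed assumptions, and the widened patterns are hypothetical edits, not the upstream commit.

```python
import re
import xml.etree.ElementTree as ET

# rpminfo_state as quoted in the first message of the thread.
STATE_XML = r"""
<rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1"
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <name operation="pattern match">^(redhat|sl)-release</name>
  <version operation="pattern match">^6[^\d]</version>
</rpminfo_state>
"""

# Constructed sample facts (assumptions, not scanner output). Confirm the
# real values on a host with:
#   rpm -qf /etc/redhat-release --qf '%{NAME} %{VERSION}\n'
SAMPLE_ITEMS = {
    "rhel6": {"name": "redhat-release-server", "version": "6Server"},
    "sl6": {"name": "sl-release", "version": "6.5"},
    "centos6": {"name": "centos-release", "version": "6"},
}


def parse_state(xml_text):
    """Return [(entity, operation, value), ...] for one OVAL state element."""
    root = ET.fromstring(xml_text)
    checks = []
    for child in root:
        entity = child.tag.split("}", 1)[-1]          # drop the {namespace} part
        operation = child.get("operation", "equals")  # OVAL's default operation
        checks.append((entity, operation, child.text or ""))
    return checks


def failing_entities(checks, item):
    """Names of the state entities the collected item does not satisfy."""
    failed = []
    for entity, operation, value in checks:
        actual = item.get(entity)
        if actual is None:
            ok = False
        elif operation == "pattern match":
            ok = re.search(value, actual) is not None  # unanchored unless ^/$ used
        elif operation == "equals":
            ok = actual == value
        else:
            raise ValueError("operation not handled in this sketch: " + operation)
        if not ok:
            failed.append(entity)
    return failed


# The state as posted, then two hypothetical edits for a centos-release package.
ORIGINAL = parse_state(STATE_XML)
NAME_WIDENED = parse_state(
    STATE_XML.replace("(redhat|sl)", "(redhat|sl|centos)"))
BOTH_WIDENED = parse_state(
    STATE_XML.replace("(redhat|sl)", "(redhat|sl|centos)")
             .replace(r"^6[^\d]", r"^6([^\d]|$)"))


def report():
    """Map (variant, host) to the list of failing entities."""
    variants = {"original": ORIGINAL, "name widened": NAME_WIDENED,
                "name+version widened": BOTH_WIDENED}
    return {(label, host): failing_entities(checks, item)
            for label, checks in variants.items()
            for host, item in SAMPLE_ITEMS.items()}


if __name__ == "__main__":
    for (label, host), failed in report().items():
        verdict = "applicable" if not failed else "not applicable: " + ", ".join(failed)
        print(f"{label:22} {host:8} {verdict}")
```

A state is satisfied only when every entity in it matches, so a release package whose version string is a bare "6" still fails `^6[^\d]` after the name alternation is widened.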