I have a similar problem on AWS' AMI. OpenSCAP used to run fine, and a few weeks ago it just stopped working, all checks show up as 'not applicable.' Is there a way to force it to just recognize it as RHEL/CentOS 6?

Thanks,
Marcin

On Fri, Aug 15, 2014 at 1:46 PM, James Ford <james.t.f...@gmail.com> wrote:

> Shawn, thanks for the detailed explanation. Rather than faking the system
> into thinking it's running RHEL6, would it be possible to update the oval
> definitions to include CentOS as an applicable platform?
>
> On Fri, Aug 15, 2014 at 1:10 PM, Shawn Wells <sh...@redhat.com> wrote:
>
>> On 8/14/14, 5:25 PM, Jeremiah Jahn wrote:
>> > I'm using it for SL6. The problem is in openscap-cpe-oval.xml. The
>> > test for release is searching on RedHat only.
>> >
>> > I've changed mine to the following: notice the (redhat|sl) on the
>> > second line. You should be able to change it to whatever the
>> > centos-release rpm says. I can't remember right now if SSG is where I
>> > got the original xml file, or if it's the one from open-scap. It's
>> > very possible that you'll have to make sure that you'll have to alter
>> > the ssg-rhel6-cpe-dictionary.xml to point to your altered cpe-oval
>> > file. I've attached them just in case, but it took some tweaking.
>> >
>> > <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1"
>> >     xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
>> >   <name operation="pattern match">^(redhat|sl)-release</name>
>> >   <version operation="pattern match">^6[^\d]</version>
>> > </rpminfo_state>
>>
>> To illustrate how CPE works, as part of Greg's question....
>>
>> Step 1: In your OVAL check, you define which platforms the check is
>> written for. This is done by the <affected> stanzas, such as:
>>
>> > <affected family="unix">
>> >   <platform>Red Hat Enterprise Linux 6</platform>
>> > </affected>
>>
>> Step 2: When an SCAP interpreter parses each OVAL rule, it will parse
>> the <affected> tag above. For each <platform> listed, it will find the
>> associated <cpe-item> to find what <check> needs to be run. This will
>> tell the SCAP interpreter if the OVAL rule is applicable for the system
>> being scanned.
>>
>> For example, from SSG's CPE dictionary:
>>
>> > <cpe-item name="cpe:/o:redhat:enterprise_linux:6">
>> >   <title xml:lang="en-us">Red Hat Enterprise Linux 6</title>
>> >   <!-- the check references an OVAL file that contains an inventory definition -->
>> >   <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_OS_is_rhel6</check>
>> > </cpe-item>
>>
>> In this case, if the <platform> tag matches the cpe-item/title, then the
>> cpe-item/check will be run. In the case of "Red Hat Enterprise Linux 6"
>> the OVAL check "installed_OS_is_rhel6" will be run.
>>
>> The installed_OS_is_rhel6 OVAL check queries the system to see if the
>> redhat-release-{server workstation}-6 RPM is installed, for example:
>>
>> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/checks/installed_OS_is_rhel6.xml#L46#L55
>>
>> > <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
>> >     comment="redhat-release-server is version 6" id="test_rhel_server"
>> >     version="1">
>> >   <linux:object object_ref="obj_rhel_server" />
>> >   <linux:state state_ref="state_rhel_server" />
>> > </linux:rpminfo_test>
>> > <linux:rpminfo_state id="state_rhel_server" version="1">
>> >   <linux:version operation="pattern match">^6\.\d+$</linux:version>
>> > </linux:rpminfo_state>
>> > <linux:rpminfo_object id="obj_rhel_server" version="1">
>> >   <linux:name>redhat-release-server</linux:name>
>> > </linux:rpminfo_object>
>>
>> If the check passes, the SCAP interpreter knows the particular OVAL
>> rule is applicable to the system, executes the probes, and you get a
>> pass/fail result. If the installed_OS_is_rhel6 check fails, the OVAL
>> rule will be marked as "Not Applicable."
>>
>> For users running derivative operating systems (CentOS, Scientific...)
>> you can edit your CPE dictionary's regex like Jeremiah outlined. This
>> will "fake" the system into thinking it's running RHEL6 and allow the
>> check to be run.
>> --
>> SCAP Security Guide mailing list
>> scap-security-guide@lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>> https://github.com/OpenSCAP/scap-security-guide/
>
> --
> Sincerely,
>
> James
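
The applicability decision described in the thread, as an added example that is not part of the original messages or of OpenSCAP/SSG code: it evaluates an rpminfo_state the way the CPE inventory check does (simplified to "some installed package satisfies every entity") and shows why a derivative host ends up "not applicable". The stock and CentOS patterns and the host inventories are constructed assumptions; the constructed CentOS row shows that widening the name pattern is not enough when the release package's version string does not fit the version pattern.

```python
import re
import xml.etree.ElementTree as ET

# State as posted in the thread (Scientific Linux variant).
PATCHED_STATE = r"""
<rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1"
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <name operation="pattern match">^(redhat|sl)-release</name>
  <version operation="pattern match">^6[^\d]</version>
</rpminfo_state>
"""
# Assumption: a Red Hat-only name pattern, standing in for the unmodified file.
STOCK_STATE = PATCHED_STATE.replace("(redhat|sl)", "redhat")
# Hypothetical further edit that also names centos-release.
CENTOS_STATE = PATCHED_STATE.replace("(redhat|sl)", "(redhat|sl|centos)")

# Constructed inventories; names and version strings are sample values.
RHEL_HOST = [{"name": "redhat-release-server", "version": "6Server"}]
SL_HOST = [{"name": "sl-release", "version": "6.5"},
           {"name": "openssh-server", "version": "5.3p1"}]
CENTOS_HOST = [{"name": "centos-release", "version": "6"}]

def load_state(xml_text):
    """Return {entity: (operation, value)} for the children of an rpminfo_state."""
    root = ET.fromstring(xml_text.strip())
    return {child.tag.split("}", 1)[1]:
            (child.get("operation", "equals"), child.text or "")
            for child in root}

def entity_matches(operation, expected, actual):
    if operation == "pattern match":
        # OVAL patterns are unanchored unless the regex anchors itself.
        return re.search(expected, actual) is not None
    if operation == "equals":
        return expected == actual
    raise NotImplementedError(operation)

def applicable(state_xml, installed):
    """True if any installed package satisfies every entity in the state."""
    state = load_state(state_xml)
    return any(all(entity_matches(op, want, pkg.get(entity, ""))
                   for entity, (op, want) in state.items())
               for pkg in installed)

if __name__ == "__main__":
    hosts = (("rhel", RHEL_HOST), ("sl", SL_HOST), ("centos", CENTOS_HOST))
    for label, state in (("stock", STOCK_STATE), ("patched", PATCHED_STATE),
                         ("centos", CENTOS_STATE)):
        for host, pkgs in hosts:
            print(label, host, "applicable" if applicable(state, pkgs) else "not applicable")
```

On a real host, build the inventory from the installed release package's name and version fields before editing the dictionary, so both patterns are checked against what the system actually reports.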