I'm experiencing what Marcin has described as well. I would agree with the goal 
of creating an OVAL for CentOS as well. On a similar note, when I run the scan 
inside a Docker container "running" CentOS I get a complete scan. I'm all in 
with the goal of creating an OVAL for CentOS and Docker containers. 

Rodney Cobb 
roc...@gitmachines.com
@facetherathe
202-602-7077

> On Aug 15, 2014, at 1:48 PM, Marcin Pohl <marcinp...@gmail.com> wrote:
> 
> I have a similar problem on AWS' AMI.  OpenSCAP used to run fine, and a few 
> weeks ago it just stopped working, all checks show up as 'not applicable.'  
> Is there a way to force it to just recognize it as RHEL/CentOS 6?
> 
> Thanks,
> Marcin
> 
> 
>> On Fri, Aug 15, 2014 at 1:46 PM, James Ford <james.t.f...@gmail.com> wrote:
>> Shawn, thanks for the detailed explanation. Rather than faking the system 
>> into thinking it's running RHEL6, would it be possible to update the oval 
>> definitions to include CentOS as an applicable platform?
>>  
>> 
>> 
>>> On Fri, Aug 15, 2014 at 1:10 PM, Shawn Wells <sh...@redhat.com> wrote:
>>> On 8/14/14, 5:25 PM, Jeremiah Jahn wrote:
>>> > I'm using it for SL6. The problem is in openscap-cpe-oval.xml. The
>>> > test for release is searching on RedHat only.
>>> >
>>> > I've changed mine to the following: notice the (redhat|sl) on the
>>> > second line. You should be able to change it to whatever the
>>> > centos-release rpm says. I can't remember right now if SSG is where I
>>> > got the original xml file, or if it's the one from open-scap. It's
>>> > very possible that you'll have to alter the
>>> > ssg-rhel6-cpe-dictionary.xml to point to your altered cpe-oval
>>> > file. I've attached them just in case, but it took some tweaking.
>>> >
>>> > <rpminfo_state id="oval:org.open-scap.cpe.rhel:ste:6" version="1"
>>> > xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
>>> >                   <name operation="pattern 
>>> > match">^(redhat|sl)-release</name>
>>> >                   <version operation="pattern match">^6[^\d]</version>
>>> >             </rpminfo_state>
>>> 
>>> 
>>> To illustrate how CPE works, as part of Greg's question....
>>> 
>>> Step 1: In your OVAL check, you define which platforms the check is
>>> written for. This is done by the <affected> stanzas, such as:
>>> 
>>> >       <affected family="unix">
>>> >         <platform>Red Hat Enterprise Linux 6</platform>
>>> >       </affected>
>>> 
>>> 
>>> Step 2: When an SCAP interpreter parses each OVAL rule, it will parse
>>> the <affected> tag above. For each <platform> listed, it will find the
>>> associated <cpe-item> to find what <check> needs to be run. This will
>>> tell the SCAP interpreter if the OVAL rule is applicable for the system
>>> being scanned.
>>> 
>>> For example, from SSG's CPE dictionary:
>>> 
>>> >       <cpe-item name="cpe:/o:redhat:enterprise_linux:6">
>>> >             <title xml:lang="en-us">Red Hat Enterprise Linux 6</title>
>>> >             <!-- the check references an OVAL file that contains an 
>>> > inventory definition -->
>>> >             <check 
>>> > system="http://oval.mitre.org/XMLSchema/oval-definitions-5" 
>>> > href="filename">installed_OS_is_rhel6</check>
>>> >       </cpe-item>
>>> 
>>> In this case, if the <platform> tag matches the cpe-item/title, then the
>>> cpe-item/check will be run. In the case of "Red Hat Enterprise Linux 6"
>>> the OVAL check "installed_OS_is_rhel6" will be run.
>>> 
>>> The installed_OS_is_rhel6 OVAL check queries the system to see if the
>>> redhat-release-{server workstation}-6 RPM is installed, for example:
>>> 
>>> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/checks/installed_OS_is_rhel6.xml#L46#L55
>>> >   <linux:rpminfo_test check="all" check_existence="at_least_one_exists" 
>>> > comment="redhat-release-server is version 6" id="test_rhel_server" 
>>> > version="1">
>>> >     <linux:object object_ref="obj_rhel_server" />
>>> >     <linux:state state_ref="state_rhel_server" />
>>> >   </linux:rpminfo_test>
>>> >   <linux:rpminfo_state id="state_rhel_server" version="1">
>>> >     <linux:version operation="pattern match">^6\.\d+$</linux:version>
>>> >   </linux:rpminfo_state>
>>> >   <linux:rpminfo_object id="obj_rhel_server" version="1">
>>> >     <linux:name>redhat-release-server</linux:name>
>>> >   </linux:rpminfo_object>
>>> 
>>> 
>>> If the check passes, the SCAP interpreter knows the particular OVAL
>>> rule is applicable to the system, executes the probes, and you get a
>>> pass/fail result. If the installed_OS_is_rhel6 check fails, the OVAL
>>> rule will be marked as "Not Applicable."
>>> 
>>> 
>>> For users running derivative operating systems (CentOS, Scientific...)
>>> you can edit your CPE dictionary's regex like Jeremiah outlined. This
>>> will "fake" the system into thinking it's running RHEL6 and allow the
>>> check to be run.
>>> --
>>> SCAP Security Guide mailing list
>>> scap-security-guide@lists.fedorahosted.org
>>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>>> https://github.com/OpenSCAP/scap-security-guide/
>> 
>> 
>> 
>> -- 
>> Sincerely,
>> 
>> James
>> 
> 

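The resolution path Shawn walks through above (platform title, cpe-item, inventory OVAL, rpminfo_test) and Jeremiah's regex edit, as an added example that is not part of this thread and not SSG or OpenSCAP code: a small Python evaluator that models the rpminfo_test semantics for the two OVAL operations involved (equals and pattern match) over a constructed package list, then widens the inventory the way Jeremiah describes and re-evaluates. The CPE dictionary, the inventory OVAL, the href ssg-rhel6-cpe-oval.xml, the definition id installed_OS_is_rhel6 and the package names/versions are all assumptions made for the example, not what a real host or the real SSG files report.

```python
"""Toy CPE-applicability evaluator (added example, not SSG or OpenSCAP code). It walks the
path the thread describes: <platform> title -> cpe-item -> OVAL inventory definition ->
rpminfo_test, whose result decides whether rules run or come back "not applicable".
Every XML fragment, file name and package list below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET

NS = {
    "cpe": "http://cpe.mitre.org/dictionary/2.0",
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "linux": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux",
}

# Constructed CPE dictionary in the shape of the SSG snippet quoted above.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:redhat:enterprise_linux:6">
    <title xml:lang="en-us">Red Hat Enterprise Linux 6</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
           href="ssg-rhel6-cpe-oval.xml">installed_OS_is_rhel6</check>
  </cpe-item>
</cpe-list>"""

# Constructed inventory OVAL around the test/object/state quoted above (the definition
# id is an assumption; SSG's real definition uses a full oval: identifier).
INVENTORY_OVAL = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions><definition id="installed_OS_is_rhel6" class="inventory" version="1">
    <criteria operator="OR"><criterion test_ref="test_rhel_server"/></criteria>
  </definition></definitions>
  <tests><linux:rpminfo_test check="all" check_existence="at_least_one_exists"
      id="test_rhel_server" version="1">
    <linux:object object_ref="obj_rhel_server"/><linux:state state_ref="state_rhel_server"/>
  </linux:rpminfo_test></tests>
  <objects><linux:rpminfo_object id="obj_rhel_server" version="1">
    <linux:name>redhat-release-server</linux:name></linux:rpminfo_object></objects>
  <states><linux:rpminfo_state id="state_rhel_server" version="1">
    <linux:version operation="pattern match">^6\.\d+$</linux:version></linux:rpminfo_state></states>
</oval_definitions>"""

# Constructed package lists standing in for `rpm -qa --qf '%{NAME} %{VERSION}\n'` output.
RHEL6_HOST = [{"name": "redhat-release-server", "version": "6.5"}, {"name": "openscap", "version": "1.0.8"}]
CENTOS6_HOST = [{"name": "centos-release", "version": "6"}, {"name": "openscap", "version": "1.0.8"}]

def resolve_platform(cpe_dict_xml, platform_title):
    """Step 2: <platform> text -> cpe-item -> (OVAL file, inventory definition) to run."""
    for item in ET.fromstring(cpe_dict_xml).findall("cpe:cpe-item", NS):
        if item.findtext("cpe:title", namespaces=NS) == platform_title:
            check = item.find("cpe:check", NS)
            return check.get("href"), check.text
    return None  # no cpe-item for this platform, so nothing can be evaluated

def _entity_matches(entity, value):
    """One OVAL entity against one value: 'equals' (the default) or 'pattern match'."""
    if entity.get("operation", "equals") == "equals":
        return value == entity.text
    return re.search(entity.text, value) is not None  # operation="pattern match"

def _eval_rpminfo_test(test, root, installed):
    """rpminfo_test: collect packages the object selects, then compare each to the state."""
    obj = root.find(".//linux:rpminfo_object[@id='%s']" % test.find("linux:object", NS).get("object_ref"), NS)
    state = root.find(".//linux:rpminfo_state[@id='%s']" % test.find("linux:state", NS).get("state_ref"), NS)
    items = [pkg for pkg in installed if _entity_matches(obj.find("linux:name", NS), pkg["name"])]
    if not items:  # check_existence="at_least_one_exists": nothing collected means the test fails
        return False
    def in_state(pkg):  # every entity in the state (name, version, ...) must hold for the item
        return all(_entity_matches(ent, pkg[ent.tag.split("}")[1]]) for ent in state)
    return (all if test.get("check") == "all" else any)(in_state(pkg) for pkg in items)

def is_applicable(inventory_xml, definition_id, installed):
    """True: the interpreter runs the rules.  False: every rule reports 'not applicable'."""
    root = ET.fromstring(inventory_xml)
    criteria = root.find(".//oval:definition[@id='%s']/oval:criteria" % definition_id, NS)
    results = [_eval_rpminfo_test(root.find(".//linux:rpminfo_test[@id='%s']" % c.get("test_ref"), NS),
                                  root, installed) for c in criteria.findall("oval:criterion", NS)]
    return all(results) if criteria.get("operator", "AND") == "AND" else any(results)

def widen_inventory(inventory_xml, name_regex, version_regex):
    """Jeremiah's edit done in code: make the object's <name> a pattern match and swap the
    state's version pattern, so a derivative's *-release RPM also satisfies the check."""
    root = ET.fromstring(inventory_xml)
    name = root.find(".//linux:rpminfo_object/linux:name", NS)
    name.set("operation", "pattern match")
    name.text = name_regex
    root.find(".//linux:rpminfo_state/linux:version", NS).text = version_regex
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    href, def_id = resolve_platform(CPE_DICT, "Red Hat Enterprise Linux 6")
    print("RHEL 6 host:   ", is_applicable(INVENTORY_OVAL, def_id, RHEL6_HOST))    # True
    print("CentOS 6 host: ", is_applicable(INVENTORY_OVAL, def_id, CENTOS6_HOST))  # False -> 'not applicable'
    widened = widen_inventory(INVENTORY_OVAL, r"^(redhat-release-server|centos-release)$", r"^6(\.\d+)?$")
    print("CentOS 6, widened inventory:", is_applicable(widened, def_id, CENTOS6_HOST))  # True
```

Two practical notes. First, take the name and version for the regex from the real RPM rather than guessing (`rpm -q centos-release --qf '%{NAME} %{VERSION}\n'`), since the version string the state matches is whatever that package carries, and the patterns in the example are assumptions. Second, widening the inventory only changes the applicability decision: it makes the interpreter run the RHEL 6 rules on the derivative, exactly the "fake it" effect Shawn describes, and does nothing to make rules that depend on RHEL-only package names or paths correct for CentOS or SL, so review any rule that starts failing after the change before treating it as a finding.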