[Spacewalk-list] Issues with oscap + SW v1.8

Mon, 26 Nov 2012 09:49:46 -0800 

I'm having issues trying to audit my hosts with openscap and spacewalk v1.8 
with the latest DISA STIGS for RHEL5. No matter what I try to do, the results 
of the audit commands I schedule via Spacewalk all return the tests as 
'notapplicable'.

Using latest DISA STIG for RHEL5:  u_redhat_5-v1r1_stig_benchmark.zip
(for testing purposes, the zip files was simply exploded under /root on my 
target test host)

On my target host:
[root@bob ~]# rpm -qa |grep scap
spacewalk-oscap-0.0.10-1.el5
openscap-utils-0.9.1-1.el5
openscap-0.9.1-1.el5

(I tried to use openscap v0.9.2, but it seems that it has issues with the STIG 
V1R1 XML code, whereas 0.9.1 runs without error, but I'm willing to try 0.9.2 
again.)

After scheduling an audit for my target host via the SW webGUI, and checking 
'rhn_check -vvv' output on the target host, I'm seeing the following executing 
on the target system:
    oscap xccdf eval  /root/U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml

I then ran the command by hand, and indeed, all tests do return a result of 
'notapplicable'.

When I try the recommended command line string from the OpenSCAP folks, per 
http://www.open-scap.org/page/Documentation#How_to_Evaluate_DISA_STIG.28RHEL5.29,
 I actually get real 'pass/fail' output for my target host:

    oscap xccdf eval --profile MAC-1_Public --cpe 
/root/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml 
/root/U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml

I then tried again without the '-profile MAC-1_Public' and I still got my 
'pass/fail' correctly. So it seems that the '-cpe' argument is required to make 
V1R1 work correctly.

I tried to add both the '-profile' and '-cpe' arguments to Spacewalk via the 
webgui, but after the audit was run, I noticed there was an error returned, it  
refuses the '-cpe':
   xccdf_eval: Following arguments forbidden: --cpe 
/root/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml

Am I using openscap incorrectly here, or should the '-cpe' arugement be 
allowed/required via the webGUI?

Thanks,
Chris.
--
Chris Snyder
SRA Senior Linux Geek
Energystar Network O+M Team
ESTAR Issues: https://estar18.energystar.gov/


_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list

Reply via email to