I use openscap-1.2.8 and scap-security-guide 0.1.28 with centos 7 x64 but I get 57 errors, for example:
oval:ssg-umask_for_daemons:def:1 Set Daemon umask oval:ssg-selinux_state:def:1 SELinux Enforcing oval:ssg-selinux_policytype:def:1 Enable SELinux oval:ssg-accounts_maximum_age_login_defs:def:1 Set Password Expiration Parameters
The problem remains in other versions of scap-security-guide
The command:
oscap oval eval --report oval.html ssg-centos7-ds.xml
This is the an excerpt of oval result with option --verbose-log-file filedevel.log --verbose DEVEL:
I: oscap: Evaluating definition 'oval:ssg-selinux_state:def:1': SELinux Enforcing. [oscap(18298):oscap(7fa845de9840):oval_agent.c:171:oval_agent_eval_definition] I: oscap: Querying textfilecontent54 object 'oval:ssg-object_etc_selinux_config:obj:1', flags: 0. [oscap(18298):oscap(7fa845de9840):oval_probe.c:246:oval_probe_query_object] I: oscap: Creating new syschar for textfilecontent54_object 'oval:ssg-object_etc_selinux_config:obj:1'. [oscap(18298):oscap(7fa845de9840):oval_probe.c:269:oval_probe_query_object] I: oscap: Sending message. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:493:oval_probe_comm] D: oscap: MSG -> SEXP [oscap(18298):oscap(7fa845de9840):seap-packet.c:261:SEAP_packet_msg2sexp] D: oscap: ("seap.msg" ":id" 117 (("textfilecontent54_object" ":id" "oval:ssg-object_etc_selinux_config:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/etc/selinux/config" ) (("pattern" ":operation" 11 ":var_check" 1 ) "^[\s]SELINUX[\s]=[\s](.)[\s]*$" ) (("instance" ":operation" 5 ":var_check" 1 ) 1 ) ) ) [oscap(18298):oscap(7fa845de9840):seap-packet.c:262:SEAP_packet_msg2sexp] D: oscap: packet size: 1953 [oscap(18298):oscap(7fa845de9840):seap-packet.c:263:SEAP_packet_msg2sexp] D: oscap: total I/O vectors = 1 [oscap(18298):oscap(7fa845de9840):strbuf.c:294:strbuf_write] D: oscap: iot (1) < IOV_MAX (1024) [oscap(18298):oscap(7fa845de9840):strbuf.c:305:strbuf_write] D: oscap: ioc = 1 [oscap(18298):oscap(7fa845de9840):strbuf.c:321:strbuf_write] D: oscap: total bytes written: 359 [oscap(18298):oscap(7fa845de9840):strbuf.c:338:strbuf_write] I: oscap: Waiting for reply. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:552:oval_probe_comm]
D: probe_textfilecontent54: offline_mode=00000000 [probe_textfilecontent54(18309):input_handler(7fd2da7e0700):input_handler.c:114:probe_input_handler] D: probe_textfilecontent54: offline_mode_supported=00000001 [probe_textfilecontent54(18309):input_handler(7fd2da7e0700):input_handler.c:115:probe_input_handler] I: probe_textfilecontent54: handling SEAP message ID 117 [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:51:probe_worker_runfn] D: probe_textfilecontent54: Extracting item from the cache queue: cnt=1, beg=150 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:121:probe_icache_worker] D: probe_textfilecontent54: Signaling notfull' [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:148:probe_icache_worker] D: probe_textfilecontent54: Handling cache request [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:172:probe_icache_worker] D: probe_textfilecontent54: item ID=4264826240546045233 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:178:probe_icache_worker] D: probe_textfilecontent54: cache MISS [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:227:probe_icache_worker] D: probe_textfilecontent54: NOP [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:386:probe_icache_nop] D: probe_textfilecontent54: Signalingnotempty' [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:411:probe_icache_nop] D: probe_textfilecontent54: Waiting for icache worker to handle the NOP [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:421:probe_icache_nop] D: probe_textfilecontent54: Extracting item from the cache queue: cnt=1, beg=151 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:121:probe_icache_worker] D: probe_textfilecontent54: Signaling `notfull' [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:148:probe_icache_worker] D: probe_textfilecontent54: Handling NOP [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:162:probe_icache_worker] D: probe_textfilecontent54: Sync [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:429:probe_icache_nop] I: probe_textfilecontent54: handler result = 0x7fd2cc0191b0, return code = 0 [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:56:probe_worker_runfn] I: probe_textfilecontent54: probe thread deleted [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:75:probe_worker_runfn] D: oscap: return from select [oscap(18298):oscap(7fa845de9840):seap-packet.c:637:SEAP_packet_recv] I: oscap: Received packet [oscap(18298):oscap(7fa845de9840):seap-packet.c:903:SEAP_packet_recv] D: oscap: ("seap.msg" ":id" 117 ":reply-id" 117 (2 () ((("textfilecontent_item" ":id" "11830934" ) ("filepath" "/etc/selinux/config" ) ("path" "/etc/selinux" ) ("filename" "config" ) ("pattern" "^[\s]SELINUX[\s]=[\s](.)[\s]$" ) ("instance" 1 ) ("line" "^[\s]SELINUX[\s]=[\s](.)[\s]$" ) ("text" "SELINUX= #permissive" ) ("subexpression" "#permissive" ) ) ) () ) ) [oscap(18298):oscap(7fa845de9840):seap-packet.c:904:SEAP_packet_recv] I: oscap: packet size: 1913 [oscap(18298):oscap(7fa845de9840):seap-packet.c:905:SEAP_packet_recv] I: oscap: Message received. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:586:oval_probe_comm] D: oscap: name=(null), value=0x7fa847f462f0 [oscap(18298):oscap(7fa845de9840):seap-message.c:76:SEAP_msg_free] D: oscap: Syschar entry type: 7007 'textfilecontent' => decoded OK [oscap(18298):oscap(7fa845de9840):oval_sexp.c:952:oval_sexp_to_sysitem] I: oscap: State 'oval:ssg-state_etc_selinux_config:ste:1' references external_variable 'oval:ssg-var_selinux_state:var:1'. [oscap(18298):oscap(7fa845de9840):oval_probe.c:398:oval_probe_query_criteria] I: oscap: oval:ssg-test_etc_selinux_config:tst:1 => error [oscap(18298):oscap(7fa845de9840):oval_resultTest.c:994:oval_result_test_eval]
Thanks in advance!!!!
On 1/27/16 2:17 PM, Ing. Adrian Hernández Yeja wrote:
I use openscap-1.2.8 and scap-security-guide 0.1.28 with centos 7 x64 but I get 57 errors, for example:
oval:ssg-umask_for_daemons:def:1 Set Daemon umask oval:ssg-selinux_state:def:1 SELinux Enforcing oval:ssg-selinux_policytype:def:1 Enable SELinux oval:ssg-accounts_maximum_age_login_defs:def:1 Set Password Expiration Parameters
The problem remains in other versions of scap-security-guide
The command:
oscap oval eval --report oval.html ssg-centos7-ds.xml
This is the an excerpt of oval result with option --verbose-log-file filedevel.log --verbose DEVEL:
I: oscap: Evaluating definition 'oval:ssg-selinux_state:def:1': SELinux Enforcing. [oscap(18298):oscap(7fa845de9840):oval_agent.c:171:oval_agent_eval_definition] I: oscap: Querying textfilecontent54 object 'oval:ssg-object_etc_selinux_config:obj:1', flags: 0. [oscap(18298):oscap(7fa845de9840):oval_probe.c:246:oval_probe_query_object] I: oscap: Creating new syschar for textfilecontent54_object 'oval:ssg-object_etc_selinux_config:obj:1'. [oscap(18298):oscap(7fa845de9840):oval_probe.c:269:oval_probe_query_object] I: oscap: Sending message. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:493:oval_probe_comm] D: oscap: MSG -> SEXP [oscap(18298):oscap(7fa845de9840):seap-packet.c:261:SEAP_packet_msg2sexp] D: oscap: ("seap.msg" ":id" 117 (("textfilecontent54_object" ":id" "oval:ssg-object_etc_selinux_config:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/etc/selinux/config" ) (("pattern" ":operation" 11 ":var_check" 1 ) "^[\s]SELINUX[\s]=[\s](.)[\s]*$" ) (("instance" ":operation" 5 ":var_check" 1 ) 1 ) ) ) [oscap(18298):oscap(7fa845de9840):seap-packet.c:262:SEAP_packet_msg2sexp] D: oscap: packet size: 1953 [oscap(18298):oscap(7fa845de9840):seap-packet.c:263:SEAP_packet_msg2sexp] D: oscap: total I/O vectors = 1 [oscap(18298):oscap(7fa845de9840):strbuf.c:294:strbuf_write] D: oscap: iot (1) < IOV_MAX (1024) [oscap(18298):oscap(7fa845de9840):strbuf.c:305:strbuf_write] D: oscap: ioc = 1 [oscap(18298):oscap(7fa845de9840):strbuf.c:321:strbuf_write] D: oscap: total bytes written: 359 [oscap(18298):oscap(7fa845de9840):strbuf.c:338:strbuf_write] I: oscap: Waiting for reply. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:552:oval_probe_comm]
D: probe_textfilecontent54: offline_mode=00000000 [probe_textfilecontent54(18309):input_handler(7fd2da7e0700):input_handler.c:114:probe_input_handler] D: probe_textfilecontent54: offline_mode_supported=00000001 [probe_textfilecontent54(18309):input_handler(7fd2da7e0700):input_handler.c:115:probe_input_handler] I: probe_textfilecontent54: handling SEAP message ID 117 [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:51:probe_worker_runfn] D: probe_textfilecontent54: Extracting item from the cache queue: cnt=1, beg=150 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:121:probe_icache_worker] D: probe_textfilecontent54: Signaling notfull' [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:148:probe_icache_worker] D: probe_textfilecontent54: Handling cache request [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:172:probe_icache_worker] D: probe_textfilecontent54: item ID=4264826240546045233 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:178:probe_icache_worker] D: probe_textfilecontent54: cache MISS [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:227:probe_icache_worker] D: probe_textfilecontent54: NOP [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:386:probe_icache_nop] D: probe_textfilecontent54: Signalingnotempty' [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:411:probe_icache_nop] D: probe_textfilecontent54: Waiting for icache worker to handle the NOP [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:421:probe_icache_nop] D: probe_textfilecontent54: Extracting item from the cache queue: cnt=1, beg=151 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:121:probe_icache_worker] D: probe_textfilecontent54: Signaling `notfull' [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:148:probe_icache_worker] D: probe_textfilecontent54: Handling NOP [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:162:probe_icache_worker] D: probe_textfilecontent54: Sync [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:429:probe_icache_nop] I: probe_textfilecontent54: handler result = 0x7fd2cc0191b0, return code = 0 [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:56:probe_worker_runfn] I: probe_textfilecontent54: probe thread deleted [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:75:probe_worker_runfn] D: oscap: return from select [oscap(18298):oscap(7fa845de9840):seap-packet.c:637:SEAP_packet_recv] I: oscap: Received packet [oscap(18298):oscap(7fa845de9840):seap-packet.c:903:SEAP_packet_recv] D: oscap: ("seap.msg" ":id" 117 ":reply-id" 117 (2 () ((("textfilecontent_item" ":id" "11830934" ) ("filepath" "/etc/selinux/config" ) ("path" "/etc/selinux" ) ("filename" "config" ) ("pattern" "^[\s]SELINUX[\s]=[\s](.)[\s]$" ) ("instance" 1 ) ("line" "^[\s]SELINUX[\s]=[\s](.)[\s]$" ) ("text" "SELINUX= #permissive" ) ("subexpression" "#permissive" ) ) ) () ) ) [oscap(18298):oscap(7fa845de9840):seap-packet.c:904:SEAP_packet_recv] I: oscap: packet size: 1913 [oscap(18298):oscap(7fa845de9840):seap-packet.c:905:SEAP_packet_recv] I: oscap: Message received. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:586:oval_probe_comm] D: oscap: name=(null), value=0x7fa847f462f0 [oscap(18298):oscap(7fa845de9840):seap-message.c:76:SEAP_msg_free] D: oscap: Syschar entry type: 7007 'textfilecontent' => decoded OK [oscap(18298):oscap(7fa845de9840):oval_sexp.c:952:oval_sexp_to_sysitem] I: oscap: State 'oval:ssg-state_etc_selinux_config:ste:1' references external_variable 'oval:ssg-var_selinux_state:var:1'. [oscap(18298):oscap(7fa845de9840):oval_probe.c:398:oval_probe_query_criteria] I: oscap: oval:ssg-test_etc_selinux_config:tst:1 => error [oscap(18298):oscap(7fa845de9840):oval_resultTest.c:994:oval_result_test_eval]
Thanks in advance!!!!
SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorah... https://github.com/OpenSCAP/scap-security-guide/
Many checks require root privileges to properly scan your system. I get the same when running as a non-privileged user: $ oscap oval eval --report /tmp/oval.html ssg-rhel7-ds.xml |grep error|wc -l 54
However, when running as root: $ sudo oscap oval eval --report /tmp/oval.html ssg-rhel7-ds.xml |grep error|wc -l 46
Additionally, many of the OVAL checks are using variables passed in by the XCCDF. Try using a specific profile:
$ oscap info ssg-centos7-ds.xml .... Checklists: Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml Profiles: xccdf_org.ssgproject.content_profile_standard xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_C2S xccdf_org.ssgproject.content_profile_rht-ccp xccdf_org.ssgproject.content_profile_common xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream xccdf_org.ssgproject.content_profile_ospp-rhel7-server
$ sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp-rhel7-server --report /tmp/report.html ssg-centos7-ds.xml
Oh thanks!!! My problem is fixed
I put:
$ sudo oscap xccdf eval --oval-results --profile xccdf_org.ssgproject.content_profile_ospp-rhel7-server --report /tmp/report.html ssg-centos7-ds.xml
and I generated the oval report:
$ sudo oscap oval generate report --output /tmp/oval_report.html ssg-rhel7-oval.xml.result.xml
The result is 0 errors.
Thanks.
----- Mensaje original ----- De: "Shawn Wells" swells@redhat.com Para: scap-security-guide@lists.fedorahosted.org Enviados: Miércoles, 27 de Enero 2016 14:30:41 Asunto: [MASSMAIL]Re: problem with scap-security-guide 0.1.28 and Centos
On 1/27/16 2:17 PM, Ing. Adrian Hernández Yeja wrote:
I use openscap-1.2.8 and scap-security-guide 0.1.28 with centos 7 x64 but I get 57 errors, for example:
oval:ssg-umask_for_daemons:def:1 Set Daemon umask oval:ssg-selinux_state:def:1 SELinux Enforcing oval:ssg-selinux_policytype:def:1 Enable SELinux oval:ssg-accounts_maximum_age_login_defs:def:1 Set Password Expiration Parameters
The problem remains in other versions of scap-security-guide
The command:
oscap oval eval --report oval.html ssg-centos7-ds.xml
This is the an excerpt of oval result with option --verbose-log-file filedevel.log --verbose DEVEL:
I: oscap: Evaluating definition 'oval:ssg-selinux_state:def:1': SELinux Enforcing. [oscap(18298):oscap(7fa845de9840):oval_agent.c:171:oval_agent_eval_definition] I: oscap: Querying textfilecontent54 object 'oval:ssg-object_etc_selinux_config:obj:1', flags: 0. [oscap(18298):oscap(7fa845de9840):oval_probe.c:246:oval_probe_query_object] I: oscap: Creating new syschar for textfilecontent54_object 'oval:ssg-object_etc_selinux_config:obj:1'. [oscap(18298):oscap(7fa845de9840):oval_probe.c:269:oval_probe_query_object] I: oscap: Sending message. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:493:oval_probe_comm] D: oscap: MSG -> SEXP [oscap(18298):oscap(7fa845de9840):seap-packet.c:261:SEAP_packet_msg2sexp] D: oscap: ("seap.msg" ":id" 117 (("textfilecontent54_object" ":id" "oval:ssg-object_etc_selinux_config:obj:1" ":oval_version" "5.11" ) (("filepath" ":operation" 5 ":var_check" 1 ) "/etc/selinux/config" ) (("pattern" ":operation" 11 ":var_check" 1 ) "^[\s]SELINUX[\s]=[\s](.)[\s]*$" ) (("instance" ":operation" 5 ":var_check" 1 ) 1 ) ) ) [oscap(18298):oscap(7fa845de9840):seap-packet.c:262:SEAP_packet_msg2sexp] D: oscap: packet size: 1953 [oscap(18298):oscap(7fa845de9840):seap-packet.c:263:SEAP_packet_msg2sexp] D: oscap: total I/O vectors = 1 [oscap(18298):oscap(7fa845de9840):strbuf.c:294:strbuf_write] D: oscap: iot (1) < IOV_MAX (1024) [oscap(18298):oscap(7fa845de9840):strbuf.c:305:strbuf_write] D: oscap: ioc = 1 [oscap(18298):oscap(7fa845de9840):strbuf.c:321:strbuf_write] D: oscap: total bytes written: 359 [oscap(18298):oscap(7fa845de9840):strbuf.c:338:strbuf_write] I: oscap: Waiting for reply. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:552:oval_probe_comm]
D: probe_textfilecontent54: offline_mode=00000000 [probe_textfilecontent54(18309):input_handler(7fd2da7e0700):input_handler.c:114:probe_input_handler] D: probe_textfilecontent54: offline_mode_supported=00000001 [probe_textfilecontent54(18309):input_handler(7fd2da7e0700):input_handler.c:115:probe_input_handler] I: probe_textfilecontent54: handling SEAP message ID 117 [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:51:probe_worker_runfn] D: probe_textfilecontent54: Extracting item from the cache queue: cnt=1, beg=150 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:121:probe_icache_worker] D: probe_textfilecontent54: Signaling notfull' [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:148:probe_icache_worker] D: probe_textfilecontent54: Handling cache request [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:172:probe_icache_worker] D: probe_textfilecontent54: item ID=4264826240546045233 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:178:probe_icache_worker] D: probe_textfilecontent54: cache MISS [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:227:probe_icache_worker] D: probe_textfilecontent54: NOP [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:386:probe_icache_nop] D: probe_textfilecontent54: Signalingnotempty' [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:411:probe_icache_nop] D: probe_textfilecontent54: Waiting for icache worker to handle the NOP [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:421:probe_icache_nop] D: probe_textfilecontent54: Extracting item from the cache queue: cnt=1, beg=151 [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:121:probe_icache_worker] D: probe_textfilecontent54: Signaling `notfull' [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:148:probe_icache_worker] D: probe_textfilecontent54: Handling NOP [probe_textfilecontent54(18309):icache_worker(7fd2db7e2700):icache.c:162:probe_icache_worker] D: probe_textfilecontent54: Sync [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):icache.c:429:probe_icache_nop] I: probe_textfilecontent54: handler result = 0x7fd2cc0191b0, return code = 0 [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:56:probe_worker_runfn] I: probe_textfilecontent54: probe thread deleted [probe_textfilecontent54(18309):probe_worker(7fd2d9fdf700):worker.c:75:probe_worker_runfn] D: oscap: return from select [oscap(18298):oscap(7fa845de9840):seap-packet.c:637:SEAP_packet_recv] I: oscap: Received packet [oscap(18298):oscap(7fa845de9840):seap-packet.c:903:SEAP_packet_recv] D: oscap: ("seap.msg" ":id" 117 ":reply-id" 117 (2 () ((("textfilecontent_item" ":id" "11830934" ) ("filepath" "/etc/selinux/config" ) ("path" "/etc/selinux" ) ("filename" "config" ) ("pattern" "^[\s]SELINUX[\s]=[\s](.)[\s]$" ) ("instance" 1 ) ("line" "^[\s]SELINUX[\s]=[\s](.)[\s]$" ) ("text" "SELINUX= #permissive" ) ("subexpression" "#permissive" ) ) ) () ) ) [oscap(18298):oscap(7fa845de9840):seap-packet.c:904:SEAP_packet_recv] I: oscap: packet size: 1913 [oscap(18298):oscap(7fa845de9840):seap-packet.c:905:SEAP_packet_recv] I: oscap: Message received. [oscap(18298):oscap(7fa845de9840):oval_probe_ext.c:586:oval_probe_comm] D: oscap: name=(null), value=0x7fa847f462f0 [oscap(18298):oscap(7fa845de9840):seap-message.c:76:SEAP_msg_free] D: oscap: Syschar entry type: 7007 'textfilecontent' => decoded OK [oscap(18298):oscap(7fa845de9840):oval_sexp.c:952:oval_sexp_to_sysitem] I: oscap: State 'oval:ssg-state_etc_selinux_config:ste:1' references external_variable 'oval:ssg-var_selinux_state:var:1'. [oscap(18298):oscap(7fa845de9840):oval_probe.c:398:oval_probe_query_criteria] I: oscap: oval:ssg-test_etc_selinux_config:tst:1 => error [oscap(18298):oscap(7fa845de9840):oval_resultTest.c:994:oval_result_test_eval]
Thanks in advance!!!!
SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorah... https://github.com/OpenSCAP/scap-security-guide/
Many checks require root privileges to properly scan your system. I get the same when running as a non-privileged user: $ oscap oval eval --report /tmp/oval.html ssg-rhel7-ds.xml |grep error|wc -l 54
However, when running as root: $ sudo oscap oval eval --report /tmp/oval.html ssg-rhel7-ds.xml |grep error|wc -l 46
Additionally, many of the OVAL checks are using variables passed in by the XCCDF. Try using a specific profile:
$ oscap info ssg-centos7-ds.xml .... Checklists: Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml Profiles: xccdf_org.ssgproject.content_profile_standard xccdf_org.ssgproject.content_profile_pci-dss xccdf_org.ssgproject.content_profile_C2S xccdf_org.ssgproject.content_profile_rht-ccp xccdf_org.ssgproject.content_profile_common xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream xccdf_org.ssgproject.content_profile_ospp-rhel7-server
$ sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp-rhel7-server --report /tmp/report.html ssg-centos7-ds.xml
scap-security-guide@lists.fedorahosted.org