----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, April 22, 2014 8:00:39 PM Subject: Re: oscap & jboss on Fedora
Martin,
I was able to run xccdf and oscan after editing the eap5-xccdf.xml file. I did comment out all '<platform idref="cpe:/a:redhat..' lines (5 lines in total).
java -jar xccdfexec.jar -result bla.xml --report bla.html --profile eap5_full -c eap5-cpe-oval.xml -C eap5-cpe-dictionary.xl -P eap5_full
No idea what xccdfexec.jar is. Is it a wrapper around oscap? The arguments look familiar.
Did run and asked me a lot's of questions. The same questions as can be found in the JBossEAP5_Guide.html document. Based on my answers it generated a few xml files. But am I mistaken or doesn't xccdfexec cheeck anything?
Oscap did check some things by it self (by inspecting jboss xml files I supose). I run it with the following options:
oscap xccdf eval --results bla.xml --report bla.html --profile eap5-full -cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
It generated the bla.html file and most of the checks were done. Previously I did check the Jboss by hand and I think oscap is not very meticulous. Some checks did get the passed status and I'm sure it should have failed. Any comments on this/
We need more specifics, else I can't comment. Give us a particular rule that passed and shouldn't have. Post your xccdf result file, post your oval results.