On 03/07/2013 08:21 PM, Rodrian, Logan P (IS) wrote:
Has this always been the case that the CPE/Dictionary is needed for oscap execution?
No.
The CPE dictionary is needed only by openscap-0.9.1 and openscap-0.9.2.
Since 0.9.3, the openscap has a build-in CPE dictionary, thus for the most common cases --cpe option shall not be needed.
I ask because if this is a new feature, I will pingthe SecState list about when they will be including the Dictionary as an argument to their program. Currently, secstate imports only an xccdf and will not work with the SSG v0.1-10....trying to resolve why this is.
Logan Rodrian
*From:* scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shawn Wells [shawn@redhat.com] *Sent:* Thursday, March 07, 2013 11:05 *To:* scap-security-guide@lists.fedorahosted.org *Subject:* EXT :Re: scap-security-guide 0.1-10 help
On 3/7/13 8:51 AM, Rodrian, Logan P (IS) wrote:
It appears that the full command is needed. The scan won't run without the cpe/dictionary reference. The minimal command needed is as follows: oscap xccdf eval --profile <profile> \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Ah, yes. The --cpe is *very* much needed as it provides some platform checks. The others (--report, etc) are optional.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide