Has this always been the case that the CPE/Dictionary is needed for oscap execution? I ask because if this is a new feature, I will ping the SecState list about when they will be including the Dictionary as an argument to their program. Currently, secstate imports only an xccdf and will not work with the SSG v0.1-10....trying to resolve why this is.

Logan Rodrian

From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shawn Wells [shawn@redhat.com]
Sent: Thursday, March 07, 2013 11:05
To: scap-security-guide@lists.fedorahosted.org
Subject: EXT :Re: scap-security-guide 0.1-10 help

On 3/7/13 8:51 AM, Rodrian, Logan P (IS) wrote:

It appears that the full command is needed. The scan won't run without the cpe/dictionary reference. The minimal command needed is as follows:
oscap xccdf eval --profile <profile> \
--cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Ah, yes. The --cpe is *very* much needed as it provides some platform checks. The others (--report, etc) are optional.