Hi,
I'n new to oscap/xccdf and am trying unleash it on a Jboss 5 installation (Jboss EAP 5 (5.1.2)). The original jboss installation runs on a RedHat 6 server but I'm not allowed to install software on that server. I've copied the Jboss installation on a Fedora server and when I try to use xccdf I get the following error: !! The target checklist is not applicable to this platform. aborting.... I'm not sure if it's refering to Fedora or Jboss. Any ideas? The when I try oscap oscap xccdf evel --results bla.xml --report bla.html --profile eap5_full --cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
I get lot's of "not applicable" messages and the bla.html contains no meaningfull information.
I'm trying to run oscap/xccdf on fedora because it's the only Linux distro where I was able to yum install all necessary rpm's. All other distro's gave me problems when dependent rpm's like xerces where needed.
I hope you can give some ideas.
regards,
Ivan
Ivan,
The JBoss content within SSG is meant for JBoss EAP 5, and running on Red Hat Enterprise Linux 6. A JBoss installation on any other platform, including Fedora, will certainly run into a number of issues - including non-applicability messages.
Dave
On Sun, Apr 20, 2014 at 7:51 AM, Ivan Saez Scheihing < saezscheihing@gmail.com> wrote:
Hi,
I'n new to oscap/xccdf and am trying unleash it on a Jboss 5 installation (Jboss EAP 5 (5.1.2)). The original jboss installation runs on a RedHat 6 server but I'm not allowed to install software on that server. I've copied the Jboss installation on a Fedora server and when I try to use xccdf I get the following error: !! The target checklist is not applicable to this platform. aborting.... I'm not sure if it's refering to Fedora or Jboss. Any ideas? The when I try oscap oscap xccdf evel --results bla.xml --report bla.html --profile eap5_full --cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
I get lot's of "not applicable" messages and the bla.html contains no meaningfull information.
I'm trying to run oscap/xccdf on fedora because it's the only Linux distro where I was able to yum install all necessary rpm's. All other distro's gave me problems when dependent rpm's like xerces where needed.
I hope you can give some ideas.
regards,
Ivan
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "CAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Sunday, April 20, 2014 1:51:59 PM Subject: oscap & jboss on Fedora
Hi,
I'n new to oscap/xccdf and am trying unleash it on a Jboss 5 installation (Jboss EAP 5 (5.1.2)). The original jboss installation runs on a RedHat 6 server but I'm not allowed to install software on that server. I've copied the Jboss installation on a Fedora server and when I try to use xccdf I get the following error: !! The target checklist is not applicable to this platform. aborting.... I'm not sure if it's refering to Fedora or Jboss. Any ideas? The when I try oscap oscap xccdf evel --results bla.xml --report bla.html --profile eap5_full --cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
I get lot's of "not applicable" messages and the bla.html contains no meaningfull information.
If you insist on running it on this platform combination you need to remove all the <platform>..</platform> elements from the XCCDF.
Martin,
Okay. thanks. I'll give it a try and let you know if it works.
regards,
Ivan
On Tue, Apr 22, 2014 at 12:30 PM, Martin Preisler mpreisle@redhat.comwrote:
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "CAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Sunday, April 20, 2014 1:51:59 PM Subject: oscap & jboss on Fedora
Hi,
I'n new to oscap/xccdf and am trying unleash it on a Jboss 5 installation (Jboss EAP 5 (5.1.2)). The original jboss installation runs on a RedHat 6 server but I'm not allowed to install software on that server. I've
copied
the Jboss installation on a Fedora server and when I try to use xccdf I
get
the following error: !! The target checklist is not applicable to this platform. aborting.... I'm not sure if it's refering to Fedora or Jboss. Any ideas? The when I try oscap oscap xccdf evel --results bla.xml --report bla.html --profile eap5_full --cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
I get lot's of "not applicable" messages and the bla.html contains no meaningfull information.
If you insist on running it on this platform combination you need to remove all the <platform>..</platform> elements from the XCCDF.
-- Martin Preisler _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Martin,
I was able to run xccdf and oscan after editing the eap5-xccdf.xml file. I did comment out all '<platform idref="cpe:/a:redhat..' lines (5 lines in total).
java -jar xccdfexec.jar -result bla.xml --report bla.html --profile eap5_full -c eap5-cpe-oval.xml -C eap5-cpe-dictionary.xl -P eap5_full
Did run and asked me a lot's of questions. The same questions as can be found in the JBossEAP5_Guide.html document. Based on my answers it generated a few xml files. But am I mistaken or doesn't xccdfexec cheeck anything?
Oscap did check some things by it self (by inspecting jboss xml files I supose). I run it with the following options:
oscap xccdf eval --results bla.xml --report bla.html --profile eap5-full -cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
It generated the bla.html file and most of the checks were done. Previously I did check the Jboss by hand and I think oscap is not very meticulous. Some checks did get the passed status and I'm sure it should have failed. Any comments on this/
I'm very unexperienced with xccdfexec and oscan and maybe I'm not using these tools correctly.
regards,
Ivan
On Tue, Apr 22, 2014 at 12:32 PM, Ivan Saez Scheihing < saezscheihing@gmail.com> wrote:
Martin,
Okay. thanks. I'll give it a try and let you know if it works.
regards,
Ivan
On Tue, Apr 22, 2014 at 12:30 PM, Martin Preisler mpreisle@redhat.comwrote:
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "CAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Sunday, April 20, 2014 1:51:59 PM Subject: oscap & jboss on Fedora
Hi,
I'n new to oscap/xccdf and am trying unleash it on a Jboss 5
installation
(Jboss EAP 5 (5.1.2)). The original jboss installation runs on a RedHat
6
server but I'm not allowed to install software on that server. I've
copied
the Jboss installation on a Fedora server and when I try to use xccdf I
get
the following error: !! The target checklist is not applicable to this platform. aborting.... I'm not sure if it's refering to Fedora or Jboss. Any ideas? The when I try oscap oscap xccdf evel --results bla.xml --report bla.html --profile eap5_full --cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
I get lot's of "not applicable" messages and the bla.html contains no meaningfull information.
If you insist on running it on this platform combination you need to remove all the <platform>..</platform> elements from the XCCDF.
-- Martin Preisler _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, April 22, 2014 8:00:39 PM Subject: Re: oscap & jboss on Fedora
Martin,
I was able to run xccdf and oscan after editing the eap5-xccdf.xml file. I did comment out all '<platform idref="cpe:/a:redhat..' lines (5 lines in total).
java -jar xccdfexec.jar -result bla.xml --report bla.html --profile eap5_full -c eap5-cpe-oval.xml -C eap5-cpe-dictionary.xl -P eap5_full
No idea what xccdfexec.jar is. Is it a wrapper around oscap? The arguments look familiar.
Did run and asked me a lot's of questions. The same questions as can be found in the JBossEAP5_Guide.html document. Based on my answers it generated a few xml files. But am I mistaken or doesn't xccdfexec cheeck anything?
Oscap did check some things by it self (by inspecting jboss xml files I supose). I run it with the following options:
oscap xccdf eval --results bla.xml --report bla.html --profile eap5-full -cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
It generated the bla.html file and most of the checks were done. Previously I did check the Jboss by hand and I think oscap is not very meticulous. Some checks did get the passed status and I'm sure it should have failed. Any comments on this/
We need more specifics, else I can't comment. Give us a particular rule that passed and shouldn't have. Post your xccdf result file, post your oval results.
Martin,
Thank you for your answer. See attachment for xccdf result file. If you look at the rule Result for Disable Hot Deployment in production
you will see it passes. But if I check manually I can see that the file
JBOSS_HOME/server/[PROFILE]/deploy/hdscanner-jboss-beans.xml
hasn't been deleted. So my conclusion is that the rule should have failed.
And I'm not sure what you mean with "oval results". if you tell how to generate it I will post it.
regards,
Ivan
On Tue, Apr 29, 2014 at 1:29 PM, Martin Preisler mpreisle@redhat.comwrote:
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, April 22, 2014 8:00:39 PM Subject: Re: oscap & jboss on Fedora
Martin,
I was able to run xccdf and oscan after editing the eap5-xccdf.xml file.
I
did comment out all '<platform idref="cpe:/a:redhat..' lines (5 lines in total).
java -jar xccdfexec.jar -result bla.xml --report bla.html --profile eap5_full -c eap5-cpe-oval.xml -C eap5-cpe-dictionary.xl -P eap5_full
No idea what xccdfexec.jar is. Is it a wrapper around oscap? The arguments look familiar.
Did run and asked me a lot's of questions. The same questions as can be found in the JBossEAP5_Guide.html document. Based on my answers it generated a few xml files. But am I mistaken or doesn't xccdfexec cheeck anything?
Oscap did check some things by it self (by inspecting jboss xml files I supose). I run it with the following options:
oscap xccdf eval --results bla.xml --report bla.html --profile eap5-full -cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
It generated the bla.html file and most of the checks were done.
Previously
I did check the Jboss by hand and I think oscap is not very meticulous. Some checks did get the passed status and I'm sure it should have failed. Any comments on this/
We need more specifics, else I can't comment. Give us a particular rule that passed and shouldn't have. Post your xccdf result file, post your oval results.
-- Martin Preisler _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, April 29, 2014 1:45:08 PM Subject: Re: oscap & jboss on Fedora
Martin,
Thank you for your answer. See attachment for xccdf result file. If you look at the rule Result for Disable Hot Deployment in production
you will see it passes. But if I check manually I can see that the file
JBOSS_HOME/server/[PROFILE]/deploy/hdscanner-jboss-beans.xml
Without knowing any details about the particular rule I will just say that it could a bug in the content. The content is what tells openscap what it should check. OVAL results will greatly help in debugging the issue.
hasn't been deleted. So my conclusion is that the rule should have failed.
And I'm not sure what you mean with "oval results". if you tell how to generate it I will post it.
Add --oval-results to the command line you use to run oscap. It will create an XML file with OVAL results. These may contain details we need to debug the issue.
[snip]
No idea what xccdfexec.jar is. Is it a wrapper around oscap? The arguments look familiar.
I still need an answer to this.
Martin,
See attachment for oval-results file. Thanks!
regards,
Ivan
On Fri, May 2, 2014 at 5:34 PM, Martin Preisler mpreisle@redhat.com wrote:
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, April 29, 2014 1:45:08 PM Subject: Re: oscap & jboss on Fedora
Martin,
Thank you for your answer. See attachment for xccdf result file. If you look at the rule Result for Disable Hot Deployment in production
you will see it passes. But if I check manually I can see that the file
JBOSS_HOME/server/[PROFILE]/deploy/hdscanner-jboss-beans.xml
Without knowing any details about the particular rule I will just say that it could a bug in the content. The content is what tells openscap what it should check. OVAL results will greatly help in debugging the issue.
hasn't been deleted. So my conclusion is that the rule should have
failed.
And I'm not sure what you mean with "oval results". if you tell how to generate it I will post it.
Add --oval-results to the command line you use to run oscap. It will create an XML file with OVAL results. These may contain details we need to debug the issue.
[snip]
No idea what xccdfexec.jar is. Is it a wrapper around oscap? The
arguments
look familiar.
I still need an answer to this.
-- Martin Preisler _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org, mpreisle@redhat.com Sent: Monday, May 5, 2014 12:34:30 PM Subject: Re: oscap & jboss on Fedora
Martin,
See attachment for oval-results file. Thanks!
I see XCCDF results again, just renamed to val-results.xml.
Please see http://www.open-scap.org/page/Documentation#OVAL
[snip]
No idea what xccdfexec.jar is. Is it a wrapper around oscap? The
arguments
look familiar.
I still need an answer to this.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Still need an answer to the above!
Martin,
I did reply (to the list) but my email has been retained by the moderator for three days now. I'll reply directly to you.
regards,
Ivan
On Tue, Apr 29, 2014 at 1:29 PM, Martin Preisler mpreisle@redhat.comwrote:
----- Original Message -----
From: "Ivan Saez Scheihing" saezscheihing@gmail.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, April 22, 2014 8:00:39 PM Subject: Re: oscap & jboss on Fedora
Martin,
I was able to run xccdf and oscan after editing the eap5-xccdf.xml file.
I
did comment out all '<platform idref="cpe:/a:redhat..' lines (5 lines in total).
java -jar xccdfexec.jar -result bla.xml --report bla.html --profile eap5_full -c eap5-cpe-oval.xml -C eap5-cpe-dictionary.xl -P eap5_full
No idea what xccdfexec.jar is. Is it a wrapper around oscap? The arguments look familiar.
Did run and asked me a lot's of questions. The same questions as can be found in the JBossEAP5_Guide.html document. Based on my answers it generated a few xml files. But am I mistaken or doesn't xccdfexec cheeck anything?
Oscap did check some things by it self (by inspecting jboss xml files I supose). I run it with the following options:
oscap xccdf eval --results bla.xml --report bla.html --profile eap5-full -cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
It generated the bla.html file and most of the checks were done.
Previously
I did check the Jboss by hand and I think oscap is not very meticulous. Some checks did get the passed status and I'm sure it should have failed. Any comments on this/
We need more specifics, else I can't comment. Give us a particular rule that passed and shouldn't have. Post your xccdf result file, post your oval results.
-- Martin Preisler _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide@lists.fedorahosted.org
-
David Smith -
Ivan Saez Scheihing -
Martin Preisler