Has this always been the case that the CPE/Dictionary is needed for oscap execution? I ask because if this is a new feature, I will ping the SecState list about when they will be including the Dictionary as an argument to their program. Currently, secstate imports only an xccdf and will not work with the SSG v0.1-10....trying to resolve why this is.
Logan Rodrian ________________________________ From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shawn Wells [shawn@redhat.com] Sent: Thursday, March 07, 2013 11:05 To: scap-security-guide@lists.fedorahosted.org Subject: EXT :Re: scap-security-guide 0.1-10 help
On 3/7/13 8:51 AM, Rodrian, Logan P (IS) wrote: It appears that the full command is needed. The scan won't run without the cpe/dictionary reference. The minimal command needed is as follows:
oscap xccdf eval --profile <profile> \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Ah, yes. The --cpe is *very* much needed as it provides some platform checks. The others (--report, etc) are optional.
On 3/7/13 8:51 AM, Rodrian, Logan P (IS) wrote:
Has this always been the case that the CPE/Dictionary is needed for oscap execution? I ask because if this is a new feature, I will ping the SecState list about when they will be including the Dictionary as an argument to their program. Currently, secstate imports only an xccdf and will not work with the SSG v0.1-10....trying to resolve why this is.
Hey Logan, Sorry the messages were held up on the secstate list, I had to do some admin-approval thing; should be moving along. We can jump the specific follow-up over there shortly, but to hit the quick points in this thread: Last I checked the CPE stuff got auto-resolved by the backend OpenSCAP stuff that SecState was using. I know that we had content which would not work on CentOS by default because the CPE flags specified RHEL. I need to update to the latest OpenSCAP API and see if all of that still works, but with the versions you have I would not anticipate an issue.
If you do a 'secstate list -ar' it should show you all of your selections marked with [X], and nonselected content with [ ]. If everything is nonselected then you can use 'secstate select -r <benchmark-id> <rule/group-id>' to do recursive group selections.
- Francisco
Logan Rodrian
On 03/07/2013 08:21 PM, Rodrian, Logan P (IS) wrote:
Has this always been the case that the CPE/Dictionary is needed for oscap execution?
No.
The CPE dictionary is needed only by openscap-0.9.1 and openscap-0.9.2.
Since 0.9.3, the openscap has a build-in CPE dictionary, thus for the most common cases --cpe option shall not be needed.
I ask because if this is a new feature, I will pingthe SecState list about when they will be including the Dictionary as an argument to their program. Currently, secstate imports only an xccdf and will not work with the SSG v0.1-10....trying to resolve why this is.
Logan Rodrian
*From:* scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shawn Wells [shawn@redhat.com] *Sent:* Thursday, March 07, 2013 11:05 *To:* scap-security-guide@lists.fedorahosted.org *Subject:* EXT :Re: scap-security-guide 0.1-10 help
On 3/7/13 8:51 AM, Rodrian, Logan P (IS) wrote:
It appears that the full command is needed. The scan won't run without the cpe/dictionary reference. The minimal command needed is as follows: oscap xccdf eval --profile <profile> \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Ah, yes. The --cpe is *very* much needed as it provides some platform checks. The others (--report, etc) are optional.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide@lists.fedorahosted.org
-
Francisco Slavin -
Rodrian, Logan P (IS) -
Šimon Lukašík