Hello, Keng Lim:

On 11/19/2016 01:31 AM, Ng Keng Lim wrote:
I am trying to use SCAP Workbench to customize the CIS Red Hat Enterprise Linux 7 XCCDF.

The following exception was encountered:

14:16:56

except

Error while opening file.

There was a problem with ScanningSession!

Failed to reload session. OpenSCAP error message:

Unable to open file: '/usr/i686-w64-mingw32/sys-root/mingw/share/openscap/cpe/openscap-cpe-dict.xml' [oscap_source.c:220]

Failed to add default CPE to newly created CPE Session. [cpe_session.c:57]

Unknown test type oval:org.cisecurity.benchmarks.redhat_redhat_enterprise_linux_7:tst:10003. [oval_test.c:374]

Failed to create OVAL definition model from: 'C:/Users/klng5/Downloads/CIS-CAT v3.0.30/benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.0-oval.xml'. [xccdf_session.c:769]

Opening other CIS benchmarks for Ubuntu, CentOS and Debian encountered a similar error.


The OVAL content uses an OVAL construct — shell_command_test — that is likely not supported. This can be verified using the command
oscap oval validate CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.0-oval.xml 2>&1|head -3
There are multiple uses of the construct within the OVAL document. The first occurs at line #4557.

The command «oscap version» can be used to display the OVAL objects OpenSCAP supports. I suspect those not supported by OpenSCAP are not supported by SCAP Workbench.

Use of operating system commands within OVAL to interrogate a ToE was requested as early as 2006 but was then and is still considered profound anathema by some (I am not among those). It is still being discussed. A decade later, OVAL remains inadequately expressive since the rather extensive set of potential interrogatory commands (or underlying OS APIs) has not been accommodated. The manner of intended accommodation is explained here.

CIS has chosen to use an anathematic OVAL extension (I think it conforms to this) where such use is appropriate. There are forty such constructs in the OVAL document, each serving a purpose not served by OVAL. CIS's choice is one variation. OpenSCAP happens to support SCE. Lynis has another approach. DMTF has another. None of these conforms to the SCAP specifications, but they suffice for some. SCAP users blessed with doctrinal purity would eschew such techniques.

Regards,

Gary

_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
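
An added example, not part of the original message and not OpenSCAP or CIS code: a pre-flight check that lists every test type in an OVAL definitions file that a scanner is not expected to handle, with a count and the line of first use, which is the information the reply above reports for shell_command_test. The function names, the `SUPPORTED` allow-list, the extension namespace and the ids in the sample are assumptions constructed for illustration.

```python
import xml.parsers.expat

# Core namespace of the OVAL 5 definitions language; component schemas append "#family".
OVAL_DEFS_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

def inventory_tests(oval_xml: bytes):
    """Return (line, namespace, test_name, id) for each direct child of <tests>."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    found, stack = [], []

    def start(name, attrs):
        ns, _, local = name.rpartition(" ")
        # A test is any element whose parent is the core-namespace <tests> container.
        if stack and stack[-1] == (OVAL_DEFS_NS, "tests"):
            found.append((parser.CurrentLineNumber, ns, local, attrs.get("id", "")))
        stack.append((ns, local))

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.Parse(oval_xml, True)
    return found

def unsupported_tests(oval_xml: bytes, supported: set):
    """Map each test type missing from `supported` to (count, first line seen)."""
    report = {}
    for line, ns, local, _id in inventory_tests(oval_xml):
        # Flag tests outside the standard OVAL namespaces or absent from the allow-list.
        if not ns.startswith(OVAL_DEFS_NS) or local not in supported:
            count, first = report.get(local, (0, line))
            report[local] = (count + 1, first)
    return report

# Constructed sample: the extension namespace and all ids are placeholders.
SAMPLE = b"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <tests>
    <file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
               id="oval:example.sample:tst:1" version="1" check="all" comment="c"/>
    <shell_command_test xmlns="urn:example:vendor-extension"
               id="oval:example.sample:tst:2" version="1" check="all" comment="c"/>
    <shell_command_test xmlns="urn:example:vendor-extension"
               id="oval:example.sample:tst:3" version="1" check="all" comment="c"/>
  </tests>
</oval_definitions>"""

# Assumed allow-list; in practice fill it from the tests your scanner reports supporting.
SUPPORTED = {"file_test", "textfilecontent54_test"}

if __name__ == "__main__":
    for name, (count, first) in unsupported_tests(SAMPLE, SUPPORTED).items():
        print(f"{name}: {count} use(s), first at line {first}")
```

Running the check before loading content into a scanner shows which rules would fail to evaluate, rather than discovering it from a session error.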
