Hi Gary,

Thanks for the detailed explanation. In your experience, are there any tools that could help in customizing the CIS benchmarks? We would prefer a GUI tool, as not all users are technically inclined.

Regards,
Keng Lim

Good security analysts and responders are hard to find. Educate, motivate and compensate yours.

From: Gary Gapinski [mailto:[email protected]]
Sent: Saturday, November 19, 2016 7:11 PM
To: Ng Keng Lim <[email protected]>
Cc: [email protected]
Subject: Re: [Open-scap] Unable to open CIS Red Hat Enterprise Linux 7 Benchmark

Hello, Keng Lim:

On 11/19/2016 01:31 AM, Ng Keng Lim wrote:

I am trying to use SCAP Workbench to customize the CIS Red Hat Enterprise Linux 7 XCCDF. The following exception was encountered:

14:16:56 except Error while opening file.
There was a problem with ScanningSession!
Failed to reload session.
OpenSCAP error message:
Unable to open file: '/usr/i686-w64-mingw32/sys-root/mingw/share/openscap/cpe/openscap-cpe-dict.xml' [oscap_source.c:220]
Failed to add default CPE to newly created CPE Session. [cpe_session.c:57]
Unknown test type oval:org.cisecurity.benchmarks.redhat_redhat_enterprise_linux_7:tst:10003. [oval_test.c:374]
Failed to create OVAL definition model from: 'C:/Users/klng5/Downloads/CIS-CAT v3.0.30/benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.0-oval.xml'. [xccdf_session.c:769]

Opening the other CIS benchmarks for Ubuntu, CentOS and Debian encountered similar errors.

The OVAL content uses an OVAL construct, shell_command_test, that is likely not supported. This can be verified using the command

oscap oval validate CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.0-oval.xml 2>&1 | head -3

There are multiple uses of the construct within the OVAL document. The first occurs at line #4557. The command <oscap version> can be used to display the OVAL objects OpenSCAP supports. I suspect those not supported by OpenSCAP are not supported by SCAP Workbench.
Use of operating system commands within OVAL to interrogate a ToE was requested (http://making-security-measurable.1364806.n2.nabble.com/Proposed-New-Test-command-test-td22997.html) as early as 2006 but was then, and is still, considered profound anathema by some (I am not among those). It is still being discussed. A decade later, OVAL remains inadequately expressive, since the rather extensive set of potential interrogatory commands (or underlying OS APIs) has not been accommodated. The manner of intended accommodation is explained here: https://ovalproject.github.io/getting-started/best-practices/

CIS has chosen to use an anathematic OVAL extension (I think it conforms to https://github.com/joval/jOVAL/blob/master/scap-extensions/schemas/x-shellcommand-definitions-schema.xsd) where such use is appropriate. There are forty such constructs in the OVAL document, each serving a purpose not served by OVAL.

CIS's choice is one variation. OpenSCAP happens to support SCE (https://www.open-scap.org/features/other-standards/sce/). Lynis (https://cisofy.com/lynis/) has another approach. DMTF (https://www.dmtf.org/) has another. None of these conforms to the SCAP specifications (https://scap.nist.gov/revision/1.2/), but they suffice for some. SCAP users blessed with doctrinal purity would eschew such techniques.

Regards,
Gary
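The check Gary describes (find which test types in the CIS OVAL file fall outside what this oscap build's probes cover) can be scripted so that the offending tests are listed by id before SCAP Workbench is ever opened. The script below is an added example, not part of the thread and not code from OpenSCAP or CIS. It parses the <tests> section of an OVAL definitions document, maps each foo_test to its foo object, and compares that against the object column of the "Supported OVAL objects and associated OpenSCAP probes" table that `oscap --version` prints; any test in a namespace other than the standard oval-definitions-5 schemas is reported as an extension. The OVAL sample, the `oscap --version` excerpt, the three-column layout it assumes for that table, and the extension namespace `http://example.invalid/x-shellcommand` are all constructed for illustration.

```python
"""List OVAL tests that an oscap build will not be able to evaluate.

Added example (not from the original mailing-list thread). It flags two
kinds of test: those in a non-standard XML namespace (vendor extensions such
as the shell-command test CIS uses) and those whose object type has no probe
in the table printed by `oscap --version`.
"""
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample OVAL: two standard tests plus one extension test.
# The x-sh namespace is an assumption made for this illustration only.
SAMPLE_OVAL = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    xmlns:x-sh="http://example.invalid/x-shellcommand">
  <tests>
    <unix:file_test id="oval:example:tst:1" version="1" check="all" comment="c">
      <unix:object object_ref="oval:example:obj:1"/>
    </unix:file_test>
    <linux:rpminfo_test id="oval:example:tst:2" version="1" check="all" comment="c">
      <linux:object object_ref="oval:example:obj:2"/>
    </linux:rpminfo_test>
    <x-sh:shell_command_test id="oval:example:tst:3" version="1" check="all" comment="c">
      <x-sh:object object_ref="oval:example:obj:3"/>
    </x-sh:shell_command_test>
  </tests>
</oval_definitions>
"""

# Constructed excerpt in the layout of the probe table from `oscap --version`
# (assumption: three whitespace-separated columns under a dashed header).
SAMPLE_OSCAP_VERSION = """\
==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family    OVAL object                  OpenSCAP probe
----------     ----------                   ----------
independent    textfilecontent54            probe_textfilecontent54
linux          rpminfo                      probe_rpminfo
unix           file                         probe_file
"""


def supported_objects(version_output: str) -> set:
    """Return the OVAL object names listed in the `oscap --version` probe table."""
    objects = set()
    in_table = False
    for line in version_output.splitlines():
        if "Supported OVAL objects" in line:
            in_table = True
            continue
        if not in_table:
            continue
        cols = line.split()
        # Skip the column-title row, the dashed separator and anything else
        # that is not a family/object/probe triple.
        if len(cols) != 3 or cols[0].startswith("-"):
            continue
        objects.add(cols[1])
    return objects


def list_tests(oval_xml: str) -> list:
    """Return (test id, namespace URI, local element name) for each OVAL test."""
    root = ET.fromstring(oval_xml)
    tests_el = root.find("{%s}tests" % OVAL_DEF_NS)
    found = []
    if tests_el is None:
        return found
    for el in tests_el:
        m = re.match(r"\{(.*)\}(.*)", el.tag)
        found.append((el.get("id", "?"), m.group(1), m.group(2)))
    return found


def unsupported_tests(oval_xml: str, version_output: str) -> list:
    """Return (test id, test element, reason) for tests this oscap cannot run."""
    ok_objects = supported_objects(version_output)
    problems = []
    for tid, ns, local in list_tests(oval_xml):
        if not ns.startswith(OVAL_DEF_NS):
            problems.append((tid, local, "non-standard namespace " + ns))
            continue
        # A standard foo_test is evaluated by the probe for the foo object.
        obj = local[:-len("_test")] if local.endswith("_test") else local
        if obj not in ok_objects:
            problems.append((tid, local, "no probe for object " + obj))
    return problems


if __name__ == "__main__":
    # Usage: python oval_unsupported.py <benchmark>-oval.xml
    oval_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVAL
    try:
        version_text = subprocess.run(["oscap", "--version"],
                                      capture_output=True, text=True).stdout
    except FileNotFoundError:
        version_text = SAMPLE_OSCAP_VERSION  # oscap not installed: use the sample
    for tid, local, why in unsupported_tests(oval_text, version_text):
        print("%s: %s: %s" % (tid, local, why))
```

Run with no arguments it reports only the constructed extension test; pointed at the real CIS OVAL file on a machine with oscap installed it lists every test id the local build cannot evaluate, which is the set Workbench will also refuse. The probe-table parser is deliberately loose because the exact column spacing of `oscap --version` varies between OpenSCAP releases.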
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
