Hello, Keng Lim:

SCAP Workbench is quite good for customization, but as you have seen it has problems with the CIS content because of its use of non-SCAP extensions. There are some alternatives cited here, but they may encounter the same shortcomings.

The SCAP Security Guide content for Red Hat Linux and derivatives is, in my opinion, excellent content from which customizations can be made, and can be manipulated using SCAP Workbench.

The SCAP Security Guide content for Debian is not yet at parity with the Red Hat content.

In the absence of a suitable GUI-based customization tool, the only advice I can provide is to use a good schema-driven editor to manually edit the content. An alternative would be to excise non-SCAP constructs and use SCAP Workbench to manipulate the content that remains. The constructs would have to be removed from both the OVAL document, and the references thereto removed from the XCCDF document. The latter would be a deletion of the <complex-check> or <check> elements from the XCCDF <Rule>s which reference the non-SCAP constructs.

Regards,

Gary



On 11/20/2016 10:35 PM, Ng Keng Lim wrote:

Hi Gary,


Thanks for the detailed explanation.

In your experience, are there any tools that could help in customizing the CIS benchmarks?


We would prefer a GUI tool as not all users are technically inclined.


Regards,

Keng Lim


Good security analysts and responders are hard to find. Educate, motivate and compensate yours.


From: Gary Gapinski [mailto:[email protected]]
Sent: Saturday, November 19, 2016 7:11 PM
To: Ng Keng Lim <[email protected]>
Cc: [email protected]
Subject: Re: [Open-scap] Unable to open CIS Red Hat Enterprise Linux 7 Benchmark


Hello, Keng Lim:

On 11/19/2016 01:31 AM, Ng Keng Lim wrote:

I am trying to use SCAP workbench to customize the CIS Red Hat Enterprise Linux 7 xccdf.

The following exception was encountered:


14:16:56

except  

Error while opening file.


There was a problem with ScanningSession!

Failed to reload session. OpenSCAP error message:

Unable to open file: '/usr/i686-w64-mingw32/sys-root/mingw/share/openscap/cpe/openscap-cpe-dict.xml' [oscap_source.c:220]

Failed to add default CPE to newly created CPE Session. [cpe_session.c:57]

Unknown test type oval:org.cisecurity.benchmarks.redhat_redhat_enterprise_linux_7:tst:10003. [oval_test.c:374]

Failed to create OVAL definition model from: 'C:/Users/klng5/Downloads/CIS-CAT v3.0.30/benchmarks/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.0-oval.xml'. [xccdf_session.c:769]


Opening the other CIS benchmarks for Ubuntu, CentOS and Debian encountered similar errors.


The OVAL content uses an OVAL construct — shell_command_test — that is likely not supported. This can be verified using the command

oscap oval validate CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v2.1.0-oval.xml 2>&1|head -3

There are multiple uses of the construct within the OVAL document. The first occurs at line #4557.

The command «oscap version» can be used to display the OVAL objects OpenSCAP supports. I suspect those not supported by OpenSCAP are not supported by SCAP Workbench.

Use of operating system commands within OVAL to interrogate a ToE was requested as early as 2006 but was then and is still considered profound anathema by some (I am not among those). It is still being discussed. A decade later, OVAL remains inadequately expressive since the rather extensive set of potential interrogatory commands (or underlying OS APIs) has not been accommodated. The manner of intended accommodation is explained here.

CIS has chosen to use an anathematic OVAL extension (I think it conforms to this) where such use is appropriate. There are forty such constructs in the OVAL document, each serving a purpose not served by OVAL. CIS's choice is one variation. OpenSCAP happens to support SCE. Lynis has another approach. DMTF has another. None of these conforms to the SCAP specifications, but they suffice for some. SCAP users blessed with doctrinal purity would eschew such techniques.

Regards,

Gary




_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
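The excision Gary describes in his reply at the top of this thread (drop the non-SCAP tests from the OVAL document, then drop the XCCDF <check>/<complex-check> elements that reach them), written out as an added illustration that is not any poster's code nor part of OpenSCAP. It assumes constructed OVAL and XCCDF fragments in place of the CIS files, a placeholder SUPPORTED_TESTS set (take the real list from «oscap version»), and a hypothetical excise() helper.

```python
import xml.etree.ElementTree as ET

# Constructed sample content (not the CIS files); the shapes mirror real OVAL/XCCDF.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:cis="urn:example:cis-ext">
 <definitions>
  <definition id="oval:ex:def:1" class="compliance" version="1"><criteria><criterion test_ref="oval:ex:tst:1"/></criteria></definition>
  <definition id="oval:ex:def:2" class="compliance" version="1"><criteria><criterion test_ref="oval:ex:tst:2"/></criteria></definition>
 </definitions>
 <tests>
  <lin:rpminfo_test id="oval:ex:tst:1" version="1" check="all" comment="rpm query"/>
  <cis:shell_command_test id="oval:ex:tst:2" version="1" check="all" comment="non-SCAP extension"/>
 </tests>
</oval_definitions>"""
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_ex_benchmark_1">
 <Rule id="xccdf_ex_rule_1"><check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="o.xml" name="oval:ex:def:1"/></check></Rule>
 <Rule id="xccdf_ex_rule_2"><complex-check operator="AND">
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="o.xml" name="oval:ex:def:1"/></check>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"><check-content-ref href="o.xml" name="oval:ex:def:2"/></check>
 </complex-check></Rule>
</Benchmark>"""
# Assumed (placeholder) set of test types the local OpenSCAP build supports;
# fill it from the output of `oscap version` for a real run.
SUPPORTED_TESTS = {"rpminfo_test", "textfilecontent54_test", "file_test"}

def local(tag):
    """Return an element's tag without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]

def excise(oval_xml, xccdf_xml, supported=SUPPORTED_TESTS):
    """Drop unsupported OVAL tests, the definitions that use them, and the XCCDF checks that reference those definitions."""
    oval, xccdf = ET.fromstring(oval_xml), ET.fromstring(xccdf_xml)
    tests = next(e for e in oval if local(e.tag) == "tests")
    bad_tests = {t.get("id") for t in tests if local(t.tag) not in supported}
    for t in list(tests):
        if t.get("id") in bad_tests:
            tests.remove(t)  # their objects/states stay; prune them too if validation objects
    defs = next(e for e in oval if local(e.tag) == "definitions")
    bad_defs = set()
    for d in list(defs):
        refs = {c.get("test_ref") for c in d.iter() if local(c.tag) == "criterion"}
        if refs & bad_tests:
            bad_defs.add(d.get("id"))
            defs.remove(d)
    for rule in [e for e in xccdf.iter() if local(e.tag) == "Rule"]:
        for child in list(rule):
            names = {r.get("name") for r in child.iter() if local(r.tag) == "check-content-ref"}
            if local(child.tag) in ("check", "complex-check") and names & bad_defs:
                rule.remove(child)  # a whole complex-check goes, since its logic no longer holds
    return oval, xccdf, bad_tests, bad_defs
```

Serialize the two returned trees with ET.tostring() and run «oscap oval validate» on the result before loading it into SCAP Workbench.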
