I just took a look at OpenSCAP and ComplianceAsCode.

I obtained results that were at variance with yours, and which failed to attain Glorious Victory.

Some comments inline.

On 1/23/19 10:10 AM, Boucher, William wrote:

OK! I downloaded the latest scap-security-guide source from Git and built it for Ubuntu 1604. It compiles and runs!

Using an Ubuntu 18.04 instance as a platform, I obtained, built, and installed https://github.com/OpenSCAP/openscap.

I also obtained and built https://github.com/ComplianceAsCode/content on the same system.

Next challenge, during the compile it had trouble scanning the Oval file for controls it was to evaluate, and it marked all of those it didn’t find as “not applicable”. So I got a score of 100%, but none of the challenging controls were evaluated. (I used an oval file I found in the source tree but I guess it was not complete.)

Using «oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results-arf results-arf.xml --report report.html --results results.xml ssg-ubuntu1804-ds.xml» all results were notapplicable.

I commented out line #10606 (the <platform> designator) in ssg-ubuntu1804-ds.xml and ran the evaluation again. This time some of the rules were evaluated, some passed, some failed, some resulted in error, some were notapplicable (for no apparent reason).

I then ran the same evaluation as root («sudo oscap …»), and obtained passes, fails, and notapplicables, but no errors. The report was at variance with the input data stream with respect to rules selected in the data stream (the profile selects more rules than appear in the eval report — 45 vs 38 respectively).

Note that I am using the data stream (ssg-ubuntu1804-ds.xml) and not, directly, the related OVAL (ssg-ubuntu1804-oval.xml). I have a profound antipathy toward OVAL, and prefer to avoid close contact.

Apparently I need more or better benchmark files for Ubuntu in the OpenSCAP “/usr/share/openscap” and “/usr/share/openscap/cpe” directories (openscap-cpe-dictionary.xml,  openscap-cpe-oval.xml, openscap-ubuntu1604-cpe-dictionary.xml and  openscap-ubuntu1604-cpe-oval.xml in the openscap/cpe directory and scap-ubuntu1604-oval.xml, scap-ubuntu1604-ocil.xml and scap-ubuntu-1604-ds.xml in the openscap directory).

I used git head to build the content I used. The data stream encapsulates the related XCCDF and OVAL documents.

These files do not appear to be in the source from Git and they were not installed with the libopenscap8 package. Google is not helping me with this challenge. Can you guys direct me to where I can find these files so I can build and run a complete scan of my system(s)?

I expect you would obtain similar results on 16.04. Determining why rules end up notapplicable, or seem to be skipped during evaluation, will require additional inspection, as will evaluating the veracity of the passes and fails.



Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
+1 216 433 3959 — office
+1 216 820 1849 — mobile
Open-scap-list mailing list

Reply via email to