Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

If I am building OpenSCAP over my previous install of the libopenscap8 package, 
do I need to remove libopenscap8 first or can I just make-install over it?

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620

From: Gary Gapinski
Sent: Wednesday, January 23, 2019 9:03 PM
To: Boucher, William
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

I just took a look at OpenSCAP and ComplianceAsCode.

I obtained results that were at variance with yours, and which failed to attain 
Glorious Victory.

Some comments inline.

On 1/23/19 10:10 AM, Boucher, William wrote:
> OK! I downloaded the latest scap-security-guide source from Git and built it
> for Ubuntu 1604. It compiles and runs!

Using an Ubuntu 18.04 instance as a platform, I obtained, built, and installed

I also obtained and built on the 
same system.

> Next challenge, during the compile it had trouble scanning the Oval file for
> controls it was to evaluate, and it marked all of those it didn’t find as “not
> applicable”. So I got a score of 100%, but none of the challenging controls
> were evaluated. (I used an oval file I found in the source tree but I guess it
> was not complete.)

Using «oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard 
--results-arf results-arf.xml --report report.html --results results.xml 
ssg-ubuntu1804-ds.xml» all results were notapplicable.

I commented out line #10606 (the <platform> designator) in 
ssg-ubuntu1804-ds.xml and ran the evaluation again. This time some of the rules 
were evaluated, some passed, some failed, some resulted in error, some were 
notapplicable (for no apparent reason).

I then ran the same evaluation as root («sudo oscap …»), and obtained passes, 
fails, and notapplicables, but no errors. The report was at variance with the 
input data stream with respect to rules selected in the data stream (the 
profile selects more rules than appear in the eval report — 45 vs 38 

Note that I am using the data stream (ssg-ubuntu1804-ds.xml) and not, directly, 
the related OVAL (ssg-ubuntu1804-oval.xml). I have a profound antipathy toward 
OVAL, and prefer to avoid close contact.

> Apparently I need more or better benchmark files for Ubuntu in the OpenSCAP
> “/usr/share/openscap” and “/usr/share/openscap/cpe” directories
> (openscap-cpe-dictionary.xml, openscap-cpe-oval.xml,
> openscap-ubuntu1604-cpe-dictionary.xml and openscap-ubuntu1604-cpe-oval.xml in
> the openscap/cpe directory and scap-ubuntu1604-oval.xml,
> scap-ubuntu1604-ocil.xml and scap-ubuntu-1604-ds.xml in the openscap directory).

I used git head to build the content I used. The data stream encapsulates the 
related XCCDF and OVAL documents.

> These files do not appear to be in the source from Git and they were not
> installed with the libopenscap8 package. Google is not helping me with this
> challenge. Can you guys direct me to where I can find these files so I can
> build and run a complete scan of my system(s)?

I expect you would obtain similar results on 16.04. Determining why rules end 
up notapplicable, or seem to be skipped during evaluation, will require 
additional inspection, as will evaluating the veracity of the passes and fails.



Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959 — office
℡ +1 216 820 1849 — mobile
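
Added example, not part of the original thread and not OpenSCAP project code: one way to check an XCCDF 1.2 results file (the `--results results.xml` output above) for the gap discussed, by listing profile-selected rules that have no rule-result or came back notapplicable. The rule ids and the sample document are constructed; the script assumes the profile does not use `extends` and ignores each Rule's default `selected` attribute.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace
PROFILE = "xccdf_org.ssgproject.content_profile_standard"  # profile id used in the thread

# Constructed sample standing in for results.xml; rule ids are hypothetical.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.ssgproject.content_profile_standard">
    <select idref="xccdf_org.example_rule_a" selected="true"/>
    <select idref="xccdf_org.example_rule_b" selected="true"/>
    <select idref="xccdf_org.example_rule_c" selected="true"/>
    <select idref="xccdf_org.example_rule_d" selected="true"/>
    <select idref="xccdf_org.example_rule_e" selected="false"/>
  </Profile>
  <TestResult id="xccdf_org.example_testresult_demo">
    <rule-result idref="xccdf_org.example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_b"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_c"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_e"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""


def audit(xml_text, profile_id):
    """Compare the rules a profile selects with the rule-results recorded."""
    root = ET.fromstring(xml_text)
    profile = next((p for p in root.iter(XCCDF + "Profile")
                    if p.get("id") == profile_id), None)
    if profile is None:
        raise ValueError("profile not found: " + profile_id)
    selected = {s.get("idref") for s in profile.findall(XCCDF + "select")
                if s.get("selected") == "true"}
    test_result = next(root.iter(XCCDF + "TestResult"), None)
    if test_result is None:
        raise ValueError("no TestResult element in document")
    outcome = {rr.get("idref"): rr.findtext(XCCDF + "result", "").strip()
               for rr in test_result.findall(XCCDF + "rule-result")}
    return {
        "counts": Counter(outcome.get(r, "missing") for r in selected),
        "missing": sorted(r for r in selected if r not in outcome),
        "notapplicable": sorted(r for r in selected if outcome.get(r) == "notapplicable"),
    }


if __name__ == "__main__":
    print(audit(SAMPLE, PROFILE))
```

To run it against a real scan, pass the contents of results.xml to `audit()` in place of `SAMPLE`.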