Hi Todd and Jan,

Please excuse me, I do not intend to hijack Jan's thread but I believe the 
following may be related enough to be helpful.

These OpenSCAP CPE files exist on my system at /usr/local/share/openscap/cpe/, 
after compiling openscap from source on my machine. But neither they nor the 
versions available via the links provided below have any references to Ubuntu 
in them. Browsing through the files I see, for example, sections in the xml 
files for various flavors of rhel, opensuse, fedora, etc. but Ubuntu is not 
there.

Compiling the ssg from source (at /usr/local/src/ComplianceAsCode/content/) 
does put Ubuntu-specific cpe files {ssg-ubuntu1604-cpe-dictionary.xml, 
ssg-ubuntu1604-cpe-oval.xml, ssg-ubuntu1804-cpe-dictionary.xml, 
ssg-ubuntu1804-cpe-oval.xml} in /usr/local/share/xml/scap/ssg/content, as well 
as similarly named ds, ocil, oval and xccdf files.

Running scap using these files, however, with the command:

sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report 
./report-ds.html –results ./results-ds.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

results in 15 rules passed, 6 inconclusive (unknown) and 24 notapplicable. The 
notapplicable rules (ignored by oscap) seem to refer to the STIG controls I 
would consider the most applicable for evaluation.

Since my install is Ubuntu 16.04.5, not Ubuntu 18, I would be interested to see 
the results Todd Williams would get running this on his install. In an earlier 
thread (Benchmark for Canonical Ubuntu 16.04 LTS), Gary did get similar results 
with Ubuntu 18 and stated "Determining why rules end up notapplicable, or seem 
to be skipped during evaluation, will require additional inspection, as will 
evaluating the veracity of the passes and fails".

Is anybody looking at this on the development side (determining why rules end 
up nonapplicable)?

Thanks,

        --Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer 
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com


-----Original Message-----
From: open-scap-list-boun...@redhat.com 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of Jan Cerny
Sent: Monday, February 4, 2019 2:01 AM
To: Todd Williams <tod...@us.ibm.com>
Cc: Open-scap-list <open-scap-list@redhat.com>
Subject: Re: [Open-scap] Ubuntu Security Guide content

Hi,

You're correct it's missing CPE dictionary and CPE OVAL. 
The files are located here:
https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-dict.xml
https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-oval.xml
They're list of platform definitions based on which the platform applicability 
of SCAP content is determined.
OpenSCAP expect them to be present in '/usr/share/openscap/cpe/'

I'm not an Ubuntu user, so I'm only guessing, but I think that downloading 
these files and saving them to '/usr/share/openscap/cpe/' should help.

This is probably a bug in Ubuntu packaging, because it seems Ubuntu doesn't 
ship these files in its packages, but they are required by OpenSCAP to work 
correctly. You can try to file a bug report on Ubuntu.

Regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Todd Williams" <tod...@us.ibm.com>
> To: "Jan Cerny" <jce...@redhat.com>
> Sent: Friday, February 1, 2019 4:35:50 PM
> Subject: Re: [Open-scap] Ubuntu Security Guide content
> 
> 
> Hi Jan,
> 
> So I was able to use ssg-ubuntu1804-ds.xml in scap-workbench on Ubuntu 
> 18.4, and I got this error when I ran the scan
> 
> 
> 14:27:38
> info
> SCAP Workbench 1.1.5, compiled with Qt 4.8.7, using OpenSCAP 1.2.15
> 
> 
> 14:28:16
> info
> Opened file '/root/scap-security-guide-0.1.42/ssg-ubuntu1804-ds.xml'.
> 
> 
> 14:28:25
> info
> Querying capabilities...
> 
> 
> 14:28:25
> info
> Creating temporary files...
> 
> 
> 14:28:25
> info
> Starting the oscap process...
> 
> 
> 14:28:25
> info
> Processing...
> 
> 
> 14:28:30
> error
> The 'oscap' process has written the following content to stderr: 
> OpenSCAP
> Error: Unable to open file:
> '/usr/share/openscap/cpe/openscap-cpe-dict.xml'
> [../../../src/source/oscap_source.c:284]
> 
> 
> 
> 14:28:30
> error
> The 'oscap' process has written the following content to stderr: 
> Failed to add default CPE to newly created CPE Session.
> [../../../src/CPE/cpe_session.c:58]
> 
> 
> 14:28:30
> info
> The oscap tool has finished. Reading results...
> 
> 
> 14:28:30
> info
> Processing has been finished!
> 
> 
> 14:28:58
> info
> Querying capabilities...
> 
> 
> 14:28:58
> info
> Creating temporary files...
> 
> 
> 14:28:58
> info
> Starting the oscap process...
> 
> 
> 14:28:58
> info
> Processing...
> 
> 
> 14:29:00
> error
> The 'oscap' process has written the following content to stderr: 
> OpenSCAP
> Error: Unable to open file:
> '/usr/share/openscap/cpe/openscap-cpe-dict.xml'
> [../../../src/source/oscap_source.c:284]
> 
> 
> 
> 14:29:00
> error
> The 'oscap' process has written the following content to stderr: 
> Failed to add default CPE to newly created CPE Session.
> [../../../src/CPE/cpe_session.c:58]
> 
> 
> 14:29:00
> info
> The oscap tool has finished. Reading results...
> 
> 
> 14:29:00
> info
> Processing has been finished!
> 
> 
> So I went to /usr/share/openscap/cpe and the only file there is the 
> README, so I read it and it pointed me to 
> https://nvd.nist.gov/Products/CPE.  I found these files there:
> official-cpe-dictionary_v2.3.xml.gz
> official-cpe-dictionary_v2.2.xml.gz
> Can I rename and use 1 of these?
> 
> I have it setup and running on RHEL 7.6 and when I look at that dir on 
> that system it has 2 files, can I use them?
> openscap-cpe-dict.xml
> openscap-cpe-oval.xml
> 
> 
> BTW, the setup for RHEL goes much smoother than Ubuntu..
> 
>                                                                   
>                                                                   
>                                                                   
>                        Thanks,
>                        Todd M. Williams
>                        Unix System Admin, devIT-US,
>                        AIX/Linux/CC/CQ/SPoRT/DB2
>                        Phone: 772-257-5706 | Mobile: 772-925-2042
>                        E-Mail: tod...@us.ibm.com
>                        devIT
>                                                                   
> 
> 
> 
> 
> 
> 
> From: Jan Cerny <jce...@redhat.com>
> To:   Todd Williams <tod...@us.ibm.com>
> Cc:   open-scap-list@redhat.com
> Date: 01/31/2019 03:57 AM
> Subject:      Re: [Open-scap] Ubuntu Security Guide content
> 
> 
> 
> Hi Todd,
> 
> The security content is provided by "ComplianceAsCode" project, which 
> was up until recently known as "SCAP Security Guide" or "SSG".
> See
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Compli
> anceAsCode_content&d=DwIFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4BwPnN3sPgNQjva
> J-rrOQD9wYgWK1vlNlqk921f9rTw&m=barf9ggX12ptwUtL39Zr4DrVw-plD8VA-rt4jH2
> TyNY&s=vNHYFU2k7A2CSeZR_c_PoqpDjWzZyFy8U9Hlze2Zwis&e=
> 
> 
> The security content is packaged in Ubuntu since Ubuntu 18.04 (Bionic 
> Beaver).
> The packages are: ssg-base, ssg-debderived, ssg-debian,  
> ssg-nondebian, ssg-applications.
> 
> However, the packages contain outdated versions of upstream content, 
> and AFAIK the content in the packages is applicable to Ubuntu 16.04 an 
> 14.04. That is kind of useless on 18.04 :)
> 
> Therefore, I suggest downloading the latest upstream release from GitHub:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_Compli
> anceAsCode_content_releases_download_v0.1.42_scap-2Dsecurity-2Dguide-2
> D0.1.42.zip&d=DwIFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4BwPnN3sPgNQjvaJ-rrOQD
> 9wYgWK1vlNlqk921f9rTw&m=barf9ggX12ptwUtL39Zr4DrVw-plD8VA-rt4jH2TyNY&s=
> GptJ9IxTd3-Np6P-SIHAUZuzbMwBN7Wb8PtIx3KameE&e=
> 
> Extract the archive and then open ssg-ubuntu1804-ds.xml in SCAP Workbench.
> 
> Thank you very much for reminding us about the outdated web site. I 
> will try to update the web soon.
> 
> Best Regards
> 
> Jan Černý
> Security Technologies | Red Hat, Inc.
> 
> 
> 
> ----- Original Message -----
> > From: "Todd Williams" <tod...@us.ibm.com>
> > To: open-scap-list@redhat.com
> > Sent: Wednesday, January 30, 2019 6:58:40 PM
> > Subject: [Open-scap] Ubuntu Security Guide content
> >
> >
> >
> > Hello,
> >
> > I am new to SCAP and have been tasked with setting it up on a Ubuntu 
> > test system. It is running Ubuntu 18.04.1 LTS. I have these 2 
> > packages
> installed:
> >
> > libopenscap8/bionic,now 1.2.15-1build1 amd64 [installed] 
> > scap-workbench/bionic,now 1.1.5-1 amd64 [installed]
> >
> > I can bring up the GUI for the workbench, but with no security 
> > content I
> am
> > stuck as far as being able to run a scan and/or editing the security 
> > requirements. According to the web site there is no security guide 
> > for Ubuntu.
> >
> >
> >
> > But I have been told that there is a package for Ubuntu out there,
> "apt-get
> > list" did not return anything, can someone tell if there is or not?
> >
> >
> >
> >              Thanks,
> > Todd M. Williams
> > Unix System Admin, devIT-US, AIX/Linux/CC/CQ/SPoRT/DB2
> > Phone: 772-257-5706 | Mobile: 772-925-2042
> > E-Mail: tod...@us.ibm.com
> > devIT
> >
> >
> > _______________________________________________
> > Open-scap-list mailing list
> > Open-scap-list@redhat.com
> >
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.redhat.com_ma
> ilman_listinfo_open-2Dscap-2Dlist&d=DwIFaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=
> 4BwPnN3sPgNQjvaJ-rrOQD9wYgWK1vlNlqk921f9rTw&m=barf9ggX12ptwUtL39Zr4DrV
> w-plD8VA-rt4jH2TyNY&s=kdZJkE-OdFBK63L1uDxwv2iEG2aif_xR_Ad9o_xmqhQ&e=
> 
> 
> 
> 
> 

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Reply via email to