Tim, I guess the first thing I would ask is why you’re downloading the full OVAL XML file. That file, as you can see is huge, and contains ALL the definitions in the entire repository. I can make an educated guess that your Fedora-based system doesn’t need to assess against every Windows definition, Cisco IOS definition, etc. You probably only want the ones specific to your OS family, which in this case would be “unix”, and a particular class of definitions; I would suggest “vulnerability” as this is the most prevalent definition class in the repository.
That bundle can be found here -- https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml -- and is only about 35 MB Other definition classes and families are available as well, and I’d definitely suggest trying different combinations of files to find the correct information you’re looking to assess. The full repository might be a little too much to handle. I will take a look at the repository source (it’s all in GitHub) and see if I can find some ways to parse the full content and see where some of the validation issues might be. Cheers, -Bill M Bill Munyan Solutions Architect; Security Best Practices 31 Tech Valley Drive East Greenbush, NY 12061 [email protected]<mailto:[email protected]> (518) 516-6128 (w) (518) 281-1233 (c) [CIS_WEB_Logo_Type_RGB_Flat]<https://www.cisecurity.org/> [CIS Email Icons 01_23-02] <https://www.facebook.com/CenterforIntSec> [CIS Email Icons 01_23-03] <https://twitter.com/CISecurity> [CIS Email Icons 01_23-04] <https://www.youtube.com/user/TheCISecurity> [CIS Email Icons 01_23-05] <https://www.linkedin.com/company/the-center-for-internet-security> From: [email protected] <[email protected]> On Behalf Of Tim Sent: Wednesday, August 14, 2019 11:48 PM To: [email protected] Subject: [Open-scap] Trouble Scanning OVAL from CIS Repository Another issue has come up while attempting to scan a Fedora-based system using the quasi-official OVAL collection at CIS: https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip After extracting the XML and using a command such as: oscap oval eval --report report.html --results results.xml --fetch-remote-resources oval.xml the oscap utility spends about an hour and a half parsing the 213MB of data, then says in the end that the definitions are invalid and so refuses to do the scan. When I use --fetch-remote-resources, the following message is repeated 158 times. Alas the code apparently does not contemplate OVAL files with more than 65535 lines, so the line numbers are all the same (the actual number of lines is about 3 million): File 'oval.xml' line 65535: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string>: This element is not expected. Expected is one of ( {http://www.w3.org/2000/09/xmldsig#}Signature<http://www.w3.org/2000/09/xmldsig#}Signature>, {http://oval.mitre.org/XMLSchema/oval-common-5}notes<http://oval.mitre.org/XMLSchema/oval-common-5}notes>, {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes<http://oval.mitre.org/XMLSchema/oval-definitions-5}notes>, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform>, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp>, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg>, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release>, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release>, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild>, {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release> ). If I omit --fetch-remote-resources, there are a few different errors, but I guess those don't matter so much? So... what to do? Adding --skip-valid to the command doesn't seem like a solution. If I do that the scan fails almost immediately with: W: oscap: Unknown OVAL family subtype: interim_fix OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710. [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395] Failed to import the OVAL Definitions from 'oval.xml'. [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248] Are there some additional definitions that need to be pulled in somehow? Thanks! _______________________________________________ Open-scap-list mailing list [email protected]<mailto:[email protected]> https://www.redhat.com/mailman/listinfo/open-scap-list<https://www.redhat.com/mailman/listinfo/open-scap-list> ..... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .
_______________________________________________ Open-scap-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/open-scap-list
