Tim,
I guess the first thing I would ask is why you’re downloading the full OVAL XML 
file.  That file, as you can see, is huge, and contains ALL the definitions in 
the entire repository.  I can make an educated guess that your Fedora-based 
system doesn’t need to assess against every Windows definition, Cisco IOS 
definition, etc.  You probably only want the ones specific to your OS family, 
which in this case would be “unix”, and a particular class of definitions; I 
would suggest “vulnerability” as this is the most prevalent definition class in 
the repository.

That bundle can be found here -- 
https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml 
-- and is only about 35 MB

Other definition classes and families are available as well, and I’d definitely 
suggest trying different combinations of files to find the correct information 
you’re looking to assess.  The full repository might be a little too much to 
handle.

I will take a look at the repository source (it’s all in GitHub) and see if I 
can find some ways to parse the full content and see where some of the 
validation issues might be.

Cheers,
-Bill M

Bill Munyan
Solutions Architect; Security Best Practices
31 Tech Valley Drive
East Greenbush, NY 12061

william.mun...@cisecurity.org
(518) 516-6128 (w)
(518) 281-1233 (c)
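As an added example (my own code, not from either poster or the OpenSCAP project), here is a small Python script that streams an OVAL definitions file and inventories the definition classes, affected families and test component families (the namespace suffixes such as unix, linux, iosxe) it uses, so you can see before a long oscap run whether a bundle carries Cisco IOS or other families your scanner does not implement. The set of supported families is an assumption you supply, and the embedded OVAL sample is constructed and trimmed of criteria.

```python
import io
from collections import Counter
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed, schema-trimmed sample: two definitions, one Linux test, one IOS-XE test.
SAMPLE_OVAL = b"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
  xmlns:iosxe="http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata><title>rpm check</title><affected family="unix"/></metadata></definition>
    <definition id="oval:example:def:2" version="1" class="inventory">
      <metadata><title>ios check</title><affected family="ios"/></metadata></definition>
  </definitions>
  <tests>
    <linux:rpminfo_test id="oval:example:tst:1" version="1" check="all" comment="c"/>
    <iosxe:version_test id="oval:example:tst:2" version="1" check="all" comment="c"/>
  </tests>
</oval_definitions>"""

def split_tag(tag):
    """'{base#family}local' -> (base, family, local); family is '' for the core namespace."""
    ns, _, local = tag[1:].partition("}")
    base, _, family = ns.partition("#")
    return base, family, local

def inventory(source):
    """Count definition classes, affected families and test families; iterparse streams the file."""
    if isinstance(source, bytes):
        source = io.BytesIO(source)
    counts = {"classes": Counter(), "affected": Counter(), "test_families": Counter()}
    for _, elem in ET.iterparse(source, events=("end",)):
        base, family, local = split_tag(elem.tag)
        if base == OVAL_DEF_NS:
            if local == "definition" and not family:
                counts["classes"][elem.get("class")] += 1
            elif local == "affected" and not family:
                counts["affected"][elem.get("family")] += 1
            elif local.endswith("_test") and family:
                counts["test_families"][family] += 1
        elem.clear()  # children were already counted at their own end events; keep memory flat
    return counts

def unsupported_test_families(counts, supported):
    """Test families present in the file that the scanner is assumed not to implement."""
    return sorted(f for f in counts["test_families"] if f not in supported)
```

`inventory()` also accepts a file path, so `inventory("unix.xml")` runs over a downloaded bundle in bounded memory.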

From: open-scap-list-boun...@redhat.com <open-scap-list-boun...@redhat.com> On 
Behalf Of Tim
Sent: Wednesday, August 14, 2019 11:48 PM
To: open-scap-list@redhat.com
Subject: [Open-scap] Trouble Scanning OVAL from CIS Repository

Another issue has come up while attempting to scan a Fedora-based system
using the quasi-official OVAL collection at CIS:

https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip

After extracting the XML and using a command such as:

oscap oval eval --report report.html --results results.xml
--fetch-remote-resources oval.xml

the oscap utility spends about an hour and a half parsing the 213MB of
data, then says in the end that the definitions are invalid and so
refuses to do the scan.

When I use --fetch-remote-resources, the following message is repeated
158 times. Alas the code apparently does not contemplate OVAL files with
more than 65535 lines, so the line numbers are all the same (the actual
number of lines is about 3 million):

File 'oval.xml' line 65535: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string':
This element is not expected. Expected is one of (
{http://www.w3.org/2000/09/xmldsig#}Signature,
{http://oval.mitre.org/XMLSchema/oval-common-5}notes,
{http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release
 ).

If I omit --fetch-remote-resources, there are a few different errors,
but I guess those don't matter so much?

So... what to do? Adding --skip-valid to the command doesn't seem like a
solution. If I do that the scan fails almost immediately with:

W: oscap: Unknown OVAL family subtype: interim_fix
OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
[/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
Failed to import the OVAL Definitions from 'oval.xml'.
[/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]

Are there some additional definitions that need to be pulled in somehow?

Thanks!

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
