Following up, I find that even the unix.xml fails due to the use of
'interim_fix' in tests:

W: oscap: Unknown OVAL family subtype: interim_fix

OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
[oval_test.c:395]

Failed to import the OVAL Definitions from 'unix.xml'. [oval_session.c:245]

Looking at the OVAL file it seems that this element appears in 141 tests
intended for AIX, but there doesn't seem to be an easy way to filter
those out because of the relationships between tests, definitions, and
other elements. Is there a good way around that?

Thanks!

Tim
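
One way to filter a bundle along the cross-references Tim describes, as an added example that is not code from this thread, from OpenSCAP or from CIS: the script below drops every test whose element belongs to the OVAL 5.11 AIX component schema (the namespace that defines interim_fix_test), then every definition that depends on such a test directly or through extend_definition, and finally any object, state or variable that no surviving element references, so the trimmed file stays internally consistent. It generalizes the interim_fix case to a whole platform schema. The identifiers and element bodies in the embedded sample are constructed for illustration; the namespace URIs are the real ones.

```python
"""Prune an OVAL definitions file: drop tests from a component schema the scanner
cannot evaluate (here AIX, home of interim_fix_test), the definitions that depend
on them, and then every object, state or variable nothing references any more."""
import re
import sys
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Component schemas whose tests this host cannot run (add more as needed).
UNSUPPORTED_TEST_NS = {OVAL_DEF_NS + "#aix"}
# Any OVAL identifier: oval:<namespace>:<def|tst|obj|ste|var>:<number>
ID_RE = re.compile(r"^oval:[\w.\-]+:(def|tst|obj|ste|var):\d+$")
SECTIONS = ("definitions", "tests", "objects", "states", "variables")


def references(elem):
    """OVAL ids that elem or a descendant points at, in attributes (test_ref,
    definition_ref, object_ref, state_ref, var_ref) or in element text
    (object_reference, filter). The element's own id is excluded."""
    own = elem.get("id")
    refs = set()
    for node in elem.iter():
        for value in list(node.attrib.values()) + [(node.text or "").strip()]:
            if value != own and ID_RE.match(value):
                refs.add(value)
    return refs


def prune_oval(xml_text):
    """Return (pruned XML string, sorted dropped definition ids, set of kept ids)."""
    root = ET.fromstring(xml_text)
    sections = [s for s in (root.find(f"{{{OVAL_DEF_NS}}}{n}") for n in SECTIONS) if s is not None]
    elements = {child.get("id"): child for sec in sections for child in sec}
    # 1. Tests whose element lives in an unsupported component schema.
    dropped = {i for i, e in elements.items()
               if e.tag.endswith("_test") and e.tag[1:].split("}")[0] in UNSUPPORTED_TEST_NS}
    # 2. Definitions that reference a dropped test or a dropped definition; loop
    #    until stable so chains of extend_definition are followed.
    changed = True
    while changed:
        changed = False
        for i, e in elements.items():
            if ":def:" in i and i not in dropped and references(e) & dropped:
                dropped.add(i)
                changed = True
    # 3. Keep only what a surviving definition still reaches; the rest are orphans.
    kept, stack = set(), [i for i in elements if ":def:" in i and i not in dropped]
    while stack:
        i = stack.pop()
        if i in kept or i in dropped or i not in elements:
            continue
        kept.add(i)
        stack.extend(references(elements[i]))
    for sec in sections:
        for child in list(sec):
            if child.get("id") not in kept:
                sec.remove(child)
    return ET.tostring(root, encoding="unicode"), sorted(i for i in dropped if ":def:" in i), kept


# Constructed sample (ids and element bodies are illustrative, not taken from the
# CIS repository); the namespace URIs are the real OVAL 5.11 ones.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:aix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#aix"
 xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
<definitions>
 <definition id="oval:example:def:1" version="1" class="vulnerability">
  <criteria><criterion test_ref="oval:example:tst:1"/></criteria></definition>
 <definition id="oval:example:def:2" version="1" class="vulnerability">
  <criteria operator="OR"><criterion test_ref="oval:example:tst:2"/>
   <extend_definition definition_ref="oval:example:def:1"/></criteria></definition>
 <definition id="oval:example:def:3" version="1" class="vulnerability">
  <criteria><criterion test_ref="oval:example:tst:2"/></criteria></definition>
</definitions>
<tests>
 <aix-def:interim_fix_test id="oval:example:tst:1" version="1" check="all">
  <aix-def:object object_ref="oval:example:obj:1"/></aix-def:interim_fix_test>
 <unix-def:file_test id="oval:example:tst:2" version="1" check="all">
  <unix-def:object object_ref="oval:example:obj:2"/>
  <unix-def:state state_ref="oval:example:ste:1"/></unix-def:file_test>
</tests>
<objects>
 <aix-def:interim_fix_object id="oval:example:obj:1" version="1"/>
 <unix-def:file_object id="oval:example:obj:2" version="1">
  <unix-def:filepath var_ref="oval:example:var:1"/></unix-def:file_object>
</objects>
<states><unix-def:file_state id="oval:example:ste:1" version="1"/></states>
<variables>
 <constant_variable id="oval:example:var:1" version="1" datatype="string">
  <value>/etc/passwd</value></constant_variable>
</variables>
</oval_definitions>"""

if __name__ == "__main__":
    # Usage: python prune_oval.py [input.xml] > pruned.xml; no argument uses the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OVAL
    pruned, dropped_defs, _kept = prune_oval(text)
    sys.stdout.write(pruned)
```

On the sample, def:1 goes because it uses the AIX test, def:2 goes because it extends def:1 even though its own test is a supported unix file_test, and def:3 survives together with the test, object, state and variable it reaches; the orphaned AIX object is pruned as well. ElementTree loads the whole document into memory, which is fine for the 35 MB per-family bundles but not for the full 213 MB export. Running `oscap oval validate` on the trimmed file before evaluating it confirms that no dangling references were left behind.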

On 8/16/19 4:51 PM, Tim Burress wrote:
> Thanks for looking into this! I didn't realize it was possible to
> download anything other than the full OVAL file, and was going to ask if
> maybe oscap could add a command-line option to choose the family or
> platform when evaluating an OVAL collection.
> 
> But looking more closely at the page I see that there are lots of
> categories. I just didn't scroll down far enough to see them, so thanks
> for that. It will help immensely.
> 
> Oh, I should say that we're also CIS members, so I thank you from that
> perspective as well!
> 
> Tim
> 
> On 8/15/19 10:35 PM, William Munyan wrote:
>> Tim,
>>
>> I guess the first thing I would ask is why you’re downloading the full
>> OVAL XML file.  That file, as you can see is huge, and contains ALL the
>> definitions in the entire repository.  I can make an educated guess that
>> your Fedora-based system doesn’t need to assess against every Windows
>> definition, Cisco IOS definition, etc.  You probably only want the ones
>> specific to your OS family, which in this case would be “unix”, and a
>> particular class of definitions; I would suggest “vulnerability” as this
>> is the most prevalent definition class in the repository.
>>
>> That bundle can be found here --
>> https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml
>> -- and is only about 35 MB
>>
>> Other definition classes and families are available as well, and I’d
>> definitely suggest trying different combinations of files to find the
>> correct information you’re looking to assess.  The full repository might
>> be a little too much to handle.
>>
>> I will take a look at the repository source (it’s all in GitHub) and see
>> if I can find some ways to parse the full content and see where some of
>> the validation issues might be.
>>
>> Cheers,
>>
>> -Bill M
>>
>> *Bill Munyan*
>>
>> Solutions Architect; Security Best Practices
>>
>> 31 Tech Valley Drive
>>
>> East Greenbush, NY 12061
>>
>> william.mun...@cisecurity.org <mailto:william.mun...@cisecurity.org>
>>
>> (518) 516-6128 (w)
>>
>> (518) 281-1233 (c)
>>
>> *From:* open-scap-list-boun...@redhat.com
>> <open-scap-list-boun...@redhat.com> *On Behalf Of* Tim
>> *Sent:* Wednesday, August 14, 2019 11:48 PM
>> *To:* open-scap-list@redhat.com
>> *Subject:* [Open-scap] Trouble Scanning OVAL from CIS Repository
>>
>> Another issue has come up while attempting to scan a Fedora-based system
>> using the quasi-official OVAL collection at CIS:
>>
>> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
>>
>> After extracting the XML and using a command such as:
>>
>> oscap oval eval --report report.html --results results.xml
>> --fetch-remote-resources oval.xml
>>
>> the oscap utility spends about an hour and a half parsing the 213MB of
>> data, then says in the end that the definitions are invalid and so
>> refuses to do the scan.
>>
>> When I use --fetch-remote-resources, the following message is repeated
>> 158 times. Alas the code apparently does not contemplate OVAL files with
>> more than 65535 lines, so the line numbers are all the same (the actual
>> number of lines is about 3 million):
>>
>> File 'oval.xml' line 65535: Element
>> '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string:
>> This element is not expected. Expected is one of (
>> {http://www.w3.org/2000/09/xmldsig#}Signature,
>> {http://oval.mitre.org/XMLSchema/oval-common-5}notes,
>> {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).
>>
>> If I omit --fetch-remote-resources, there are a few different errors,
>> but I guess those don't matter so much?
>>
>> So... what to do? Adding --skip-valid to the command doesn't seem like a
>> solution. If I do that the scan fails almost immediately with:
>>
>> W: oscap: Unknown OVAL family subtype: interim_fix
>> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
>> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
>> Failed to import the OVAL Definitions from 'oval.xml'.
>> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]
>>
>> Are there some additional definitions that need to be pulled in somehow?
>>
>> Thanks!
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list@redhat.com <mailto:Open-scap-list@redhat.com>
>> https://www.redhat.com/mailman/listinfo/open-scap-list
>>
> 