Hi Watson,

Thank you for the reply and for investing time on this.

Agreed, the OVAL code component is missing. Is there any file you know of which can check CIS benchmarking for Ubuntu (with all dependencies)? My aim was to scan and patch as per CIS benchmarking.

Best Regards,
Ravi Rathore
+91-9741288815

On Mon, Mar 2, 2020 at 4:22 PM Watson Sato <ws...@redhat.com> wrote:

> On Sat, Feb 29, 2020 at 1:26 PM Ravi Rathore <ravi.rathor...@gmail.com> wrote:
>
>> Hello Team,
>
> Hello Ravi,
>
>> I am using Ubuntu 16.04.6 LTS and want to use openscap to scan against
>> DISA Stig file.
>>
>> File location - wget
>> https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Canonical_Ubuntu_16-04_LTS_V1R3_STIG.zip
>
> The content linked above contains only the XCCDF Benchmark, there are no
> OVAL checks, so OpenSCAP can't check anything.
>
> As far as I know, the STIG content listed in public.cyber.mil doesn't
> contain automated checks.
> https://public.cyber.mil/stigs/faqs/#toggle-id-19
>
> "... to enable STIG consumption by tools where both compliance and
> configuration remediation can be automated with the addition of OVAL code."
>
>> When I initiate scan "oscap xccdf eval --profile MAC-1_Public
>> U_Canonical_Ubuntu_16-04_LTS_STIG_V1R3_Manual-xccdf.xml" --------> I see
>> result but all checks are *not checked*.
>>
>> Can someone help me in running this scan successfully? Thanks in
>> advance.
>>
>> Also the reason why I am failing.
>>
>> Output I see after executing - "oscap xccdf eval --profile
>> MAC-1_Public U_Canonical_Ubuntu_16-04_LTS_STIG_V1R3_Manual-xccdf.xml"
>>
>> Title *The Ubuntu operating system must be a vendor supported release.*
>> Rule SV-90069r1_rule
>> Ident CCI-001230
>> Result notchecked ------ *not checked*
>>
>> Title *Ubuntu vendor packaged system security patches and updates must
>> be installed and up to date.*
>> Rule SV-90071r5_rule
>> Ident CCI-000366
>> Result *notchecked.* ------ *not checked*
>>
>> Title *The Ubuntu operating system must display the Standard Mandatory
>> DoD Notice and Consent Banner before granting local or remote access to the
>> system via a graphical user logon.*
>> Rule SV-90073r3_rule
>> Ident CCI-000048
>> Ident CCI-001384
>> Ident CCI-001385
>> Ident CCI-001386
>> Ident CCI-001387
>> Ident CCI-001388
>> Result *notchecked* ------ *not checked*
>>
>> -> I was able to download openscap base via
>>
>> apt-get install libopenscap8
>>
>> -> I visited openscap home page, I tried to download SCAP Security
>> guide via apt install ssg-base ssg-debderived ssg-debian ssg-nondebian
>> ssg-applications
>> *Unable to locate package!* also its description at the website says ubuntu
>> 18 +
>>
>> -> Tried to install workbench hoping SSG will get downloaded as
>> dependency via apt-get install scap-workbench
>>
>> But again - *Unable to locate package* (this time it should have
>> worked, website says ubuntu 17 +)
>>
>> *Few details about Environment :-*
>>
>> *oscap -V*
>>
>> OpenSCAP command line tool (oscap) 1.2.8
>> Copyright 2009--2016 Red Hat Inc., Durham, North Carolina.
>>
>> ==== Supported specifications ====
>> XCCDF Version: 1.2
>> OVAL Version: 5.11.1
>> CPE Version: 2.3
>> CVSS Version: 2.0
>> CVE Version: 2.0
>> Asset Identification Version: 1.1
>> Asset Reporting Format Version: 1.1
>>
>> ==== Capabilities added by auto-loaded plugins ====
>> SCE Version: 1.0 (from libopenscap_sce.so.8)
>>
>> ==== Paths ====
>> Schema files: /usr/share/openscap/schemas
>> Default CPE files: /usr/share/openscap/cpe
>> Probes: /usr/lib/x86_64-linux-gnu/openscap
>>
>> ==== Inbuilt CPE names ====
>> Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
>> Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
>> Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
>> Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
>> Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
>> Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
>> Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
>> Scientific Linux 5 - cpe:/o:scientificlinux:scientificlinux:5
>> Scientific Linux 6 - cpe:/o:scientificlinux:scientificlinux:6
>> Scientific Linux 7 - cpe:/o:scientificlinux:scientificlinux:7
>> Fedora 16 - cpe:/o:fedoraproject:fedora:16
>> Fedora 17 - cpe:/o:fedoraproject:fedora:17
>> Fedora 18 - cpe:/o:fedoraproject:fedora:18
>> Fedora 19 - cpe:/o:fedoraproject:fedora:19
>> Fedora 20 - cpe:/o:fedoraproject:fedora:20
>> Fedora 21 - cpe:/o:fedoraproject:fedora:21
>> Fedora 22 - cpe:/o:fedoraproject:fedora:22
>> Fedora 23 - cpe:/o:fedoraproject:fedora:23
>> Fedora 24 - cpe:/o:fedoraproject:fedora:24
>> SUSE Linux Enterprise all versions - cpe:/o:suse:sle
>> SUSE Linux Enterprise Server 10 - cpe:/o:suse:sles:10
>> SUSE Linux Enterprise Desktop 10 - cpe:/o:suse:sled:10
>> SUSE Linux Enterprise Server 11 - cpe:/o:suse:sles:11
>> SUSE Linux Enterprise Desktop 11 - cpe:/o:suse:sled:11
>> SUSE Linux Enterprise Server 12 - cpe:/o:suse:sles:12
>> SUSE Linux Enterprise Desktop 12 - cpe:/o:suse:sled:12
>> openSUSE 11.4 - cpe:/o:opensuse:opensuse:11.4
>> openSUSE 13.1 - cpe:/o:opensuse:opensuse:13.1
>> openSUSE 13.2 - cpe:/o:opensuse:opensuse:13.2
>> openSUSE All Versions - cpe:/o:opensuse:opensuse
>> Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
>> Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5
>>
>> *oscap info U_Canonical_Ubuntu_16-04_LTS_STIG_V1R3_Manual-xccdf.xml*
>>
>> Document type: XCCDF Checklist
>> Checklist version: 1.1
>> Imported: 2019-12-26T06:17:00
>> Status: accepted
>> Generated: 2019-12-23
>> Resolved: false
>> Profiles:
>>     MAC-1_Classified
>>     MAC-1_Public
>>     MAC-1_Sensitive
>>     MAC-2_Classified
>>     MAC-2_Public
>>     MAC-2_Sensitive
>>     MAC-3_Classified
>>     MAC-3_Public
>>     MAC-3_Sensitive
>> Referenced check files:
>>     DPMS_XCCDF_Benchmark_Canonical_Ubuntu_16-04_LTS.xml
>>         system: C-75133r1_chk
>>     DPMS_XCCDF_Benchmark_Canonical_Ubuntu_16-04_LTS.xml
>> ............truncated output--------------------
>>
>> Best Regards,
>> Ravi Rathore
>> +91-9741288815
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
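Added example, not part of the original thread and not OpenSCAP code: a pre-scan check that reads an XCCDF benchmark and reports which rules carry a check the scanner can evaluate (OVAL or SCE) and which carry only a manual check, which is the case Watson describes and the reason every result above is notchecked. The sample benchmark is constructed (the pairing of SV-90069r1_rule with check system C-75133r1_chk and the second rule are assumptions for illustration), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Check-system URIs that oscap evaluates automatically (OVAL, and SCE via plugin).
AUTOMATED_SYSTEMS = {
    "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "http://open-scap.org/page/SCE",
}

# Constructed sample, not the real STIG: one rule shaped like the manual
# benchmark in the thread (per-rule check system such as C-75133r1_chk), one
# hypothetical rule that references an OVAL definition.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed">
  <Group id="constructed_group_1">
    <Rule id="SV-90069r1_rule">
      <check system="C-75133r1_chk">
        <check-content-ref name="M"
            href="DPMS_XCCDF_Benchmark_Canonical_Ubuntu_16-04_LTS.xml"/>
        <check-content>Constructed manual procedure text.</check-content>
      </check>
    </Rule>
    <Rule id="constructed_rule_with_oval">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:constructed:def:1" href="constructed-oval.xml"/>
      </check>
    </Rule>
  </Group>
</Benchmark>"""

def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]

def classify_rules(xccdf_text):
    """Map each Rule id to 'automated', 'manual' or 'no-check'."""
    # For files from untrusted sources, parse with a hardened parser instead.
    root = ET.fromstring(xccdf_text)
    result = {}
    for rule in (e for e in root.iter() if _local(e.tag) == "Rule"):
        systems = [c.get("system", "") for c in rule.iter() if _local(c.tag) == "check"]
        if any(s in AUTOMATED_SYSTEMS for s in systems):
            result[rule.get("id")] = "automated"
        else:
            result[rule.get("id")] = "manual" if systems else "no-check"
    return result

def notchecked_rules(xccdf_text):
    """Rule ids a scanner has nothing to evaluate for."""
    return [rid for rid, kind in classify_rules(xccdf_text).items() if kind != "automated"]

if __name__ == "__main__":
    for rid, kind in classify_rules(SAMPLE_XCCDF).items():
        print(f"{rid}: {kind}")
```

If every rule in a benchmark comes back as manual, the file is a checklist for human review and needs accompanying OVAL content before an automated scan can return pass or fail.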