Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-18 Thread Tim Burress 
Thanks for your note and expecially the code! I looked at the
OS-specific files but they seem to be little more than placeholders:
many of the ones I looked at don't seem to have any content at all
unless it's being pulled in by reference somehow.

The openscap tests have already proven very useful for compliance
checking, so I thought it would be good to try the vulnerability class
as well. I will try this transform. Thanks very much!

Tim

On 8/17/19 1:07 AM, Gary Gapinski wrote:
> On 8/16/19 4:32 AM, Tim Burress wrote:
>> Following up, I find that even the unix.xml fails due to the use of
>> 'interim_fix' in tests:
>>
>> W: oscap: Unknown OVAL family subtype: interim_fix
>>
>> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
>> [oval_test.c:395]
>>
>> Failed to import the OVAL Definitions from 'unix.xml'. [oval_session.c:245]
>>
>> Looking at the OVAL file it seems that this element appears in 141 tests
>> intended for AIX, but there doesn't seem to be an easy way to filter
>> those out because of the relationships between tests, definitions, and
>> other elements. Is there a good way around that?
> 
> A more polite way to accommodate such tests would be for oscap to handle
> such as a soft error.
> 
> That unix.xml file is likely more and less than you want. Try using one
> of the more specific files appropriate for the operating system to be
> evaluated.
> 
> oscap fails to run if AIX related content is present. The following XSL
> transform will discard AIX-related content (in unix.xml if you must use
> that).
> 
> 
> http://www.w3.org/1999/XSL/Transform"; 
> version="1.0" 
> xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5";
> xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"; 
> xmlns:aix="http://oval.mitre.org/XMLSchema/oval-definitions-5#aix";>
>  match="oval-def:definition[descendant::oval-def:criterion/@test_ref = 
> //aix:*/@id]">
> Definition  select="@id"/> removed
> 
> 
>  
>  
> removed
> 
> 
> 
> 
> 
> 
> 
> 
> 
> The transform is XSLT 1.0 in order to allow xsltproc to be used. Be
> advised that the transform takes quite a while to process with xsltproc.
> 
> gapinski@nuc7i7bnh:~/OVAL$ time xsltproc --novalid --output test.xml 
> strip.xsl unix.xml
> 
> real  3m15.891s
> user  3m14.355s
> sys   0m0.564s
> 
> And when using oscap to evaluate, skip the validation step to save time:
> 
> gapinski@nuc7i7bnh:~/OVAL$ time oscap oval validate test.xml
> 
> real  0m51.636s
> user  0m51.458s
> sys   0m0.104s
> gapinski@nuc7i7bnh:~/OVAL$ time oscap oval eval --skip-valid --report 
> report.html test.xml >/dev/null 2>&1
> 
> real  0m5.757s
> user  0m2.673s
> sys   0m1.571s
> 
> Finally, it appears (to me) that the evaluation results are not
> pleasant. YMMV.
> 
> Regards,
> 
> Gary
> 




___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-16 Thread Tim Burress 
Following up, I find that even the unix.xml fails due to the use of
'interim_fix' in tests:

W: oscap: Unknown OVAL family subtype: interim_fix

OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
[oval_test.c:395]

Failed to import the OVAL Definitions from 'unix.xml'. [oval_session.c:245]

Looking at the OVAL file it seems that this element appears in 141 tests
intended for AIX, but there doesn't seem to be an easy way to filter
those out because of the relationships between tests, definitions, and
other elements. Is there a good way around that?

Thanks!

Tim

On 8/16/19 4:51 PM, Tim Burress wrote:
> Thanks for looking into this! I didn't realize it was possible to
> download anything other than the full OVAL file, and was going to ask if
> maybe oscap could add a command-line option to choose the family or
> platform when evaluating an OVAL collection.
> 
> But looking more closely at the page I see that there are lots of
> categories. I just didn't scroll down far enough to see them, so thanks
> for that. It will help immensely.
> 
> Oh, I should say that we're also CIS members, so I thank you from that
> perspective as well!
> 
> Tim
> 
> On 8/15/19 10:35 PM, William Munyan wrote:
>> Tim,
>>
>> I guess the first thing I would ask is why you’re downloading the full
>> OVAL XML file.  That file, as you can see is huge, and contains ALL the
>> definitions in the entire repository.  I can make an educated guess that
>> your Fedora-based system doesn’t need to assess against every Windows
>> definition, Cisco IOS definition, etc.  You probably only want the ones
>> specific to your OS family, which in this case would be “unix”, and a
>> particular class of definitions; I would suggest “vulnerability” as this
>> is the most prevalent definition class in the repository.
>>
>>  
>>
>> That bundle can be found here --
>> https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml
>> -- and is only about 35 MB
>>
>>  
>>
>> Other definition classes and families are available as well, and I’d
>> definitely suggest trying different combinations of files to find the
>> correct information you’re looking to assess.  The full repository might
>> be a little too much to handle.
>>
>>  
>>
>> I will take a look at the repository source (it’s all in GitHub) and see
>> if I can find some ways to parse the full content and see where some of
>> the validation issues might be.
>>
>>  
>>
>> Cheers,
>>
>> -Bill M
>>
>>  
>>
>> *Bill Munyan*
>>
>> Solutions Architect; Security Best Practices
>>
>> 31 Tech Valley Drive
>>
>> East Greenbush, NY 12061
>>
>>  
>>
>> william.mun...@cisecurity.org <mailto:william.mun...@cisecurity.org>
>>
>> (518) 516-6128 (w)
>>
>> (518) 281-1233 (c)
>>
>> CIS_WEB_Logo_Type_RGB_Flat <https://www.cisecurity.org/>
>>
>>    CIS Email Icons 01_23-02
>> <https://www.facebook.com/CenterforIntSec>CIS Email Icons 01_23-03
>> <https://twitter.com/CISecurity>   CIS Email Icons 01_23-04
>> <https://www.youtube.com/user/TheCISecurity>CIS Email Icons 01_23-05
>> <https://www.linkedin.com/company/the-center-for-internet-security>
>>
>>  
>>
>> *From:*open-scap-list-boun...@redhat.com
>>  *On Behalf Of *Tim
>> *Sent:* Wednesday, August 14, 2019 11:48 PM
>> *To:* open-scap-list@redhat.com
>> *Subject:* [Open-scap] Trouble Scanning OVAL from CIS Repository
>>
>>  
>>
>>
>>
>>
>> Another issue has come up while attempting to scan a Fedora-based system
>> using the quasi-official OVAL collection at CIS:
>>
>> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
>>
>> After extracting the XML and using a command such as:
>>
>> oscap oval eval --report report.html --results results.xml
>> --fetch-remote-resources oval.xml
>>
>> the oscap utility spends about an hour and a half parsing the 213MB of
>> data, then says in the end that the definitions are invalid and so
>> refuses to do the scan.
>>
>> When I use --fetch-remote-resources, the following message is repeated
>> 158 times. Alas the code apparently does not contemplate OVAL files with
>> more than 65535 lines, so the line numbers are all the same (the actual
>> number of lines is about 3 million):
>>
>> File 'oval.xml' line 65535: Element
>> '{http://oval.mitre.org/XMLSc

Re: [Open-scap] Questions about OVAL

2019-08-16 Thread Tim Burress 
Thanks for your help. I can see that becoming "fluent" in this is going
to take some time, but it certainly looks worth doing.

Tim

On 8/15/19 8:58 PM, Jan Cerny wrote:
> Hi,
> 
> On Tue, Aug 13, 2019 at 4:53 AM Tim Burress  wrote:
>>
>> Hello,
>>
>> I'm trying to learn my way around SCAP just now, with the main focus
>> right now on scans of Linux-based systems using oscap and the related
>> tools. I'm hitting a bit of a wall when it comes to writing OVAL content
>> and just wondered if someone could point me to resources that unpack
>> things from the perspective of someone accustomed to writing software in
>> "normal" programming languages?
> 
> I'm not aware of any comprehensive book about that.
> 
> The official website can be a good start:
> - https://oval.mitre.org/
> 
> We have created a tutorial for Red Hat Summit about ComplianceAsCode,
> which also mentions OVAL:
> - 
> https://github.com/RedHatDemos/SecurityDemos/tree/master/2019Labs/CustomSecurityContent/documentation
> 
>>
>> Some more-or-less specific questions:
>>
>> o In an object definition like this (condensed from OVAL found in SSG,
>> where B is a local variable containing a set of file paths):
>>
>> 
>> 
>> ^0$
>> 1
>> 
>>
>> what is the function of var_check="at least one"? I assume that this is
>> a condition being applied to the value of the variable B, saying that it
>> must have at least one member, but what happens if the variable B is an
>> empty set?
> 
> When var_check is set to "at least one" it means that for a file to be
> matched its file path must be equal to at least one of the members of
> variable B.
> 
> If the variable B is an empty set, the object will be evaluated as
> "does not exist".
> 
> var_check is described here:
> https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html
> - search for var_check in section
> EntityAttributeGroup.
> 
>>
>> o Basic question: is the order in which entities appear in a file of
>> OVAL content irrelevant? Given that they are all tagged with types and
>> ID strings it seems like this would be the case, but OVAL is a new world
>> where many things are not what they seem, so I thought I would check.
> 
> The order of objects, states, variables etc. is irrelevant. For
> example, it doesn't matter if object id=1 is defined before or after
> object id=2.
> 
> However, the order of different child elements matters. For example,
> within  element the 
> element must always be before  element. OpenSCAP will
> tell you if you put elements in a wrong order, because it performs XML
> validation each time.
> 
>>
>> o Is there a tool that allows you to debug OVAL at runtime? That is,
>> much like any other debugger, to set breakpoints and examine the values
>> of objects/variables/etc at runtime?
> 
> We don't have any tool. We usually run OpenSCAP with --verbose, or we
> generate the XML results and we analyse the results.
> 
>>
>> o Is there a document/book/tutorial that guides a person through
>> creating complex OVAL rules (preferably on Linux systems)? Most of the
>> examples I've found on the web are of the very simple "Hello World"
>> variety, so lead to more questions than they answer. Something that
>> walks through even just how to *think* about solving problems in OVAL
>> would be helpful at this point.
> 
> I also wish there was something like that. Try to get inspired by the
> existing rules in SSG. If you have any further question, feel free to
> ask here anytime.
> 
> Regards
> 
> 
>>
>> Thanks!
>>
>>
>>
>> ___
>> Open-scap-list mailing list
>> Open-scap-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
> 
> 
> 




___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-16 Thread Tim Burress 
Thanks for looking into this! I didn't realize it was possible to
download anything other than the full OVAL file, and was going to ask if
maybe oscap could add a command-line option to choose the family or
platform when evaluating an OVAL collection.

But looking more closely at the page I see that there are lots of
categories. I just didn't scroll down far enough to see them, so thanks
for that. It will help immensely.

Oh, I should say that we're also CIS members, so I thank you from that
perspective as well!

Tim

On 8/15/19 10:35 PM, William Munyan wrote:
> Tim,
> 
> I guess the first thing I would ask is why you’re downloading the full
> OVAL XML file.  That file, as you can see is huge, and contains ALL the
> definitions in the entire repository.  I can make an educated guess that
> your Fedora-based system doesn’t need to assess against every Windows
> definition, Cisco IOS definition, etc.  You probably only want the ones
> specific to your OS family, which in this case would be “unix”, and a
> particular class of definitions; I would suggest “vulnerability” as this
> is the most prevalent definition class in the repository.
> 
>  
> 
> That bundle can be found here --
> https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml
> -- and is only about 35 MB
> 
>  
> 
> Other definition classes and families are available as well, and I’d
> definitely suggest trying different combinations of files to find the
> correct information you’re looking to assess.  The full repository might
> be a little too much to handle.
> 
>  
> 
> I will take a look at the repository source (it’s all in GitHub) and see
> if I can find some ways to parse the full content and see where some of
> the validation issues might be.
> 
>  
> 
> Cheers,
> 
> -Bill M
> 
>  
> 
> *Bill Munyan*
> 
> Solutions Architect; Security Best Practices
> 
> 31 Tech Valley Drive
> 
> East Greenbush, NY 12061
> 
>  
> 
> william.mun...@cisecurity.org 
> 
> (518) 516-6128 (w)
> 
> (518) 281-1233 (c)
> 
> CIS_WEB_Logo_Type_RGB_Flat 
> 
>    CIS Email Icons 01_23-02
> CIS Email Icons 01_23-03
>    CIS Email Icons 01_23-04
> CIS Email Icons 01_23-05
> 
> 
>  
> 
> *From:*open-scap-list-boun...@redhat.com
>  *On Behalf Of *Tim
> *Sent:* Wednesday, August 14, 2019 11:48 PM
> *To:* open-scap-list@redhat.com
> *Subject:* [Open-scap] Trouble Scanning OVAL from CIS Repository
> 
>  
> 
> 
> 
> 
> Another issue has come up while attempting to scan a Fedora-based system
> using the quasi-official OVAL collection at CIS:
> 
> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
> 
> After extracting the XML and using a command such as:
> 
> oscap oval eval --report report.html --results results.xml
> --fetch-remote-resources oval.xml
> 
> the oscap utility spends about an hour and a half parsing the 213MB of
> data, then says in the end that the definitions are invalid and so
> refuses to do the scan.
> 
> When I use --fetch-remote-resources, the following message is repeated
> 158 times. Alas the code apparently does not contemplate OVAL files with
> more than 65535 lines, so the line numbers are all the same (the actual
> number of lines is about 3 million):
> 
> File 'oval.xml' line 65535: Element
> '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string:
> This element is not expected. Expected is one of (
> {http://www.w3.org/2000/09/xmldsig#}Signature,
> {http://oval.mitre.org/XMLSchema/oval-common-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).
> 
> If I omit --fetch-remote-resources, there are a few different errors,
> but I guess those don't matter so much?
> 
> So... what to do? Adding --skip-valid to the command doesn't seem like a
> solution. If I do that the scan fails almost immediately with:
> 
> W: oscap: Unknown OVAL family subtype: interim_fix
> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
> Failed to import the OVAL Definitions from 'oval.xml'.
> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]
> 
> Are there some additional definitions that need to be pulled in somehow?
> 
> Thanks!
> 
> 
> 
> 
> 
> _

[Open-scap] Questions about OVAL

2019-08-12 Thread Tim Burress 
Hello,

I'm trying to learn my way around SCAP just now, with the main focus
right now on scans of Linux-based systems using oscap and the related
tools. I'm hitting a bit of a wall when it comes to writing OVAL content
and just wondered if someone could point me to resources that unpack
things from the perspective of someone accustomed to writing software in
"normal" programming languages?

Some more-or-less specific questions:

o In an object definition like this (condensed from OVAL found in SSG,
where B is a local variable containing a set of file paths):



^0$
1


what is the function of var_check="at least one"? I assume that this is
a condition being applied to the value of the variable B, saying that it
must have at least one member, but what happens if the variable B is an
empty set?

o Basic question: is the order in which entities appear in a file of
OVAL content irrelevant? Given that they are all tagged with types and
ID strings it seems like this would be the case, but OVAL is a new world
where many things are not what they seem, so I thought I would check.

o Is there a tool that allows you to debug OVAL at runtime? That is,
much like any other debugger, to set breakpoints and examine the values
of objects/variables/etc at runtime?

o Is there a document/book/tutorial that guides a person through
creating complex OVAL rules (preferably on Linux systems)? Most of the
examples I've found on the web are of the very simple "Hello World"
variety, so lead to more questions than they answer. Something that
walks through even just how to *think* about solving problems in OVAL
would be helpful at this point.

Thanks!



___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list