subject:"\[Open\-scap\] Trouble Scanning OVAL from CIS Repository"

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-18 Thread Tim Burress

Thanks for your note and expecially the code! I looked at the
OS-specific files but they seem to be little more than placeholders:
many of the ones I looked at don't seem to have any content at all
unless it's being pulled in by reference somehow.

The openscap tests have already proven very useful for compliance
checking, so I thought it would be good to try the vulnerability class
as well. I will try this transform. Thanks very much!

Tim

On 8/17/19 1:07 AM, Gary Gapinski wrote:
> On 8/16/19 4:32 AM, Tim Burress wrote:
>> Following up, I find that even the unix.xml fails due to the use of
>> 'interim_fix' in tests:
>>
>> W: oscap: Unknown OVAL family subtype: interim_fix
>>
>> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
>> [oval_test.c:395]
>>
>> Failed to import the OVAL Definitions from 'unix.xml'. [oval_session.c:245]
>>
>> Looking at the OVAL file it seems that this element appears in 141 tests
>> intended for AIX, but there doesn't seem to be an easy way to filter
>> those out because of the relationships between tests, definitions, and
>> other elements. Is there a good way around that?
> 
> A more polite way to accommodate such tests would be for oscap to handle
> such as a soft error.
> 
> That unix.xml file is likely more and less than you want. Try using one
> of the more specific files appropriate for the operating system to be
> evaluated.
> 
> oscap fails to run if AIX related content is present. The following XSL
> transform will discard AIX-related content (in unix.xml if you must use
> that).
> 
> 
> http://www.w3.org/1999/XSL/Transform"; 
> version="1.0" 
> xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5";
> xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"; 
> xmlns:aix="http://oval.mitre.org/XMLSchema/oval-definitions-5#aix";>
>  match="oval-def:definition[descendant::oval-def:criterion/@test_ref = 
> //aix:*/@id]">
> Definition  select="@id"/> removed
> 
> 
>  
>  
> removed
> 
> 
> 
> 
> 
> 
> 
> 
> 
> The transform is XSLT 1.0 in order to allow xsltproc to be used. Be
> advised that the transform takes quite a while to process with xsltproc.
> 
> gapinski@nuc7i7bnh:~/OVAL$ time xsltproc --novalid --output test.xml 
> strip.xsl unix.xml
> 
> real  3m15.891s
> user  3m14.355s
> sys   0m0.564s
> 
> And when using oscap to evaluate, skip the validation step to save time:
> 
> gapinski@nuc7i7bnh:~/OVAL$ time oscap oval validate test.xml
> 
> real  0m51.636s
> user  0m51.458s
> sys   0m0.104s
> gapinski@nuc7i7bnh:~/OVAL$ time oscap oval eval --skip-valid --report 
> report.html test.xml >/dev/null 2>&1
> 
> real  0m5.757s
> user  0m2.673s
> sys   0m1.571s
> 
> Finally, it appears (to me) that the evaluation results are not
> pleasant. YMMV.
> 
> Regards,
> 
> Gary
> 




___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-16 Thread Gary Gapinski

On 8/16/19 4:32 AM, Tim Burress wrote:

Following up, I find that even the unix.xml fails due to the use of
'interim_fix' in tests:

W: oscap: Unknown OVAL family subtype: interim_fix

OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
[oval_test.c:395]

Failed to import the OVAL Definitions from 'unix.xml'. [oval_session.c:245]

Looking at the OVAL file it seems that this element appears in 141 tests
intended for AIX, but there doesn't seem to be an easy way to filter
those out because of the relationships between tests, definitions, and
other elements. Is there a good way around that?

A more polite way to accommodate such tests would be for oscap
to handle such as a soft error.

That unix.xml file is likely more and less than you want. Try
using one of the more specific files appropriate for the operating
system to be evaluated.
oscap fails to run if AIX related content is present.
The following XSL transform will discard AIX-related content (in
unix.xml if you must use that).

"http://www.w3.org/1999/XSL/Transform" version="1.0" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:aix="http://oval.mitre.org/XMLSchema/oval-definitions-5#aix">

Definition removed

removed

The transform is XSLT 1.0 in order to allow xsltproc to
be used. Be advised that the transform takes quite a while to
process with xsltproc.
gapinski@nuc7i7bnh:~/OVAL$ time xsltproc --novalid --output test.xml strip.xsl unix.xml

real 3m15.891s
user 3m14.355s
sys 0m0.564s

And when using oscap to evaluate, skip the validation
step to save time:
gapinski@nuc7i7bnh:~/OVAL$ time oscap oval validate test.xml

real 0m51.636s
user 0m51.458s
sys 0m0.104s
gapinski@nuc7i7bnh:~/OVAL$ time oscap oval eval --skip-valid --report report.html test.xml >/dev/null 2>&1

real 0m5.757s
user 0m2.673s
sys 0m1.571s

Finally, it appears (to me) that the evaluation results are not
pleasant. YMMV.
Regards,
Gary

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-16 Thread Tim Burress

Following up, I find that even the unix.xml fails due to the use of
'interim_fix' in tests:

W: oscap: Unknown OVAL family subtype: interim_fix

OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
[oval_test.c:395]

Failed to import the OVAL Definitions from 'unix.xml'. [oval_session.c:245]

Looking at the OVAL file it seems that this element appears in 141 tests
intended for AIX, but there doesn't seem to be an easy way to filter
those out because of the relationships between tests, definitions, and
other elements. Is there a good way around that?

Thanks!

Tim

On 8/16/19 4:51 PM, Tim Burress wrote:
> Thanks for looking into this! I didn't realize it was possible to
> download anything other than the full OVAL file, and was going to ask if
> maybe oscap could add a command-line option to choose the family or
> platform when evaluating an OVAL collection.
> 
> But looking more closely at the page I see that there are lots of
> categories. I just didn't scroll down far enough to see them, so thanks
> for that. It will help immensely.
> 
> Oh, I should say that we're also CIS members, so I thank you from that
> perspective as well!
> 
> Tim
> 
> On 8/15/19 10:35 PM, William Munyan wrote:
>> Tim,
>>
>> I guess the first thing I would ask is why you’re downloading the full
>> OVAL XML file.  That file, as you can see is huge, and contains ALL the
>> definitions in the entire repository.  I can make an educated guess that
>> your Fedora-based system doesn’t need to assess against every Windows
>> definition, Cisco IOS definition, etc.  You probably only want the ones
>> specific to your OS family, which in this case would be “unix”, and a
>> particular class of definitions; I would suggest “vulnerability” as this
>> is the most prevalent definition class in the repository.
>>
>>  
>>
>> That bundle can be found here --
>> https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml
>> -- and is only about 35 MB
>>
>>  
>>
>> Other definition classes and families are available as well, and I’d
>> definitely suggest trying different combinations of files to find the
>> correct information you’re looking to assess.  The full repository might
>> be a little too much to handle.
>>
>>  
>>
>> I will take a look at the repository source (it’s all in GitHub) and see
>> if I can find some ways to parse the full content and see where some of
>> the validation issues might be.
>>
>>  
>>
>> Cheers,
>>
>> -Bill M
>>
>>  
>>
>> *Bill Munyan*
>>
>> Solutions Architect; Security Best Practices
>>
>> 31 Tech Valley Drive
>>
>> East Greenbush, NY 12061
>>
>>  
>>
>> william.mun...@cisecurity.org <mailto:william.mun...@cisecurity.org>
>>
>> (518) 516-6128 (w)
>>
>> (518) 281-1233 (c)
>>
>> CIS_WEB_Logo_Type_RGB_Flat <https://www.cisecurity.org/>
>>
>>    CIS Email Icons 01_23-02
>> <https://www.facebook.com/CenterforIntSec>    CIS Email Icons 01_23-03
>> <https://twitter.com/CISecurity>   CIS Email Icons 01_23-04
>> <https://www.youtube.com/user/TheCISecurity>CIS Email Icons 01_23-05
>> <https://www.linkedin.com/company/the-center-for-internet-security>
>>
>>  
>>
>> *From:*open-scap-list-boun...@redhat.com
>>  *On Behalf Of *Tim
>> *Sent:* Wednesday, August 14, 2019 11:48 PM
>> *To:* open-scap-list@redhat.com
>> *Subject:* [Open-scap] Trouble Scanning OVAL from CIS Repository
>>
>>  
>>
>>
>>
>>
>> Another issue has come up while attempting to scan a Fedora-based system
>> using the quasi-official OVAL collection at CIS:
>>
>> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
>>
>> After extracting the XML and using a command such as:
>>
>> oscap oval eval --report report.html --results results.xml
>> --fetch-remote-resources oval.xml
>>
>> the oscap utility spends about an hour and a half parsing the 213MB of
>> data, then says in the end that the definitions are invalid and so
>> refuses to do the scan.
>>
>> When I use --fetch-remote-resources, the following message is repeated
>> 158 times. Alas the code apparently does not contemplate OVAL files with
>> more than 65535 lines, so the line numbers are all the same (the actual
>> number of lines is about 3 million):
>>
>> File 'oval.xml' line 65535: Element
>> '{http://oval.mitre.org/XMLSc

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-16 Thread Tim Burress

Thanks for looking into this! I didn't realize it was possible to
download anything other than the full OVAL file, and was going to ask if
maybe oscap could add a command-line option to choose the family or
platform when evaluating an OVAL collection.

But looking more closely at the page I see that there are lots of
categories. I just didn't scroll down far enough to see them, so thanks
for that. It will help immensely.

Oh, I should say that we're also CIS members, so I thank you from that
perspective as well!

Tim

On 8/15/19 10:35 PM, William Munyan wrote:
> Tim,
> 
> I guess the first thing I would ask is why you’re downloading the full
> OVAL XML file.  That file, as you can see is huge, and contains ALL the
> definitions in the entire repository.  I can make an educated guess that
> your Fedora-based system doesn’t need to assess against every Windows
> definition, Cisco IOS definition, etc.  You probably only want the ones
> specific to your OS family, which in this case would be “unix”, and a
> particular class of definitions; I would suggest “vulnerability” as this
> is the most prevalent definition class in the repository.
> 
>  
> 
> That bundle can be found here --
> https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml
> -- and is only about 35 MB
> 
>  
> 
> Other definition classes and families are available as well, and I’d
> definitely suggest trying different combinations of files to find the
> correct information you’re looking to assess.  The full repository might
> be a little too much to handle.
> 
>  
> 
> I will take a look at the repository source (it’s all in GitHub) and see
> if I can find some ways to parse the full content and see where some of
> the validation issues might be.
> 
>  
> 
> Cheers,
> 
> -Bill M
> 
>  
> 
> *Bill Munyan*
> 
> Solutions Architect; Security Best Practices
> 
> 31 Tech Valley Drive
> 
> East Greenbush, NY 12061
> 
>  
> 
> william.mun...@cisecurity.org <mailto:william.mun...@cisecurity.org>
> 
> (518) 516-6128 (w)
> 
> (518) 281-1233 (c)
> 
> CIS_WEB_Logo_Type_RGB_Flat <https://www.cisecurity.org/>
> 
>    CIS Email Icons 01_23-02
> <https://www.facebook.com/CenterforIntSec>CIS Email Icons 01_23-03
> <https://twitter.com/CISecurity>   CIS Email Icons 01_23-04
> <https://www.youtube.com/user/TheCISecurity>CIS Email Icons 01_23-05
> <https://www.linkedin.com/company/the-center-for-internet-security>
> 
>  
> 
> *From:*open-scap-list-boun...@redhat.com
>  *On Behalf Of *Tim
> *Sent:* Wednesday, August 14, 2019 11:48 PM
> *To:* open-scap-list@redhat.com
> *Subject:* [Open-scap] Trouble Scanning OVAL from CIS Repository
> 
>  
> 
> 
> 
> 
> Another issue has come up while attempting to scan a Fedora-based system
> using the quasi-official OVAL collection at CIS:
> 
> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
> 
> After extracting the XML and using a command such as:
> 
> oscap oval eval --report report.html --results results.xml
> --fetch-remote-resources oval.xml
> 
> the oscap utility spends about an hour and a half parsing the 213MB of
> data, then says in the end that the definitions are invalid and so
> refuses to do the scan.
> 
> When I use --fetch-remote-resources, the following message is repeated
> 158 times. Alas the code apparently does not contemplate OVAL files with
> more than 65535 lines, so the line numbers are all the same (the actual
> number of lines is about 3 million):
> 
> File 'oval.xml' line 65535: Element
> '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string:
> This element is not expected. Expected is one of (
> {http://www.w3.org/2000/09/xmldsig#}Signature,
> {http://oval.mitre.org/XMLSchema/oval-common-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).
> 
> If I omit --fetch-remote-resources, there are a few different errors,
> but I guess those don't matter so much?
> 
> So... what to do? Adding --skip-valid to the command doesn't seem like a
> solution. If I do that the scan fails almost immedi

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-15 Thread William Munyan

Tim,
I guess the first thing I would ask is why you’re downloading the full OVAL XML 
file.  That file, as you can see is huge, and contains ALL the definitions in 
the entire repository.  I can make an educated guess that your Fedora-based 
system doesn’t need to assess against every Windows definition, Cisco IOS 
definition, etc.  You probably only want the ones specific to your OS family, 
which in this case would be “unix”, and a particular class of definitions; I 
would suggest “vulnerability” as this is the most prevalent definition class in 
the repository.

That bundle can be found here -- 
https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml 
-- and is only about 35 MB

Other definition classes and families are available as well, and I’d definitely 
suggest trying different combinations of files to find the correct information 
you’re looking to assess.  The full repository might be a little too much to 
handle.

I will take a look at the repository source (it’s all in GitHub) and see if I 
can find some ways to parse the full content and see where some of the 
validation issues might be.

Cheers,
-Bill M

Bill Munyan
Solutions Architect; Security Best Practices
31 Tech Valley Drive
East Greenbush, NY 12061

william.mun...@cisecurity.org<mailto:william.mun...@cisecurity.org>
(518) 516-6128 (w)
(518) 281-1233 (c)
[CIS_WEB_Logo_Type_RGB_Flat]<https://www.cisecurity.org/>
   [CIS Email Icons 01_23-02] 
<https://www.facebook.com/CenterforIntSec> [CIS Email Icons 01_23-03] 
<https://twitter.com/CISecurity>[CIS Email Icons 01_23-04] 
<https://www.youtube.com/user/TheCISecurity> [CIS Email Icons 01_23-05] 
<https://www.linkedin.com/company/the-center-for-internet-security>

From: open-scap-list-boun...@redhat.com  On 
Behalf Of Tim
Sent: Wednesday, August 14, 2019 11:48 PM
To: open-scap-list@redhat.com
Subject: [Open-scap] Trouble Scanning OVAL from CIS Repository




Another issue has come up while attempting to scan a Fedora-based system
using the quasi-official OVAL collection at CIS:

https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip

After extracting the XML and using a command such as:

oscap oval eval --report report.html --results results.xml
--fetch-remote-resources oval.xml

the oscap utility spends about an hour and a half parsing the 213MB of
data, then says in the end that the definitions are invalid and so
refuses to do the scan.

When I use --fetch-remote-resources, the following message is repeated
158 times. Alas the code apparently does not contemplate OVAL files with
more than 65535 lines, so the line numbers are all the same (the actual
number of lines is about 3 million):

File 'oval.xml' line 65535: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string>:
This element is not expected. Expected is one of (
{http://www.w3.org/2000/09/xmldsig#}Signature<http://www.w3.org/2000/09/xmldsig#}Signature>,
{http://oval.mitre.org/XMLSchema/oval-common-5}notes<http://oval.mitre.org/XMLSchema/oval-common-5}notes>,
{http://oval.mitre.org/XMLSchema/oval-definitions-5}notes<http://oval.mitre.org/XMLSchema/oval-definitions-5}notes>,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform>,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp>,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg>,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release>,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release>,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild>,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release<http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release>
 ).

If I omit --fetch-remote-resources, there are a few different errors,
but I guess those don't matter so much?

So... what to do? Adding --skip-valid to the command doesn't seem like a
solution. If I do that the scan fails almost immediately with:

W: oscap: Unknown OVAL family subtype: interim_fix
OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
[/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
Failed to import the OVAL Definitions from 'oval.xml'.
[/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]

Are there some additional definitions that need to be pulled in somehow?

Thanks!

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-15 Thread Trevor Vaughan

Ah, good to know. Thanks!

On Thu, Aug 15, 2019 at 7:51 AM William Munyan <
william.mun...@cisecurity.org> wrote:

> Those extensions are only in the CIS benchmark content and not part of the
> OVAL repository.  I plan on taking a look at the specific content mentioned
> in the thread to see what I can see.
>
> Cheers
> Bill M (CIS)
>
> Get Outlook for iOS 
>
>
>
> On Thu, Aug 15, 2019 at 7:49 AM -0400, "Trevor Vaughan" <
> tvaug...@onyxpoint.com> wrote:
>
>
>>
>>
>> As far as I know, the CIS materials have non-standard extensions that
>> only their scanner supports.
>>
>> On Wed, Aug 14, 2019 at 11:47 PM Tim  wrote:
>>
>>> Another issue has come up while attempting to scan a Fedora-based system
>>> using the quasi-official OVAL collection at CIS:
>>>
>>> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
>>>
>>> After extracting the XML and using a command such as:
>>>
>>> oscap oval eval --report report.html --results results.xml
>>> --fetch-remote-resources oval.xml
>>>
>>> the oscap utility spends about an hour and a half parsing the 213MB of
>>> data, then says in the end that the definitions are invalid and so
>>> refuses to do the scan.
>>>
>>> When I use --fetch-remote-resources, the following message is repeated
>>> 158 times. Alas the code apparently does not contemplate OVAL files with
>>> more than 65535 lines, so the line numbers are all the same (the actual
>>> number of lines is about 3 million):
>>>
>>> File 'oval.xml' line 65535: Element
>>> '{
>>> http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string':
>>>
>>> This element is not expected. Expected is one of (
>>> {http://www.w3.org/2000/09/xmldsig#}Signature,
>>> {http://oval.mitre.org/XMLSchema/oval-common-5}notes,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
>>>
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).
>>>
>>> If I omit --fetch-remote-resources, there are a few different errors,
>>> but I guess those don't matter so much?
>>>
>>> So... what to do? Adding --skip-valid to the command doesn't seem like a
>>> solution. If I do that the scan fails almost immediately with:
>>>
>>> W: oscap: Unknown OVAL family subtype: interim_fix
>>> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
>>> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
>>> Failed to import the OVAL Definitions from 'oval.xml'.
>>> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]
>>>
>>> Are there some additional definitions that need to be pulled in somehow?
>>>
>>> Thanks!
>>>
>>>
>>>
>>>
>>>
>>> ___
>>> Open-scap-list mailing list
>>> Open-scap-list@redhat.com
>>> https://www.redhat.com/mailman/listinfo/open-scap-list
>>>
>>
>>
>> --
>> Trevor Vaughan
>> Vice President, Onyx Point, Inc
>> (410) 541-6699 x788
>>
>> -- This account not approved for unencrypted proprietary information --
>>
>> .
>>
> This message and attachments may contain confidential information. If it
> appears that this message was sent to you by mistake, any retention,
> dissemination, distribution or copying of this message and attachments is
> strictly prohibited. Please notify the sender immediately and permanently
> delete the message and any attachments.
>
> . . . . .
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-15 Thread William Munyan

Those extensions are only in the CIS benchmark content and not part of the OVAL 
repository.  I plan on taking a look at the specific content mentioned in the 
thread to see what I can see.

Cheers
Bill M (CIS)

Get Outlook for iOS



On Thu, Aug 15, 2019 at 7:49 AM -0400, "Trevor Vaughan" 
mailto:tvaug...@onyxpoint.com>> wrote:




As far as I know, the CIS materials have non-standard extensions that only 
their scanner supports.

On Wed, Aug 14, 2019 at 11:47 PM Tim 
mailto:t...@variosecure.net>> wrote:
Another issue has come up while attempting to scan a Fedora-based system
using the quasi-official OVAL collection at CIS:

https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip

After extracting the XML and using a command such as:

oscap oval eval --report report.html --results results.xml
--fetch-remote-resources oval.xml

the oscap utility spends about an hour and a half parsing the 213MB of
data, then says in the end that the definitions are invalid and so
refuses to do the scan.

When I use --fetch-remote-resources, the following message is repeated
158 times. Alas the code apparently does not contemplate OVAL files with
more than 65535 lines, so the line numbers are all the same (the actual
number of lines is about 3 million):

File 'oval.xml' line 65535: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string':
This element is not expected. Expected is one of (
{http://www.w3.org/2000/09/xmldsig#}Signature,
{http://oval.mitre.org/XMLSchema/oval-common-5}notes,
{http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release
 ).

If I omit --fetch-remote-resources, there are a few different errors,
but I guess those don't matter so much?

So... what to do? Adding --skip-valid to the command doesn't seem like a
solution. If I do that the scan fails almost immediately with:

W: oscap: Unknown OVAL family subtype: interim_fix
OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
[/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
Failed to import the OVAL Definitions from 'oval.xml'.
[/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]

Are there some additional definitions that need to be pulled in somehow?

Thanks!





___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list


--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --

.
This message and attachments may contain confidential information. If it 
appears that this message was sent to you by mistake, any retention, 
dissemination, distribution or copying of this message and attachments is 
strictly prohibited. Please notify the sender immediately and permanently 
delete the message and any attachments.

. . . . .
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-15 Thread Trevor Vaughan

As far as I know, the CIS materials have non-standard extensions that only
their scanner supports.

On Wed, Aug 14, 2019 at 11:47 PM Tim  wrote:

> Another issue has come up while attempting to scan a Fedora-based system
> using the quasi-official OVAL collection at CIS:
>
> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
>
> After extracting the XML and using a command such as:
>
> oscap oval eval --report report.html --results results.xml
> --fetch-remote-resources oval.xml
>
> the oscap utility spends about an hour and a half parsing the 213MB of
> data, then says in the end that the definitions are invalid and so
> refuses to do the scan.
>
> When I use --fetch-remote-resources, the following message is repeated
> 158 times. Alas the code apparently does not contemplate OVAL files with
> more than 65535 lines, so the line numbers are all the same (the actual
> number of lines is about 3 million):
>
> File 'oval.xml' line 65535: Element
> '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string':
>
> This element is not expected. Expected is one of (
> {http://www.w3.org/2000/09/xmldsig#}Signature,
> {http://oval.mitre.org/XMLSchema/oval-common-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).
>
> If I omit --fetch-remote-resources, there are a few different errors,
> but I guess those don't matter so much?
>
> So... what to do? Adding --skip-valid to the command doesn't seem like a
> solution. If I do that the scan fails almost immediately with:
>
> W: oscap: Unknown OVAL family subtype: interim_fix
> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
> Failed to import the OVAL Definitions from 'oval.xml'.
> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]
>
> Are there some additional definitions that need to be pulled in somehow?
>
> Thanks!
>
>
>
>
>
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

[Open-scap] Trouble Scanning OVAL from CIS Repository

2019-08-14 Thread Tim

Another issue has come up while attempting to scan a Fedora-based system 
using the quasi-official OVAL collection at CIS:


https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip

After extracting the XML and using a command such as:

oscap oval eval --report report.html --results results.xml 
--fetch-remote-resources oval.xml


the oscap utility spends about an hour and a half parsing the 213MB of 
data, then says in the end that the definitions are invalid and so 
refuses to do the scan.


When I use --fetch-remote-resources, the following message is repeated 
158 times. Alas the code apparently does not contemplate OVAL files with 
more than 65535 lines, so the line numbers are all the same (the actual 
number of lines is about 3 million):


File 'oval.xml' line 65535: Element 
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string': 
This element is not expected. Expected is one of ( 
{http://www.w3.org/2000/09/xmldsig#}Signature, 
{http://oval.mitre.org/XMLSchema/oval-common-5}notes, 
{http://oval.mitre.org/XMLSchema/oval-definitions-5}notes, 
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform, 
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp, 
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg, 
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release, 
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release, 
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild, 
{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).


If I omit --fetch-remote-resources, there are a few different errors, 
but I guess those don't matter so much?


So... what to do? Adding --skip-valid to the command doesn't seem like a 
solution. If I do that the scan fails almost immediately with:


W: oscap: Unknown OVAL family subtype: interim_fix
OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710. 
[/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
Failed to import the OVAL Definitions from 'oval.xml'. 
[/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]


Are there some additional definitions that need to be pulled in somehow?

Thanks!





___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

Re: [Open-scap] Trouble Scanning OVAL from CIS Repository

[Open-scap] Trouble Scanning OVAL from CIS Repository

9 matches

Site Navigation

Mail list logo

Footer information