[Open-scap] What does this error mean?

Jan Lieskovsky jlieskov at redhat.com
Wed Feb 19 15:08:56 UTC 2014


----- Original Message -----
> From: "Shawn Wells" <shawn at redhat.com>
> To: open-scap-list at redhat.com
> Sent: Tuesday, February 18, 2014 6:36:15 PM
> Subject: Re: [Open-scap] What does this error mean?
> 
> On 2/18/14, 11:28 AM, Shawn Wells wrote:
> 
> On 2/18/14, 4:37 AM, (Alan J. Wylie) wrote:
> 
> Erinn Looney-Triggs <erinn.looneytriggs at gmail.com> writes:
> 
> >> If you are doing remote scanning, you need the xccdf, oval, and cpe
> >> files. The tool is expecting the content to be sent as a datastream
> >> which means that all 3 are combined into 1 file using a specific
> >> format (in the SCAP 1.2 specification). What this is saying is the
> >> content being used to scan with is not a data stream and it cannot
> >> resolve the objects in order to do a scan.
> 
> > Well having zip for experience with this, how do you make that happen
> > with scap-workbench? It doesn't seem to offer enough fields to fulfill
> > those requirements, but maybe I am missing something.
> 
> Šimon Lukašík has posted on his blog:
> "How to convert USGCB to DataStream with OpenSCAP"
> http://isimluk.livejournal.com/3660.html
> 
> Here is what I do to run against a remote CentOS box:
> 
> I use the latest version of the SCAP security guide from
> git://git.fedorahosted.org/scap-security-guide.git
> 
> After "make rhel6", files are in RHEL/6/output
> 
> 
> xsltproc xccdf_1.1_remove_dangling_sub.xsl ssg-rhel6-xccdf.xml \
>   > ssg-rhel6-xccdf-fixed1.xml
> 
> xsltproc --stringparam reverse_DNS gov.nist.usgcb xccdf_1.1_to_1.2.xsl \
>   ssg-rhel6-xccdf-fixed1.xml > ssg-rhel6-xccdf-fixed2.xml
> 
> sed -i '/idref="dangling reference to /d' ssg-rhel6-xccdf-fixed2.xml
> 
> # create datastream
> oscap ds sds-compose ssg-rhel6-xccdf-fixed2.xml ssg-rhel6-xccdf-ds.xml
> 
> #rm ssg-rhel6-xccdf-fixed[12].xml
> 
> oscap ds sds-add ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf-ds.xml
> 
> # if we don't do this it only targets redhat, not centos, and we don't get
> # any results
> # with oscap we can use --cpe <file> to force
> sed -i '/<platform idref="/d' ssg-rhel6-xccdf-ds.xml
> 
> # generate human readable guide
> oscap xccdf generate guide --profile \
>   xccdf_gov.nist.usgcb_profile_united_states_government_configuration_baseline \
>   ssg-rhel6-xccdf.xml > ssg-rhel6-guide.html
> 
> # run using scap-workbench
> echo LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/scap-workbench \
>   $PWD/ssg-rhel6-xccdf-ds.xml &
> 
> # view guide in web browser
> firefox ssg-rhel6-guide.html
> 
> # remote scan, then "Results", "Open In Browser"
> # can tailor and save tailoring file
> 
> # run on remote using ssh
> remote="root@192.168.0.1"
> ssh $remote "rm -rf scap-tmp; mkdir scap-tmp"
> rsync -a --no-owner --no-group --copy-links ssg-rhel6-*.xml tailor*.xml \
>   $remote:scap-tmp/
> 
> # use local copy rather than --fetch-remote-resources to download every time
> ssh $remote "sed -i '/check-content-ref/s|http://www.redhat.com/security/data/oval/||' scap-tmp/ssg-rhel6-xccdf.xml"
> 
> # creating the datastream changes names, e.g.
> # service_auditd_enabled => xccdf_gov.nist.usgcb_rule_service_auditd_enabled
> # so use the datastream file if using a tailoring file generated by
> # scap-workbench.
> # remember scap-workbench has to use a ds file if working on a remote system
> # also note how profile name is much longer
> 
> ssh $remote "cd scap-tmp; \
> oscap xccdf eval \
>  --profile     xccdf_gov.nist.usgcb_profile_CS2_tailored \
>  --cpe         ssg-rhel6-cpe-dictionary.xml \
>  --report      ssg-rhel6-report.html \
>  --results     ssg-rhel6-results.xml \
>  --results-arf ssg-rhel6-results-arf.xml \
>  --oval-results \
>  --tailoring-file tailor.xml \
>  ssg-rhel6-xccdf-ds.xml" > ssg-rhel6-log.txt || true
> 
> 
> I did mine a slightly different way.... really just using full paths naming
> schemes and including OVAL in the DS.
> 
> [shawn at SSG-RHEL6 6]$ make clean ; make content
> [shawn at SSG-RHEL6 6]$ xsltproc
> /usr/share/openscap/xsl/xccdf_1.1_remove_dangling_sub.xsl
> output/ssg-rhel6-xccdf.xml > output/ssg-rhel6-xccdf-nodangles.xml
> [shawn at SSG-RHEL6 6]$ xsltproc --stringparam reverse_DNS
> org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl
> output/ssg-rhel6-xccdf-nodangles.xml > output/ssg-rhel6-xccdf-1.2.xml
> [shawn at SSG-RHEL6 6]$ sed -i '/idref="dangling reference to /d'
> output/ssg-rhel6-xccdf-1.2.xml
> [shawn at SSG-RHEL6 6]$ oscap ds sds-compose output/ssg-rhel6-xccdf-1.2.xml
> output/ssg-rhel6-xccdf-ds.xml
> [shawn at SSG-RHEL6 6]$ oscap ds sds-add output/ssg-rhel6-cpe-dictionary.xml
> output/ssg-rhel6-xccdf-ds.xml
> [shawn at SSG-RHEL6 6]$ oscap ds sds-add output/ssg-rhel6-oval.xml
> output/ssg-rhel6-xccdf-ds.xml
> 
> If you're willing to patch the SSG build process, we'd be happy to ship as
> datastream (it's been requested for awhile).
> 
> I was convinced (offline) to stop being lazy. Datastream patches submitted to
> SSG. Pending an ACK from someone in the SSG community.
> 
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-February/004964.html
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-February/004965.html
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-February/004966.html
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-February/004967.html

Thanks for these.

Proposals reviewed, tested (on all three variations of the systems), and acked.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
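
Added example, not part of the original thread and not OpenSCAP code: a small Python check for the condition explained in the quoted text, telling whether a file is a SCAP 1.2 source data stream and which of the XCCDF, OVAL and CPE pieces it carries. The sample documents are constructed, and the rule that all three are needed is taken from the quoted explanation rather than from the tool.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
# (namespace, root element) -> document kind, for the file types named in the thread
KINDS = {
    (DS_NS, "data-stream-collection"): "source-datastream",
    ("http://checklists.nist.gov/xccdf/1.1", "Benchmark"): "xccdf-1.1",
    ("http://checklists.nist.gov/xccdf/1.2", "Benchmark"): "xccdf-1.2",
    ("http://oval.mitre.org/XMLSchema/oval-definitions-5", "oval_definitions"): "oval-definitions",
    ("http://cpe.mitre.org/dictionary/2.0", "cpe-list"): "cpe-dictionary",
}
# Assumption taken from the quoted explanation: a remote scan wants all three in one file.
NEEDED = ["xccdf-1.2", "oval-definitions", "cpe-dictionary"]

def kind_of(elem):
    """Map an ElementTree tag of the form {namespace}name to a SCAP document kind."""
    ns, _, local = elem.tag[1:].partition("}") if elem.tag[0] == "{" else ("", "", elem.tag)
    return KINDS.get((ns, local), "unknown")

def inspect(xml_text):
    """Return (kind, component kinds); components are listed only for a data stream."""
    root = ET.fromstring(xml_text)
    kind, components = kind_of(root), []
    if kind == "source-datastream":
        for comp in root.findall("{%s}component" % DS_NS):
            components.extend(kind_of(child) for child in comp)
    return kind, components

def remote_scan_problems(xml_text):
    """List what stops this content from being usable as a combined data stream."""
    kind, components = inspect(xml_text)
    if kind != "source-datastream":
        hint = "convert to XCCDF 1.2, then " if kind == "xccdf-1.1" else ""
        return ["%s is not a data stream: %scompose one with oscap ds sds-compose" % (kind, hint)]
    return ["data stream has no %s component" % k for k in NEEDED if k not in components]

# Constructed sample inputs (not real SSG content).
PLAIN_XCCDF = '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo"/>'
DATASTREAM_NO_OVAL = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
  <ds:component id="c1"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="demo"/></ds:component>
  <ds:component id="c2"><cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"/></ds:component>
</ds:data-stream-collection>"""

if __name__ == "__main__":
    for name, text in [("plain XCCDF", PLAIN_XCCDF), ("data stream", DATASTREAM_NO_OVAL)]:
        print(name, "->", remote_scan_problems(text) or "ok")
```

On a host with OpenSCAP installed, `oscap info <file>` reports the document type and data stream contents directly.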
