[Open-scap] Using scap workbench to scan Debian on Beaglebone Black

Luther Goh Lu Feng elfgoh at yahoo.com
Fri Apr 7 08:04:12 UTC 2017


Thanks for the patient explanation!


<quote>The file at https://www.debian.org/security/oval/oval-definitions-2014.xml
uses OVAL 5.3</quote>

Any idea what Debian's efforts/stand are with regard to OVAL 5.11? Where do I find a bug or find relevant discussion threads/documentation?


--Luther




On Friday, April 7, 2017 3:51 PM, Jan Cerny <jcerny at redhat.com> wrote:



Hi,

ad 1) Does this successful run mean that OpenSCAP 1.0.9 supports OVAL 5.11
without issues?

No, it doesn't.

The file at https://www.debian.org/security/oval/oval-definitions-2014.xml
uses OVAL 5.3, that's an older version of the OVAL language standard. The
OVAL document's version is in the <oval:schema_version> element,
located at the beginning of the file.

The last version supported by OpenSCAP 1.0.9 is OVAL 5.10.1. You can check that
by running: $ oscap --version . OVAL is a backward compatible language, so that
means all versions before 5.10.1 are supported as well.

On the other hand, OpenSCAP 1.2.9 supports OVAL version 5.11.1.
The difference between OVAL 5.10.x and 5.11.x is that 5.11 adds
systemd-related stuff and offers new built-in macros, e.g. glob_to_regex.
Most of the things remained the same, but unfortunately this new stuff
is widely used in the security community, because almost every Linux distro
started using systemd.


ad 2) Is OpenSCAP cli on par functionality wise with SCAP workbench?

SCAP Workbench uses OpenSCAP cli under the hood. Workbench is just
a simple GUI on top of OpenSCAP. That means scanning
either by Workbench or "oscap" cli will give you the same results.

In SCAP Workbench, you can customize the benchmarks to fit your needs
(click on Customize button). The cli tool can't create a new customization
file (that would be very awkward anyway), but it can process it.

Conversely, the oscap cli tool has a lot of advanced command line options
and arguments that SCAP Workbench doesn't have, because
SCAP Workbench aims to be an easy-to-use application.


Hope that helps

Regards

Jan Černý
Security Technologies | Red Hat, Inc.


----- Original Message -----
> From: "Luther Goh Lu Feng" <elfgoh at yahoo.com>
> To: "Jan Cerny" <jcerny at redhat.com>
> Sent: Thursday, April 6, 2017 4:20:17 PM
> Subject: Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black
> 
> Thanks for the suggestion! I will most certainly attempt to install OpenSCAP
> 1.2.9 from testing.
> 
> I am still very much a noob figuring out my way around the various security
> concepts such as OVAL, XCCDF. So pardon me if I indicate any wrong
> assumptions as I have not yet fully read the manual.
> 
> 
> In my debugging, I have run $ oscap oval eval --results debian-2014.xml
> --report debian-2014.html oval-definitions-2014.xml, and managed to get a
> proper report. The oval definitions are from debian[1].
> 
> So questions:
> 
> - Does this successful run mean that OpenSCAP 1.0.9 supports OVAL 5.11
> without issues?
> - Is OpenSCAP cli on par functionality wise with SCAP workbench?
> 
> 
> [1] https://www.debian.org/security/oval/
> 
> 
> 
> On Thursday, April 6, 2017 4:50 PM, Jan Cerny <jcerny at redhat.com> wrote:
> 
> 
> 
> Hi,
> 
> That is pretty cool that you want to run OpenSCAP on such a device.
> I like it! You're the first person that I know running it on ARM :)
> 
> I think the problem is that Debian Jessie has OpenSCAP 1.0.9,
> which is an old version that doesn't support systemd related tests
> and it also can't process OVAL documents using OVAL standard 5.11,
> which we use to write security policies. The error messages
> look like that's the problem.
> 
> I suggest trying to backport OpenSCAP packages from Debian Testing (Stretch).
> Debian Testing has OpenSCAP 1.2.9 that supports those new standards
> and systemd.
> 
> Or you might try to compile the latest upstream release 1.2.14 directly from
> the sources on Github [1] and install that on your device.
> 
> However I don't have an ARM machine with Debian, so I haven't verified
> if there is any other issue :) If you encounter a problem,
> please inform us. Thank you.
> 
> 
> [1]
> https://github.com/OpenSCAP/openscap/releases/download/1.2.14/openscap-1.2.14.tar.gz
> 
> 
> Best regards
> 
> Jan Černý
> Security Technologies | Red Hat, Inc.
> 
> 
> 
> 
> 
> ----- Original Message -----
> > From: "Luther Goh Lu Feng" <elfgoh at yahoo.com>
> > To: open-scap-list at redhat.com
> > Sent: Thursday, April 6, 2017 6:07:18 AM
> > Subject: [Open-scap] Using scap workbench to scan Debian on Beaglebone
> > Black
> > 
> > I have installed SCAP Workbench on Mac OS X[1] and attempted to scan a
> > Beaglebone Black with Debian installed remotely. Debian has been installed
> > with OpenSCAP[2]. However the scan threw up a lot of errors and didn't
> > complete. I am only including a small subset of the errors so as not to
> > overwhelm readers with the amount of text. But am happy to furnish the full
> > logs in pastebin if it is helpful. Hope to have some tips. Thanks!
> > 
> > 
> > 13:28:47
> > info
> > Connection established.
> > 
> > 
> > 13:28:47
> > info
> > Checking if oscap is available on remote machine...
> > 
> > 
> > 13:28:59
> > info
> > Querying capabilities on remote machine...
> > 
> > 
> > 13:29:13
> > info
> > Copying input data to remote target...
> > 
> > 
> > 13:30:32
> > info
> > Starting the remote process...
> > 
> > 
> > 13:30:32
> > info
> > Processing on the remote machine...
> > 
> > 
> > 13:30:47
> > error
> > The 'oscap' process has written the following content to stderr: OpenSCAP
> > Error: File '/tmp/tmp.3WyW7Kt0Aa' line 1835: Element
> > '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_test':
> > This element is not expected.
> > 
> > 
> > 13:30:47
> > error
> > The 'oscap' process has written the following content to stderr:
> > [../../../src/XCCDF/xccdf_session.c:342]
> > 
> > 
> > 13:30:47
> > error
> > The 'oscap' process has written the following content to stderr: File
> > '/tmp/tmp.3WyW7Kt0Aa' line 2482: Element
> > '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_object':
> > This element is not expected.
> > 
> > 
> > 13:30:47
> > error
> > The 'oscap' process has written the following content to stderr:
> > [../../../src/XCCDF/xccdf_session.c:342]
> > 
> > 
> > 13:30:47
> > error
> > The 'oscap' process has written the following content to stderr: File
> > '/tmp/tmp.3WyW7Kt0Aa' line 3427: Element
> > '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_state':
> > This element is not expected.
> > 
> > 
> > 13:30:47
> > error
> > The 'oscap' process has written the following content to stderr:
> > [../../../src/XCCDF/xccdf_session.c:342]
> > 
> > 
> > 13:30:47
> > error
> > The 'oscap' process has written the following content to stderr: File
> > '/tmp/tmp.3WyW7Kt0Aa' line 3653: Element
> > '{http://oval.mitre.org/XMLSchema/oval-definitions-5}glob_to_regex': This
> > element is not expected. Expected is one of (
> > {http://www.w3.org/2000/09/xmldsig#}Signature,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}variable_component,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}literal_component,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}arithmetic,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}begin,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}concat,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}end,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}escape_regex,
> > {http://oval.mitre.org/XMLSchema/oval-definitions-5}split ).
> > 
> > 
> > 
> > 
> > [1] https://www.open-scap.org/tools/scap-workbench/
> > [2] https://packages.debian.org/jessie/python-openscap
> > 
> 
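Added example, not part of the original messages: a pre-flight check that reads the schema_version element described in the thread and compares it numerically with the highest OVAL version a scanner supports, also listing the element names that the OpenSCAP 1.0.9 validator rejected in the log above. The function names, the sample document and the idea of passing the scanner's limit as a string (5.10.1 for OpenSCAP 1.0.9, as stated in the thread) are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): declares 5.11.1 and uses two
# constructs that appear in the error log above.
SAMPLE_OVAL = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <generator><oval:schema_version>5.11.1</oval:schema_version></generator>
  <tests>
    <linux:systemdunitdependency_test id="oval:example:tst:1" version="1"/>
  </tests>
  <variables>
    <local_variable id="oval:example:var:1" version="1" datatype="string">
      <glob_to_regex><literal_component>/etc/*.conf</literal_component></glob_to_regex>
    </local_variable>
  </variables>
</oval_definitions>
"""

# Element names reported as "not expected" in the log quoted in this thread.
NEWER_ELEMENTS = {"systemdunitdependency_test", "systemdunitdependency_object",
                  "systemdunitdependency_state", "glob_to_regex"}

def parse_version(text):
    """'5.10.1' -> (5, 10, 1); numeric, so 5.3 sorts before 5.10.1."""
    return tuple(int(part) for part in text.strip().split("."))

def preflight(oval_xml, scanner_max):
    """Return (declared_version, supported, newer_elements_found)."""
    root = ET.fromstring(oval_xml)
    declared, found = None, set()
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
        if name == "schema_version" and declared is None:
            declared = elem.text.strip()
        elif name in NEWER_ELEMENTS:
            found.add(name)
    if declared is None:
        raise ValueError("no schema_version element found")
    supported = parse_version(declared) <= parse_version(scanner_max)
    return declared, supported, sorted(found)

if __name__ == "__main__":
    print(preflight(SAMPLE_OVAL, "5.10.1"))
```

Comparing the versions as integer tuples matters here: as plain strings, "5.3" would sort after "5.10.1".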



