[Open-scap] Trouble Scanning OVAL from CIS Repository

Trevor Vaughan tvaughan at onyxpoint.com
Thu Aug 15 11:53:27 UTC 2019


Ah, good to know. Thanks!

On Thu, Aug 15, 2019 at 7:51 AM William Munyan <
William.Munyan at cisecurity.org> wrote:

> Those extensions are only in the CIS benchmark content and not part of the
> OVAL repository.  I plan on taking a look at the specific content mentioned
> in the thread to see what I can see.
>
> Cheers
> Bill M (CIS)
>
>
> On Thu, Aug 15, 2019 at 7:49 AM -0400, "Trevor Vaughan" <
> tvaughan at onyxpoint.com> wrote:
>
>
>>
>>
>> As far as I know, the CIS materials have non-standard extensions that
>> only their scanner supports.
>>
>> On Wed, Aug 14, 2019 at 11:47 PM Tim <tim at variosecure.net> wrote:
>>
>>> Another issue has come up while attempting to scan a Fedora-based system
>>> using the quasi-official OVAL collection at CIS:
>>>
>>> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
>>>
>>> After extracting the XML and using a command such as:
>>>
>>> oscap oval eval --report report.html --results results.xml \
>>>     --fetch-remote-resources oval.xml
>>>
>>> the oscap utility spends about an hour and a half parsing the 213MB of
>>> data, then says in the end that the definitions are invalid and so
>>> refuses to do the scan.
>>>
>>> When I use --fetch-remote-resources, the following message is repeated
>>> 158 times. Alas the code apparently does not contemplate OVAL files with
>>> more than 65535 lines, so the line numbers are all the same (the actual
>>> number of lines is about 3 million):
>>>
>>> File 'oval.xml' line 65535: Element
>>> '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string':
>>> This element is not expected. Expected is one of (
>>> {http://www.w3.org/2000/09/xmldsig#}Signature,
>>> {http://oval.mitre.org/XMLSchema/oval-common-5}notes,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
>>> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).
>>>
>>> If I omit --fetch-remote-resources, there are a few different errors,
>>> but I guess those don't matter so much?
>>>
>>> So... what to do? Adding --skip-valid to the command doesn't seem like a
>>> solution. If I do that the scan fails almost immediately with:
>>>
>>> W: oscap: Unknown OVAL family subtype: interim_fix
>>> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
>>> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
>>> Failed to import the OVAL Definitions from 'oval.xml'.
>>> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]
>>>
>>> Are there some additional definitions that need to be pulled in somehow?
>>>
>>> Thanks!
>>>
>>>
>>
>>
>> --
>> Trevor Vaughan
>> Vice President, Onyx Point, Inc
>> (410) 541-6699 x788
>>
>> -- This account not approved for unencrypted proprietary information --
>>
>>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --