<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I just took a look at OpenSCAP and
ComplianceAsCode.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I obtained results that were at
variance with yours, and which failed to attain Glorious Victory.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Some comments inline.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 1/23/19 10:10 AM, Boucher, William
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a7edf90c764e48c28dc1137e01581fe5@ABQ-Ex01.mza.lan">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">OK!
I downloaded the latest scap-security-guide source from Git
and built it for Ubuntu 1604. It compiles and runs!</span></p>
</blockquote>
<p>Using an Ubuntu 18.04 instance as a platform, I obtained, built,
and installed <a href="https://github.com/OpenSCAP/openscap">https://github.com/OpenSCAP/openscap</a>.</p>
<p>I also obtained and built <a
href="https://github.com/ComplianceAsCode/content">https://github.com/ComplianceAsCode/content</a>
on the same system.<br>
</p>
<blockquote type="cite"
cite="mid:a7edf90c764e48c28dc1137e01581fe5@ABQ-Ex01.mza.lan">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Next
challenge, during the compile it had trouble scanning the Oval
file for controls it was to evaluate, and it marked all of
those it didn’t find as “not applicable”. So I got a score of
100%, but none of the challenging controls were evaluated. (I
used an oval file I found in the source tree but I guess it
was not complete.)</span></p>
</blockquote>
<p>Using «<tt>oscap xccdf eval --profile
xccdf_org.ssgproject.content_profile_standard --results-arf
results-arf.xml --report report.html --results results.xml
ssg-ubuntu1804-ds.xml</tt>» all results were <tt>notapplicable</tt>.</p>
<p>I commented out line #10606 (the <tt><platform></tt>
designator) in <tt>ssg-ubuntu1804-ds.xml</tt> and ran the
evaluation again. This time some of the rules were evaluated, some
passed, some failed, some resulted in error, some were
notapplicable (for no apparent reason).</p>
<p>I then ran the same evaluation as root («<tt>sudo oscap …</tt>»),
and obtained passes, fails, and notapplicables, but no errors. The
report was at variance with the input data stream with respect to
rules selected in the data stream (the profile selects more rules
than appear in the eval report — 45 <i>vs</i> 38 respectively).</p>
<p>Note that I am using the data stream (<tt>ssg-ubuntu1804-ds.xml</tt>)
and not, directly, the related OVAL (<tt>ssg-ubuntu1804-oval.xml</tt>).
I have a profound antipathy toward OVAL, and prefer to avoid close
contact.<br>
</p>
<blockquote type="cite"
cite="mid:a7edf90c764e48c28dc1137e01581fe5@ABQ-Ex01.mza.lan">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Apparently
I need more or better benchmark files for Ubuntu in the
OpenSCAP “/usr/share/openscap” and “/usr/share/openscap/cpe”
directories (openscap-cpe-dictionary.xml,
openscap-cpe-oval.xml, openscap-ubuntu1604-cpe-dictionary.xml
and openscap</span>-<span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">ubuntu1604-cpe-oval.xml
in the openscap/cpe directory and scap-ubuntu1604-oval.xml,
scap-ubuntu1604-ocil.xml and scap-ubuntu-1604-ds.xml in the
openscap directory).</span></p>
</blockquote>
<p>I used git head to build the content I used. The data stream
encapsulates the related XCCDF and OVAL documents.<br>
</p>
<blockquote type="cite"
cite="mid:a7edf90c764e48c28dc1137e01581fe5@ABQ-Ex01.mza.lan">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">These
files do not appear to be in the source from Git and they were
not installed with the libopenscap8 package. Google is not
helping me with this challenge. Can you guys direct me to
where I can find these files so I can build and run a complete
scan of my system(s)?</span></p>
</blockquote>
<p>I expect you would obtain similar results on 16.04. Determining
why rules end up notapplicable, or seem to be skipped during
evaluation, will require additional inspection, as will evaluating
the veracity of the passes and fails.<br>
</p>
<p>Regards,</p>
<p>Gary<br>
</p>
<div class="moz-signature">-- <br>
<title></title>
<address style="font-size: smaller; text-decoration:none;"
xml:lang="en">Gary Gapinski — DB Consulting Group<br>
NASA Glenn Research Center<br>
℡ <a href="tel:+1 216 433 3959" style="text-decoration:none;">+1 216 433 3959</a>
— office<br>
℡ <a href="tel:+1 216 820 1849" style="text-decoration:none;">+1 216 820 1849</a>
— mobile<br>
<a href="mailto:gapinski@nasa.gov" style="text-decoration:none;">gapinski@nasa.gov</a>
</address>
</div>
</body>
</html>