[Open-scap] back port to rhel5.5?

Ted Toth txtoth at gmail.com
Sun Apr 17 14:35:46 UTC 2011


On Sun, Apr 17, 2011 at 9:02 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Saturday, April 16, 2011 12:59:23 PM Ted Toth wrote:
>> On Sat, Apr 16, 2011 at 9:44 AM, Ted Toth <txtoth at gmail.com> wrote:
>> > On Sat, Apr 16, 2011 at 9:33 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>> >> On Friday, April 15, 2011 08:45:30 PM Ted Toth wrote:
>> >> We know of one problem with libxml2 doing validation of content
>> >>
>> >> https://bugzilla.redhat.com/show_bug.cgi?id=644312
>> >>
>> >> So far, there is no solution for the libxml2 problem. Validation works
>> >> on later versions of libxml2, so one thought was to bisect updates
>> >> until we find what changed that makes it work. In the meantime, there
>> >> is a commandline option to not validate the content and just run it.
>> >
>> > Because of some other work I've done I'm using:
>> > libxml2-2.7.7-1
>> > on my rhel 5.5 vm.
>> >
>> > I've built with Steve's spec file and installed. I also downloaded the
>> > usgcb rhel content and tried it with the following command:
>> >
>> > oscap xccdf eval --result-file result.xml --report-file report.html
>> > --oval-results usgcb-rhel5desktop-xccdf.xml
>> > usgcb-rhel5desktop-oval.xml
>> >
>> > Partial results are:
>> > 1 1871 In file 'usgcb-rhel5desktop-oval.xml' on line 6065: Element
>> > '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}partition_test
>> > ': This element is not expected.
>
> <snip>
>
>> > I'm pretty new to this so I'm not sure where to go from here,
>> > suggestions?
>>
>> Maybe I need a newer oval (5.8?) schema?
>
> Yes. The Beta content includes some constructs that use OVAL 5.8. The alpha content
> uses OVAL 5.4, though, and should run since openscap supports 5.6. But the alpha
> content has also been removed from the web. There is also RHEL patch content here:
>
> https://www.redhat.com/security/data/oval/
>
> It uses OVAL 5.4, so it should be fine. But getting back to the libxml2 problem, have
> you tried the validation command?
>
> oscap oval validate-xml usgcb-rhel5desktop-oval.xml
>
> Just to be sure that the problem was fixed in 2.7.7-1. Talking with Peter last week,
> OVAL 5.7 support is nearly complete and another update should be coming soon. As soon
> as that's done, work on OVAL 5.8 should start and then USGCB content works again.
>
> Thanks,
> -Steve
>

`oscap oval validate-xml usgcb-rhel5desktop-oval.xml` reports the
same issues but it doesn't abend. Is this what you wanted to know?

1 1871 In file 'usgcb-rhel5desktop-oval.xml' on line 6065: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}partition_test':
This element is not expected.
1 1871 In file 'usgcb-rhel5desktop-oval.xml' on line 9466: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}partition_object':
This element is not expected.
1 1871 In file 'usgcb-rhel5desktop-oval.xml' on line 10311: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}partition_state':
This element is not expected.
1 1877 In file 'usgcb-rhel5desktop-oval.xml' on line 3794: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5}criterion': No
match found for key-sequence ['oval:gov.nist.usgcb.rhel:tst:144120']
of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}testKeyRef'.
1 1877 In file 'usgcb-rhel5desktop-oval.xml' on line 4129: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}state': No
match found for key-sequence ['oval:gov.nist.usgcb.rhel:ste:20007'] of
keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}stateKeyRef'.
1 1877 In file 'usgcb-rhel5desktop-oval.xml' on line 4133: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}state': No
match found for key-sequence ['oval:gov.nist.usgcb.rhel:ste:20007'] of
keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}stateKeyRef'.
1 1877 In file 'usgcb-rhel5desktop-oval.xml' on line 4137: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}state': No
match found for key-sequence ['oval:gov.nist.usgcb.rhel:ste:20007'] of
keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}stateKeyRef'.
1 1877 In file 'usgcb-rhel5desktop-oval.xml' on line 4141: Element
'{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}state': No
match found for key-sequence ['oval:gov.nist.usgcb.rhel:ste:20007'] of
keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}stateKeyRef'.
...

Regarding the RHEL patch content I'd need a matching xccdf file to be
able to use this with openscap, right? As I type I'm running it
through ovaldi that I built using the CLIP 5.4 stuff from Tresys but
the customer and I would prefer an openscap solution.
What's involved in supporting a new schema? I see the
/usr/share/openscap/schemas/oval directory; could I create a 5.8 one using
the Mitre xsd files?

Ted



