[Open-scap] openscap-utils 0.9.2 not parsing CPE information correctly?

Shawn Wells shawn at redhat.com
Wed Dec 19 22:37:50 UTC 2012


On 12/19/12 5:33 PM, Shawn Wells wrote:
> Hello,
>
>     Upgraded a machine to openscap & openscap 0.9.2 and the parsing of 
> --cpe seems broken.
>
>     I am using the official DISA RHEL5 STIG. To download the same 
> content:
>
> $ wget -O /tmp/u_redhat_5-v1r1_stig_benchmark.zip \
> iase.disa.mil/stigs/os/unix/u_redhat_5-v1r1_stig_benchmark.zip
> $ mkdir /usr/local/scap
> $ unzip /tmp/u_redhat_5-v1r1_stig_benchmark.zip -d /usr/local/scap/
>
>
> # rpm -qv openscap-utils openscap
> openscap-utils-0.9.1-1.el5
> openscap-0.9.1-1.el5
>
> # oscap xccdf eval --profile MAC-1_Sensitive \
> --cpe /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml \
> /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
> Title   System log files must have mode 0640 or less permissive.
> Rule    SV-37228r1_rule
> Ident   CCI-001314
> Result  fail
>
> Title   All skeleton files (typically those in /etc/skel) must have 
> mode 0644 or less permissive.
> Rule    SV-37292r1_rule
> Ident   CCI-000225
> Result  pass
>
>
> However, when I upgrade to 0.9.2:
>
> # rpm -qv openscap-utils openscap
> openscap-utils-0.9.2-1.el5
> openscap-0.9.2-1.el5
>
> # oscap xccdf eval --profile MAC-1_Sensitive \
> --cpe /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml \
> /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
>
> File 
> '/usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml' 
> line 3: Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item', 
> attribute 'name': [facet 'pattern'] The value 
> 'cpe:/o:redhat:enterprise_linux:5' is not accepted by the pattern 
> '[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}'.
> File 
> '/usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml' 
> line 3: Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item', 
> attribute 'name': 'cpe:/o:redhat:enterprise_linux:5' is not a valid 
> value of the atomic type '{http://cpe.mitre.org/naming/2.0}cpe22Type'.
> File 
> '/usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml' 
> line 3: Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item', 
> attribute 'name': Warning: No precomputed value available, the value 
> was either invalid or something strange happend.
> File 
> '/usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml' 
> line 3: Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item': Not 
> all fields of key identity-constraint 
> '{http://cpe.mitre.org/dictionary/2.0}itemURIKey' evaluate to a node.
> Invalid CPE Dictionary content(2.3) in 
> /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml. 

Also, I saw in the 0.9.3 release notes [1] that CPE processing was 
improved on RHEL5. I'll be sure to test this once 0.9.3 RPMs are available!

[1] 
https://www.redhat.com/archives/open-scap-list/2012-December/msg00012.html
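As an added example (not from this thread, the DISA content, or the OpenSCAP project), the script below applies the cpe22Type pattern facet quoted verbatim in the validator output to every cpe-item name in a CPE 2.0 dictionary, using a small constructed dictionary rather than the DISA file. It lets you check from the content side whether a name such as cpe:/o:redhat:enterprise_linux:5 actually violates the pattern, independently of whatever XSD validator oscap was built against. Function names and the sample entries are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# cpe22Type facet pattern, copied verbatim from the validator error quoted in the thread.
# XSD pattern facets are implicitly anchored at both ends, so fullmatch is the right test.
CPE22_PATTERN = re.compile(r"[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}")

CPE_DICT_NS = "http://cpe.mitre.org/dictionary/2.0"

# Constructed sample dictionary (assumption; not the DISA file): one entry that should
# pass the facet and two that are deliberately malformed.
SAMPLE_DICTIONARY = """<?xml version="1.0" encoding="UTF-8"?>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:redhat:enterprise_linux:5">
    <title xml:lang="en-US">Red Hat Enterprise Linux 5</title>
  </cpe-item>
  <cpe-item name="cpe:/o:redhat:enterprise linux:5">
    <title xml:lang="en-US">a space is not in the allowed component character class</title>
  </cpe-item>
  <cpe-item name="cpe:/a:v:p:1:2:3:4:5">
    <title xml:lang="en-US">seven components exceed the {0,6} limit of the facet</title>
  </cpe-item>
</cpe-list>
"""


def is_valid_cpe22(name: str) -> bool:
    """True if the name satisfies the cpe22Type pattern facet."""
    return CPE22_PATTERN.fullmatch(name) is not None


def check_cpe_dictionary(xml_text: str) -> list:
    """Return [(name, valid)] for every cpe-item in a CPE 2.0 dictionary document."""
    root = ET.fromstring(xml_text)
    results = []
    for item in root.iter("{%s}cpe-item" % CPE_DICT_NS):
        name = item.get("name", "")
        results.append((name, is_valid_cpe22(name)))
    return results


def invalid_names(xml_text: str) -> list:
    """Names a conforming validator should reject on the cpe22Type pattern facet."""
    return [name for name, ok in check_cpe_dictionary(xml_text) if not ok]


if __name__ == "__main__":
    for name, ok in check_cpe_dictionary(SAMPLE_DICTIONARY):
        print("%-4s %s" % ("ok" if ok else "BAD", name))
```

Run it against the real dictionary by reading the file into check_cpe_dictionary(). If a name passes this check but the oscap run still reports the pattern facet failure for it, the dictionary content is not what is wrong, which narrows the problem to the validator side.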