[Open-scap] openscap-utils 0.9.2 not parsing CPE information correctly?
Shawn Wells
shawn at redhat.com
Wed Dec 19 22:37:50 UTC 2012
On 12/19/12 5:33 PM, Shawn Wells wrote:
> Hello,
>
> Upgraded a machine to openscap & openscap-utils 0.9.2 and the parsing of
> --cpe seems broken.
>
> I am using the official DISA RHEL5 STIG. To download the same
> content:
>
> $ wget -O /tmp/u_redhat_5-v1r1_stig_benchmark.zip \
> iase.disa.mil/stigs/os/unix/u_redhat_5-v1r1_stig_benchmark.zip
> $ mkdir /usr/local/scap
> $ unzip /tmp/u_redhat_5-v1r1_stig_benchmark.zip -d /usr/local/scap/
>
>
> # rpm -qv openscap-utils openscap
> openscap-utils-0.9.1-1.el5
> openscap-0.9.1-1.el5
>
> # oscap xccdf eval --profile MAC-1_Sensitive \
> --cpe /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml \
> /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
> Title System log files must have mode 0640 or less permissive.
> Rule SV-37228r1_rule
> Ident CCI-001314
> Result fail
>
> Title All skeleton files (typically those in /etc/skel) must have
> mode 0644 or less permissive.
> Rule SV-37292r1_rule
> Ident CCI-000225
> Result pass
>
>
> However, when I upgrade to 0.9.2:
>
> # rpm -qv openscap-utils openscap
> openscap-utils-0.9.2-1.el5
> openscap-0.9.2-1.el5
>
> # oscap xccdf eval --profile MAC-1_Sensitive \
> --cpe /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml \
> /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-xccdf.xml
>
> File
> '/usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml'
> line 3: Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item',
> attribute 'name': [facet 'pattern'] The value
> 'cpe:/o:redhat:enterprise_linux:5' is not accepted by the pattern
> '[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}'.
> File
> '/usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml'
> line 3: Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item',
> attribute 'name': 'cpe:/o:redhat:enterprise_linux:5' is not a valid
> value of the atomic type '{http://cpe.mitre.org/naming/2.0}cpe22Type'.
> File
> '/usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml'
> line 3: Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item',
> attribute 'name': Warning: No precomputed value available, the value
> was either invalid or something strange happend.
> File
> '/usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml'
> line 3: Element '{http://cpe.mitre.org/dictionary/2.0}cpe-item': Not
> all fields of key identity-constraint
> '{http://cpe.mitre.org/dictionary/2.0}itemURIKey' evaluate to a node.
> Invalid CPE Dictionary content(2.3) in
> /usr/local/scap/U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml.
Also, I saw in the 0.9.3 release notes [1] that CPE processing was
improved on RHEL5. I'll be sure to test this once 0.9.3 RPMs are available!
[1] https://www.redhat.com/archives/open-scap-list/2012-December/msg00012.html
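A pre-flight check for a CPE dictionary, added here as an example and not part of the original thread or of the OpenSCAP project. It applies the `cpe22Type` pattern exactly as quoted in the validator output above, using Python's `re.fullmatch` to mirror the implicit full-string anchoring of an XSD pattern facet, and reports which part of a name breaks the pattern. The sample dictionary is constructed (the names after the first item are invented to show each failure mode); the `explain_cpe22` and `check_cpe_dictionary` function names are my own. Run against the name the validator rejected, the check passes, so the rejection cannot be reproduced with a plain regex engine and the content itself is not what this check would flag.

```python
import re
import xml.etree.ElementTree as ET

# Pattern facet of cpe22Type, copied verbatim from the validator error in the thread.
CPE22_PATTERN = r"[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6}"
CPE22_RE = re.compile(CPE22_PATTERN)
COMPONENT_CHARS = re.compile(r"[A-Za-z0-9\._\-~%]")

# Namespace of the dictionary format named in the error messages.
NS = {"cpe-dict": "http://cpe.mitre.org/dictionary/2.0"}


def is_valid_cpe22(name: str) -> bool:
    """XSD pattern facets match the whole value, so fullmatch, not search."""
    return CPE22_RE.fullmatch(name) is not None


def explain_cpe22(name: str) -> str:
    """Return 'ok' for a valid name, otherwise the first reason it fails the pattern."""
    if is_valid_cpe22(name):
        return "ok"
    if not re.match(r"[c][pP][eE]:/", name):
        return "missing 'cpe:/' prefix (first character must be lowercase 'c')"
    rest = name[len("cpe:/"):]
    # The part field is optional; if present it must be a, h or o in either case.
    if rest and rest[0] != ":" and rest[0] not in "AHOaho":
        return f"invalid part {rest[0]!r} (expected a, h or o)"
    components = rest.split(":")[1:]  # everything after the part field
    if len(components) > 6:
        return f"{len(components)} components after the part field (max 6)"
    for component in components:
        bad = COMPONENT_CHARS.sub("", component)
        if bad:
            return f"disallowed character(s) {bad!r} in component {component!r}"
    return "does not match cpe22Type pattern"


def check_cpe_dictionary(xml_text: str):
    """Yield (name, verdict) for every cpe-item in a CPE 2.x dictionary document."""
    root = ET.fromstring(xml_text)
    return [(item.get("name", ""), explain_cpe22(item.get("name", "")))
            for item in root.findall("cpe-dict:cpe-item", NS)]


# Constructed sample dictionary: the first item is the name from the thread,
# the remaining items are invented to exercise each failure mode.
SAMPLE_DICTIONARY = """
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:redhat:enterprise_linux:5">
    <title xml:lang="en-US">Red Hat Enterprise Linux 5</title>
  </cpe-item>
  <cpe-item name="cpe:/x:example:product">
    <title xml:lang="en-US">constructed: bad part field</title>
  </cpe-item>
  <cpe-item name="cpe:/o:example:too:many:fields:a:b:c">
    <title xml:lang="en-US">constructed: seven components</title>
  </cpe-item>
  <cpe-item name="cpe:/o:example:red hat">
    <title xml:lang="en-US">constructed: space in a component</title>
  </cpe-item>
</cpe-list>
"""

if __name__ == "__main__":
    for name, verdict in check_cpe_dictionary(SAMPLE_DICTIONARY):
        print(f"{verdict:60s} {name}")
```

Point the script at the real `U_RedHat_5-V1R1_STIG_Benchmark-cpe-dictionary.xml` by reading the file into `check_cpe_dictionary` to see whether any item trips the pattern under a plain regex engine before attributing the error to the content.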