[Open-scap] Open SCAP with RHEL5 USGCB content (UNCLASSIFIED)

Simon Lukasik slukasik at redhat.com
Tue Nov 27 19:15:46 UTC 2012 

On 11/27/2012 07:17 PM, Shaw, Ray V CTR (US) wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
> 
> Not sure if anyone else is still exploring this (I see one thread from June
> regarding this content), but I did a comparison of SPAWAR SCC and Open SCAP
> 0.9.2 scanning a RHEL5 system using the RHEL5 USGCB 1.0.5.0 XCCDF content.
> 

Thank you very much for comparison and especially for sharing this.

> I had to strip the platform information; attempting to specify the
> dictionary with --cpe gave me an error with this content.  I had to use
> something slightly different, because they have a commented-out platform
> line in the content, and the comment spans lines, and well...it gets messy
> if I use the previous sed statement.  But this works (and should hopefully
> work for other things as well):
> 
> perl -p -i -e 's/[^<!--]<platform.*[^-->]$//g'
> /opt/scc/Resources/Content/USGCB-RHEL5-1.0.5.0/usgcb-rhel5desktop-xccdf.xml 
> 
> I then scanned it using the following:
> 
> oscap xccdf eval --profile "united_states_government_configuration_baseline"
> --results `hostname`_desktop.xml --report `hostname`_desktop.html
> /opt/scc/Resources/Content/USGCB-RHEL5-1.0.5.0/usgcb-rhel5desktop-xccdf.xml
> 
> YMMV; for me, the results were extremely close.  The primary differences I
> noticed were that all of the "Ensure <x> has its own partition" checks were
> "not selected" by Open SCAP (SCC marked them as "failed", which is correct
> for this particular test system):
> 
> CCE-14011-1
> CCE-14161-4
> CCE-14171-3
> CCE-14559-9
> CCE-14777-7
> 

Correct me if I am wrong, but I believe that behavior of OpenSCAP is
correct. These rules shall indeed became notselected. That's caused by
surrounding group usgcb-rhel5desktop-group-2.1.1.1 which is not
selected. As per nistir-7275r4:

"""
An unselected group SHALL NOT be processed, and its contents SHALL NOT
be processed either (i.e., all descendants of an unselected group are
implicitly unselected).
"""

and

"""
An <xccdf:Group> allows benchmark users to select and deselect related
<xccdf:Rule> elements together; since a deselected <xccdf:Group> is not
processed, none of its contained items are processed either.
"""

> Also, "Ensure software is up to date" resulted in "notchecked" on Open SCAP
> and "error" on SCC.
> 

It is not clear to me whether the "notchecked" or "error" result is the
most accurate in cases when OVAL is missing.

The OVAL is missing because the security_patches_up_to_date rule uses
remote OVAL content which is not enabled by default in OpenSCAP.

Anyway, OpenSCAP can process this remote OVAL content. The very first
lines of OpenSCAP output suggest it:

"""
    This content points out to the remote resources. Use
`--fetch-remote-resources' option to download them.
    WARNING: Skipping
http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml file
which is referenced from XCCDF content
"""

> --
> Ray Shaw
> Contractor, STG
> Unix support, Army Research Labs
> 
> Classification: UNCLASSIFIED
> Caveats: NONE
> 

Best regards,

-- 
Simon Lukasik
Security Technologies

More information about the Open-scap-list mailing list