[Open-scap] What does this error mean?

Shawn Wells shawn at redhat.com
Tue Feb 18 17:36:15 UTC 2014


On 2/18/14, 11:28 AM, Shawn Wells wrote:
> On 2/18/14, 4:37 AM, (Alan J. Wylie) wrote:
>> Erinn Looney-Triggs <erinn.looneytriggs at gmail.com> writes:
>>
>>>> If you are doing remote scanning, you need the xccdf, oval, and cpe
>>>> files. The tool is expecting the content to be sent as a datastream
>>>> which means that all 3 are combined into 1 file using a specific
>>>> format (in the SCAP 1.2 specification). What this is saying is the
>>>> content being used to scan with is not a data stream and it cannot
>>>> resolve the objects in order to do a scan.
>>> Well having zip for experience with this, how do you make that happen
>>> with scap-workbench? It doesn't seem to offer enough fields to fulfill
>>> those requirements, but maybe I am missing something.
>> Šimon Lukašík has posted on his blog:
>> "How to convert USGCB to DataStream with OpenSCAP"
>> http://isimluk.livejournal.com/3660.html
>>
>> Here is what I do to run against a remote CentOS box:
>>
>> I use the latest version of the SCAP security guide from
>> git://git.fedorahosted.org/scap-security-guide.git
>>
>> After "make rhel6", files are in RHEL/6/output
>>
>>
>> xsltproc xccdf_1.1_remove_dangling_sub.xsl ssg-rhel6-xccdf.xml > ssg-rhel6-xccdf-fixed1.xml
>>
>> xsltproc --stringparam reverse_DNS gov.nist.usgcb xccdf_1.1_to_1.2.xsl ssg-rhel6-xccdf-fixed1.xml > ssg-rhel6-xccdf-fixed2.xml
>>
>> sed -i '/idref="dangling reference to /d' ssg-rhel6-xccdf-fixed2.xml
>>
>> # create datastream
>> oscap ds sds-compose ssg-rhel6-xccdf-fixed2.xml ssg-rhel6-xccdf-ds.xml
>>
>> #rm ssg-rhel6-xccdf-fixed[12].xml
>>
>> oscap ds sds-add ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf-ds.xml
>>
>> # if we don't do this it only targets redhat, not centos, and we don't get any results
>> # with oscap we can use --cpe <file> to force
>> sed -i '/<platform idref="/d' ssg-rhel6-xccdf-ds.xml
>>
>> # generate human readable guide
>> oscap xccdf generate guide --profile xccdf_gov.nist.usgcb_profile_united_states_government_configuration_baseline ssg-rhel6-xccdf.xml > ssg-rhel6-guide.html
>>
>> # run using scap-workbench
>> echo LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/scap-workbench $PWD/ssg-rhel6-xccdf-ds.xml &
>>
>> # view guide in web browser
>> firefox ssg-rhel6-guide.html
>>
>> # remote scan, then "Results", "Open In Browser"
>> # can tailor and save tailoring file
>>
>> # run on remote using ssh
>> remote="root@192.168.0.1"
>>
>> ssh $remote "rm -rf scap-tmp; mkdir scap-tmp"
>> rsync -a --no-owner --no-group --copy-links ssg-rhel6-*.xml tailor*.xml $remote:scap-tmp/
>>
>> # use local copy rather than --fetch-remote-resources to download every time
>> ssh $remote "sed -i '/check-content-ref/s|http://www.redhat.com/security/data/oval/||' scap-tmp/ssg-rhel6-xccdf.xml"
>>
>> # creating the datastream changes names, e.g.
>> # service_auditd_enabled => xccdf_gov.nist.usgcb_rule_service_auditd_enabled
>> # so use the datastream file if using a tailoring file generated by scap-workbench.
>> # remember scap-workbench has to use a ds file if working on a remote system
>> # also note how profile name is much longer
>>
>> ssh $remote "cd scap-tmp; \
>> oscap xccdf eval \
>>   --profile     xccdf_gov.nist.usgcb_profile_CS2_tailored \
>>   --cpe         ssg-rhel6-cpe-dictionary.xml \
>>   --report      ssg-rhel6-report.html \
>>   --results     ssg-rhel6-results.xml \
>>   --results-arf ssg-rhel6-results-arf.xml \
>>   --oval-results \
>>   --tailoring-file tailor.xml \
>>   ssg-rhel6-xccdf-ds.xml" > ssg-rhel6-log.txt || true
>
>
> I did mine a slightly different way.... really just using full paths naming schemes and including OVAL in the DS.
>
> [shawn@SSG-RHEL6 6]$ make clean ; make content
> [shawn@SSG-RHEL6 6]$ xsltproc /usr/share/openscap/xsl/xccdf_1.1_remove_dangling_sub.xsl output/ssg-rhel6-xccdf.xml > output/ssg-rhel6-xccdf-nodangles.xml
> [shawn@SSG-RHEL6 6]$ xsltproc --stringparam reverse_DNS org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl output/ssg-rhel6-xccdf-nodangles.xml > output/ssg-rhel6-xccdf-1.2.xml
> [shawn@SSG-RHEL6 6]$ sed -i '/idref="dangling reference to /d' output/ssg-rhel6-xccdf-1.2.xml
> [shawn@SSG-RHEL6 6]$ oscap ds sds-compose output/ssg-rhel6-xccdf-1.2.xml output/ssg-rhel6-xccdf-ds.xml
> [shawn@SSG-RHEL6 6]$ oscap ds sds-add output/ssg-rhel6-cpe-dictionary.xml output/ssg-rhel6-xccdf-ds.xml
> [shawn@SSG-RHEL6 6]$ oscap ds sds-add output/ssg-rhel6-oval.xml output/ssg-rhel6-xccdf-ds.xml
>
> If you're willing to patch the SSG build process, we'd be happy to ship as datastream (it's been requested for a while).

I was convinced (offline) to stop being lazy. Datastream patches 
submitted to SSG. Pending an ACK from someone in the SSG community.

https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-February/004964.html
https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-February/004965.html
https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-February/004966.html
https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-February/004967.html
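
Added example (not part of the original message and not SSG or OpenSCAP code): a pre-flight check that tells whether a file is a SCAP 1.2 source data stream and which of the XCCDF, OVAL and CPE components discussed in this thread are embedded in it. The sample documents, the make_sds helper and the org.example id are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

DS = "http://scap.nist.gov/schema/scap/source/1.2"  # SCAP 1.2 source data stream namespace
# Root element of each component kind the thread says a remote scan needs.
KINDS = {
    "{http://checklists.nist.gov/xccdf/1.2}Benchmark": "xccdf",
    "{http://oval.mitre.org/XMLSchema/oval-definitions-5}oval_definitions": "oval",
    "{http://cpe.mitre.org/dictionary/2.0}cpe-list": "cpe",
}

def inspect_datastream(xml_text):
    """Return (is_datastream, sorted list of component kinds not embedded)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}data-stream-collection" % DS:
        # A bare XCCDF or OVAL file: the situation behind the error in this thread.
        return False, sorted(KINDS.values())
    found = set()
    for comp in root.findall("{%s}component" % DS):
        for child in comp:  # each ds:component wraps one embedded document
            if child.tag in KINDS:
                found.add(KINDS[child.tag])
    return True, sorted(set(KINDS.values()) - found)

# Constructed minimal samples for illustration, not real SSG content.
XCCDF = '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo"/>'
OVAL = '<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>'
CPE = '<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"/>'

def make_sds(*docs):
    """Wrap documents in a skeletal data-stream-collection (hypothetical helper)."""
    comps = "".join('<ds:component id="c%d">%s</ds:component>' % (i, d)
                    for i, d in enumerate(docs))
    return '<ds:data-stream-collection xmlns:ds="%s">%s</ds:data-stream-collection>' % (DS, comps)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file, e.g. ssg-rhel6-xccdf-ds.xml
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"bare xccdf": XCCDF, "sds without oval": make_sds(XCCDF, CPE),
                   "full sds": make_sds(XCCDF, CPE, OVAL)}
    for name, text in samples.items():
        is_ds, missing = inspect_datastream(text)
        print("%s: datastream=%s missing=%s" % (name, is_ds, ",".join(missing) or "none"))
```

A kind reported as missing is a prompt to look rather than a verdict, since checks can also be referenced externally, as in the --fetch-remote-resources case mentioned in the quoted script.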