openscap / openscap

NIST Certified SCAP 1.2 toolkit

Home Page: https://www.open-scap.org/tools/openscap-base

License: GNU Lesser General Public License v2.1


openscap's Introduction

OpenSCAP


Open Source Security Compliance Solution

About

The oscap program is a command line tool that allows users to load, scan, validate, edit, and export SCAP documents.

Contributing

We welcome all contributions to the OpenSCAP project. If you would like to contribute, either by fixing existing issues or adding new features, please check out our contribution guide to get started. If you would like to discuss anything, ask questions, or if you need additional help getting started, you can either send a message to our libera.chat IRC channel, #openscap, or to our mailing list.

Microsoft Windows Support

The Microsoft Windows support is officially void as of February 1, 2022.

Use cases

SCAP Content Validation

  • The following example shows how to validate a given source data stream; all components within the data stream are validated (XCCDF, OVAL, OCIL, CPE, and possibly other components):
oscap ds sds-validate scap-ds.xml

Scanning

  • To evaluate all definitions within the given OVAL Definition file, run the following command:
oscap oval eval --results oval-results.xml scap-oval.xml

where scap-oval.xml is the OVAL Definition file and oval-results.xml is the OVAL Result file.

  • To evaluate all definitions from the OVAL component that are part of a particular data stream within a SCAP data stream collection, run the following command:
oscap oval eval --datastream-id ds.xml --oval-id xccdf.xml --results oval-results.xml scap-ds.xml

where ds.xml is the given data stream, xccdf.xml is an XCCDF file specifying the OVAL component, oval-results.xml is the OVAL Result file, and scap-ds.xml is a file representing the SCAP data stream collection.

  • To evaluate a specific profile in an XCCDF file run this command:
oscap xccdf eval --profile Desktop --results xccdf-results.xml --cpe cpe-dictionary.xml scap-xccdf.xml

where scap-xccdf.xml is the XCCDF document, Desktop is the selected profile from the XCCDF document, xccdf-results.xml is a file storing the scan results, and cpe-dictionary.xml is the CPE dictionary.

  • To evaluate a specific XCCDF benchmark that is part of a data stream within a SCAP data stream collection run the following command:
oscap xccdf eval --datastream-id ds.xml --xccdf-id xccdf.xml --results xccdf-results.xml scap-ds.xml

where scap-ds.xml is a file representing the SCAP data stream collection, ds.xml is the particular data stream, xccdf.xml is the ID of the component-ref pointing to the desired XCCDF document, and xccdf-results.xml is a file containing the scan results.

Document generation

  • without XCCDF rules
oscap xccdf generate guide XCCDF-FILE > XCCDF-GUIDE-FILE
  • with XCCDF rules
oscap xccdf generate guide --profile PROFILE XCCDF-FILE > XCCDF-GUIDE-FILE
  • generate report from scanning
oscap xccdf generate report XCCDF-RESULT-FILE > XCCDF-REPORT-FILE

openscap's Issues

Running a custom remediation script results into artificial double quotes to be inserted around the inserted value

Description of problem:

Use the following remediation script (for testing purpose can be used on some artificially failing rule):

# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions

# Install required packages
package_command install esc
package_command install pam_pkcs11

# Define constants to be reused below
SP="[[:space:]]"
PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf"

# Ensure OCSP is turned on in $PAM_PKCS11_CONF
#1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration
sed -i "s/^${SP}*cert_policy${SP}=${SP}none;/cert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF"
#2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line,
# which does not contain it yet
sed -i "/^${SP}*cert_policy${SP}=.*;/ {/ocsp_on/! s/^${SP}*cert_policy${SP}=${SP}\(.*\);/cert_policy = \1, ocsp_on;/}" "$PAM_PKCS11_CONF"

# Enable smartcard authentication (but allow also other ways
# to login not to possibly cut off the system in question)
authconfig --enablesmartcard --updateall

Note: Normally this remediation script is present for the smartcard_auth rule of the PCI-DSS profile of scap-security-guide content for RHEL-7 system.

The sed command snippet at line 17 of the aforementioned remediation script:

17 sed -i "/^${SP}*cert_policy${SP}=.*;/ {/ocsp_on/! s/^${SP}*cert_policy${SP}=${SP}\(.*\);/cert_policy = \1, ocsp_on;/}" "$PAM_PKCS11_CONF"

should append the ocsp_on value to each cert_policy row of the /etc/pam_pkcs11/pam_pkcs11.conf configuration file, if ocsp_on is not present on that cert_policy row yet. Example:

cert_policy = ca, signature;

should be turned into

cert_policy = ca, signature, ocsp_on;

Running the above remediation script directly in Bash actually does what is expected above.

But using it as a remediation script for some XCCDF rule and running it (after a failing rule check) within the remediation procedure results in the following line being created:

cert_policy = ca, signature, "ocsp_on";

Yes, the only difference is the double quotes placed around the ocsp_on value.

Though I understand this is a very rare corner case (we will probably rewrite that remediation script itself for the purpose of the scap-security-guide project so that it behaves as expected), the reasons for this behaviour should be inspected. The initial assumption is that if the remediation spawns another child process, double quotes are placed around the arguments of that child process. But this might be a completely wrong assumption, and the reason for this behavior might be completely different.

Thank you for the research, Jan.

OpenSCAP and Cisecurity OVALRepo

Hi,

I'm trying to run OpenSCAP with an OVAL file generated with the OVALRepo (https://github.com/CISecurity/OVALRepo).

I run this command to create my oval file :

python3 build_oval_definitions_file.py --platform "Debian 8" -o debian_test.xml                          
INFO: Found 125 matching OVAL definitions
INFO: Finding downstream OVAL ids for all definitions
INFO: Found 512 downstream OVAL ids
INFO: Finding paths for 637 OVAL elements
INFO: Generating OVAL definition file with 637 elements
INFO: Writing OVAL definitions to debian_test.xml
INFO: Completed in 00:09:02!

I use the validate script :

`--> python3 validate_oval_definitons_files.py debian_test.xml 
INFO: Preparing to validate 1 file(s)
INFO: 1. debian_test.xml
INFO: Performing schema validation
INFO: Schema validation successful
INFO: Completed in 00:00:00!

The file is working on joval (source: CISecurity/OVALRepo#134, last message), but when I try to use it with OpenSCAP:

File 'debian_test.xml' line 4689: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}dpkginfo_test': This element is not expected.
File 'debian_test.xml' line 5730: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}uname_object': This element is not expected.
File 'debian_test.xml' line 6113: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}dpkginfo_state': This element is not expected.
File 'debian_test.xml' line 45: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}criterion': No match found for key-sequence ['oval:org.cisecurity:tst:42'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}testKeyRef'.
File 'debian_test.xml' line 49: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}criterion': No match found for key-sequence ['oval:org.cisecurity:tst:57'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}testKeyRef'.
[...]
File 'debian_test.xml' line 4683: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}criterion': No match found for key-sequence ['oval:org.cisecurity:tst:114'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}testKeyRef'.
OpenSCAP Error: Invalid OVAL Definition (5.11.1) content in debian_test.xml. [oscap_source.c:266]

My version of OpenSCAP :

OpenSCAP command line tool (oscap) 1.2.7

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

And I'm running it on a Debian 8 (Jessie).
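
An added triage helper (not from the original report, OVALRepo or OpenSCAP): for each criterion test_ref it reports whether a test with that id is actually present under tests, and in which namespace, which tells a test that is really absent from the file apart from one that is present when reading a "No match found for key-sequence" message. The sample document and its oval:example:* ids are constructed, and audit_test_refs is a hypothetical name.

```python
import sys
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample, not the reporter's debian_test.xml: one criterion points
# at a dpkginfo_test that exists, the other at a test id that is not in the file.
SAMPLE_OVAL = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="patch">
      <criteria>
        <criterion test_ref="oval:example:tst:42" comment="package check"/>
        <criterion test_ref="oval:example:tst:57" comment="no such test"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <linux:dpkginfo_test id="oval:example:tst:42" version="1" check="all" comment="dpkg">
      <linux:object object_ref="oval:example:obj:1"/>
    </linux:dpkginfo_test>
  </tests>
</oval_definitions>
"""


def _split(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        namespace, local = tag[1:].split("}", 1)
        return namespace, local
    return "", tag


def audit_test_refs(xml_text):
    """Cross-check criterion/@test_ref against the ids of the children of <tests>.

    Note: for content from an untrusted source, parse with a hardened XML
    parser (for example the defusedxml package) instead of ElementTree.
    """
    root = ET.fromstring(xml_text)

    # Every child of <tests> is a component test (dpkginfo_test, uname_test, ...).
    defined = {}
    tests = root.find(f"{{{OVAL_DEF_NS}}}tests")
    for element in (tests if tests is not None else []):
        test_id = element.get("id")
        if test_id:
            defined[test_id] = _split(element.tag)

    # Remember which definitions use each test_ref, so a finding can be traced back.
    referenced_by = {}
    for definition in root.iter(f"{{{OVAL_DEF_NS}}}definition"):
        for criterion in definition.iter(f"{{{OVAL_DEF_NS}}}criterion"):
            ref = criterion.get("test_ref")
            if ref:
                referenced_by.setdefault(ref, []).append(definition.get("id"))

    return {
        "dangling": sorted(ref for ref in referenced_by if ref not in defined),
        "present": {ref: defined[ref] for ref in referenced_by if ref in defined},
        "referenced_by": referenced_by,
    }


if __name__ == "__main__":
    # With a file argument, audit that file; otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            report = audit_test_refs(handle.read())
    else:
        report = audit_test_refs(SAMPLE_OVAL)
    for ref in report["dangling"]:
        print("missing test:", ref, "used by", report["referenced_by"][ref])
    for ref, (namespace, local) in sorted(report["present"].items()):
        print("present test:", ref, "element", local, "namespace", namespace)
```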

OpenSCAP segfaults with fetch remote resources

SCAP Workbench 1.1.1 with OpenSCAP 1.2.5 with fetch remote resources - RHEL5 USGCB content works fine.

SCAP Workbench 1.1.1 with OpenSCAP 1.2.6 with fetch remote resources - RHEL5 USGCB content causes a segfault.

This looks like a regression in 1.2.6!

OVAL Lint-like tool

Rationale: The authors of security policies sometimes struggle with the OVAL language. There are certain statements which are valid by the OVAL standard, but are not efficient or are equal to a no-operation.

Deliverable: A command-line tool or oscap oval lint module. The tool will inspect a single OVAL file and report errors and warnings. A lot can be achieved by coding schematron-like XSLT.

This is a big idea.

'oval eval' does not work properly in version 0.9.3 (RHEL) but does in v1.0.8

Is it correct that oscap oval eval is broken in OpenSCAP version 0.9.3?

On RHEL64 (no yum update) OpenSCAP appears to be version 0.9.3. For rule umask_for_daemons oscap oval eval does not indicate failure.

[root@vagrant fisma3]# oscap oval eval --id oval:ssg:def:221 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
Evaluation done.
[root@vagrant fisma3]# echo $?
0

Subscribing the system to Red Hat and updating openscap provides more expected results for oscap oval eval:

[root@vagrant fisma3]# oscap oval eval --id oval:ssg:def:221 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
Definition oval:ssg:def:221: false
Evaluation done.

CentOS65 with OpenSCAP version 1.0.8, doing oscap oval eval for umask_for_daemons responds:

oscap oval eval --id oval:ssg:def:221 --variables scans/variables.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
Definition oval:ssg:def:221: false
Evaluation done.
[root@vagrant fismacentos1]# echo $?
0
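
An added example (not part of the original report or of OpenSCAP): since the exit status shown above is 0 in both cases, a script that gates on oscap oval eval has to read the per-definition result lines, and has to treat a required definition with no result line as unknown rather than as passed. The names parse_results and gate and the "missing" label are assumptions; the two sample outputs are the ones quoted in the report.

```python
import re

# One line per evaluated definition, e.g. "Definition oval:ssg:def:221: false".
RESULT_LINE = re.compile(r"^Definition\s+(oval:\S+:def:\d+):\s+(.+?)\s*$")

# Tool output exactly as quoted in the report above.
OUTPUT_0_9_3 = "Evaluation done.\n"
OUTPUT_1_0_8 = "Definition oval:ssg:def:221: false\nEvaluation done.\n"


def parse_results(output):
    """Map definition id -> reported result for every result line in the output."""
    results = {}
    for line in output.splitlines():
        match = RESULT_LINE.match(line)
        if match:
            results[match.group(1)] = match.group(2).lower()
    return results


def gate(output, required_ids, expected="true"):
    """Return {definition_id: outcome} for each required definition that did
    not report the expected result.

    A definition that produced no result line at all is reported as "missing"
    instead of being silently counted as a pass. `expected` is "true" for
    compliance-class definitions; vulnerability-class definitions use the
    opposite sense, so pass expected="false" for those.
    """
    results = parse_results(output)
    problems = {}
    for definition_id in required_ids:
        outcome = results.get(definition_id, "missing")
        if outcome != expected:
            problems[definition_id] = outcome
    return problems


if __name__ == "__main__":
    for label, output in (("0.9.3", OUTPUT_0_9_3), ("1.0.8", OUTPUT_1_0_8)):
        print(label, gate(output, ["oval:ssg:def:221"]))
```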

Parallel Scanning

Rationale: Some of the OpenSCAP actions are CPU bound, others are I/O bound. OpenSCAP uses separate processes (probes) for accessing system properties. A study can be made to show that parallel scanning decreases scan time.

Deliverable: OpenSCAP is able to assess system properties in a parallel manner. The part of libopenscap which communicates with probes needs to be modified to allow for parallel execution.

This is a big idea.

declaration of ‘time’ shadows a global declaration

Making all in XCCDF
make[3]: Entering directory `/var/www/html/openscap/src/XCCDF'
CC libxccdf_la-benchmark.lo
CC libxccdf_la-elements.lo
CC libxccdf_la-item.lo
CC libxccdf_la-profile.lo
CC libxccdf_la-value.lo
CC libxccdf_la-resolve.lo
CC libxccdf_la-result.lo
result.c: In function ‘xccdf_rule_result_override’:
result.c:1157: warning: declaration of ‘time’ shadows a global declaration
/usr/include/time.h:186: warning: shadowed declaration is here
CC libxccdf_la-result_scoring.lo
CC libxccdf_la-rule.lo
CC libxccdf_la-tailoring.lo
CC libxccdf_la-xccdf_session.lo

Enable SCE by default in master

I think we can promote SCE in master.

The SCE is built as a separate soname. So, this enabled many downstreams to argue for SCE to be the default choice.

[SCAP.R.900] Add option to verify signature of signed XML files

The oscap tool currently supports --fetch-remote-resources option to download remote XCCDF / OVAL content from 3rd-party locations depending on the URL in the check.

Since some XML content might be signed (to ensure data integrity), when fetching remote XCCDF / OVAL content, there should be --verify option to verify the signature of the signed XML content (IOW verify the signed content is truly the authentic one).

Therefore this request for enhancement is filed in order for the new --verify option to be added to the oscap command (at appropriate places where --fetch-remote-resources is allowed and where signed XML content can be expected to be provided).

The idea is that the --verify option would automatically detect the key the content has been signed with. It would try to download the public key for that key, and perform the signature verification.

Optionally the --key option could be specified too (if necessary), which would hold the location of the public key which should be used for signed XML content verification.

In the ideal case the --fetch-remote-resources option would be able to detect if the XML content is signed or not. In the case it's not signed, it would proceed as currently. In the case the content is signed, and the --verify option was provided, it would try to download the corresponding public key for that content, and verify the integrity of the content. If it wasn't able to locate the public key, it would issue an Unable to locate public key for content verification. Use --key option to specify the location. message or something similar.

Thank you for the consideration.

Regards, Jan.

Verbose feature: Improve error messages:

(1) One error message reads: "Log file is not specified!". Can you please include advice for the user on what he/she needs to do? Something like: "Please provide --verbose-log-file FILE option together with --verbose"

(2) Another message reads: " Inavlid verbosity level!" Please advise user what are the verbosity levels here.

Low priority, moving to 1.2.8.

Weird non-UTF characters in OVAL results

When I run
oscap oval eval --id "oval:ssg:def:445" --results oval-results.xml /usr/share/xml/scap/ssg/content/ssg-fedora-oval.xml
I get non-deterministic results. In the OVAL results file, sometimes I get 5 //lin-sys:rpmverifyfile_item/lin-sys:name[text()="ca-certificates"] elements, but sometimes I get 6 of them. The sixth rpmverifyfile_item contains weird non-UTF-8 characters inside the filepath element.

See line 7570 in this file
wrong_utf8_oval_results.txt (GitHub can't upload *.xml, it's just renamed)

This means that a report can't be generated, and it seems to me it is a cause of https://bugzilla.redhat.com/show_bug.cgi?id=1277291

I am using OpenSCAP 1.2.6 and SSG 0.1.25 on Fedora 22 Workstation.

Segfault --oval-results

I have found an openscap segfault while working with openscap-daemon.

$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common --oval-results   /tmp/tmplTsI9g.txt 

I was suspecting my pull request #173, but when I revert its changes, the problem is still here.

When I revert commit 5a8295d, the problem disappears. BUT wrong XML content should not be able to cause a segfault, so the main problem is not in this content, but in openscap.

I have attached the content (yes, it is XML, but with a txt extension; GitHub doesn't allow me to upload XML)
tmplTsI9g.txt

Original content from https://github.com/OpenSCAP/openscap-daemon/blob/master/tests/data_dir_template/tasks/1.xml

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     movdqu  (%rax), %xmm12
Missing separate debuginfos, use: dnf debuginfo-install nss-3.20.0-1.0.fc22.x86_64 pcre-8.37-4.fc22.x86_64
(gdb) where
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff7b4f82d in oval_state_to_dom (state=0x1128460, doc=0x12ea440, parent=0x132c590) at oval_state.c:344
#2  0x00007ffff7b43626 in oval_definition_model_to_dom (definition_model=0x10b5750, doc=0x12ea440, parent=<optimized out>)
    at oval_defModel.c:556
#3  0x00007ffff7b70aa6 in oval_results_to_dom (parent=0x0, doc=0x12ea440, directives_model=0x10b7710, results_model=0x10ba510)
    at oval_resModel.c:257
#4  oval_results_model_export_source (results_model=results_model@entry=0x10ba510, directives_model=directives_model@entry=0x0, 
    name=name@entry=0x12eb450 "/home/zmoravec/gitRepos/openscap/%2Fhome%2Fzmoravec%2FgitRepos%2Fopenscap%2Fcpe%2Fopenscap-cpe-oval.xml.result.xml") at oval_resModel.c:281
#5  0x00007ffff7b91a6f in _xccdf_session_export_oval_result_file (session=session@entry=0x61baf0, oval_session=<optimized out>)
    at xccdf_session.c:1115
#6  0x00007ffff7b93932 in _build_oval_result_sources (session=0x61baf0) at xccdf_session.c:1164
#7  xccdf_session_export_oval (session=session@entry=0x61baf0) at xccdf_session.c:1179
#8  0x000000000040b56c in app_evaluate_xccdf (action=0x7fffffffd540) at oscap-xccdf.c:500
#9  0x0000000000407d5e in oscap_module_call (action=0x7fffffffd540) at oscap-tool.c:260
#10 oscap_module_process (module=0x614480 <XCCDF_EVAL>, module@entry=0x613a00 <OSCAP_ROOT_MODULE>, argc=argc@entry=7, 
    argv=argv@entry=0x7fffffffd7c8) at oscap-tool.c:345
#11 0x0000000000406dff in main (argc=7, argv=0x7fffffffd7c8) at oscap.c:80


RHEL7 O-SCAP needs to check /etc/security/pwquality.conf

I'm hoping I'm putting this in the correct forum.
First issue:
-Basically, all password SCAP checks (lcredit/ocredit/reuse etc.) result in errors or false. The issue is that RHEL7 O-SCAP needs to check /etc/security/pwquality.conf instead of /etc/pam.d/{system-auth, password-auth}. Is there any way this fix can be added in?

Additional Issues on this Topic:
-Password parameters (such as minimum age/min length etc.) do not pass SCAP. This issue is harder to identify and lies within /etc/login.defs

distcheck fails on double import of OVAL schemas

I have seen jenkins ( https://jenkins.open-scap.org/job/openscap-pull-requests/205/ ) failing in tests/API/XCCDF/applicability

OpenSCAP Error: Element '{http://www.w3.org/2001/XMLSchema}import':
        Skipping import of schema located at '/home/jenkins/workspace/openscap-pull-requests/openscap-1.0.11/schemas/oval/5.10.1/oval-definitions-schema.xsd'
                for the namespace 'http://oval.mitre.org/XMLSchema/oval-definitions-5',
                since this namespace was already imported with the schema located at '/home/jenkins/workspace/openscap-pull-requests/openscap-1.0.11/_build/../schemas/oval/5.10.1/oval-definitions-schema.xsd'.                 [/home/jenkins/workspace/openscap-pull-requests/openscap-1.0.11/schemas/oval/5.10.1/windows-definitions-schema.xsd:4]
                [../../../src/CPE/cpedict_priv.c:1213]

Clearly, we are importing the same schema twice under different locations. I am investigating more.

Feature request: Consider the ability to reshuffle HTML guide's content

The currently generated HTML guide for benchmarks / profiles from SSG always follows the very same structure:

  • Introduction
  • System settings
    • Installing Software section etc.
  • Services

It would be nice if the HTML guide could support providing the very same content, but having the particular sections reshuffled according to the preferences of the user.

Concrete Use Case:

Consider the PCI DSS v3 standard form. Let's suppose the user would want to have an HTML guide in the form of:

  • Display sections / rules for "Req #1 first",
  • Display sections / rules for "Req #2",
  • ... Display sections / rules for "Req #12"

Thank you for your consideration, Jan.

Create tests for --skip-valid options

I think it would be beneficial if we test --skip-valid option in our upstream test suite.
I suggest to create some invalid OVAL content, run oscap without validation and check whether:

  1. content is not validated
  2. oscap starts evaluation
  3. oscap ends with some error message or whatever, but NOT segfault

If we had had such a test in the past, we would have avoided some issues that have appeared recently.
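
One way to automate the test proposed above, added here and not taken from the OpenSCAP test suite: it runs a command on deliberately invalid OVAL content and passes only if the process neither reports a validation failure nor dies from a signal. The OVAL content is constructed, the validation marker is the wording of the oscap error quoted elsewhere on this page, and classify and check_skip_valid are hypothetical names; point 2 of the list (evaluation actually started) is not asserted here.

```python
import os
import shutil
import signal
import subprocess
import tempfile

# Constructed content: well-formed XML that is not valid OVAL (no generator,
# an unknown element, and a criterion that points at a test which does not exist).
INVALID_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <metadata><title>constructed</title><description>constructed</description></metadata>
      <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
    </definition>
  </definitions>
  <not_an_oval_element/>
</oval_definitions>
"""

# Assumption: a validation failure is reported with this wording, as in the
# "Invalid OVAL Definition (5.11.1) content" error quoted elsewhere on this page.
VALIDATION_MARKER = "Invalid OVAL Definition"


def classify(returncode):
    """Reduce a process return code to clean-exit, error-exit or crash:<SIGNAL>."""
    if returncode == 0:
        return "clean-exit"
    # subprocess reports death by signal as -N; a wrapping shell reports 128+N.
    signum = -returncode if returncode < 0 else returncode - 128
    if signum > 0:
        try:
            return "crash:" + signal.Signals(signum).name
        except ValueError:
            pass  # 128+N where N is not a signal number: an ordinary exit code
    return "error-exit"


def check_skip_valid(argv, timeout=120):
    """Run argv and decide whether the run satisfies the test plan."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"outcome": "timeout", "validated": False, "ok": False}
    outcome = classify(proc.returncode)
    validated = VALIDATION_MARKER in (proc.stdout + proc.stderr)
    # Any error exit is acceptable; a crash or a validation run is not.
    ok = not validated and not outcome.startswith("crash")
    return {"outcome": outcome, "validated": validated, "ok": ok}


if __name__ == "__main__":
    oscap = shutil.which("oscap")
    if oscap is None:
        print("oscap not found on PATH, nothing to run")
    else:
        with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as handle:
            handle.write(INVALID_OVAL)
        try:
            print(check_skip_valid([oscap, "oval", "eval", "--skip-valid", handle.name]))
        finally:
            os.unlink(handle.name)
```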

SDS schema shall include OVAL-5.11.1

We have sds schema patched to use 5.11 schemas. See 0aa1a0d and 8da0f0a.

We perhaps should patch SDS schema now to include 5.11.1. However, this needs some testing before it is done.

Test plan:

  • our make check shall include a test that creates a datastream from a simple 5.11.1 OVAL file
  • ssg's make validate shall pass when we patch our schema.

Verbose feature: Improve include header dependencies

@jan-cerny, you have recently added an include of public/oscap_debug.h to src/common/util.h. This fixes the build, however it is not 100% technically accurate. The util.h does not depend on oscap_debug.h. In a perfect world we should include oscap_debug.h only from files that require something from it.

A motivation behind this is that, in general, having clear dependencies makes future refactoring much easier. I learned this last year, when I tried to decouple the src/OVAL/results/ folder. There were cyclic dependencies that were not needed and that made my job harder. Further, the util.h file is already quite complex (ifdefs), so having one less include here makes sense to me.

So what needs to be done:
(1) remove that include
(2) try to include oscap_debug.h from other files

I think there will not be many files affected by this (since everyone affected should already include oscap_debug.h), but I may be wrong. If you find you would need to modify each file, please feel free to close this as WONTFIX.

This is very minor issue, @jan-cerny. However, I still feel it makes sense to fix it. It can be postponed to 1.2.8+.

OCIL: The Open Checklist Interactive Language

Rationale: OCIL is a standard from the SCAP family. It allows for interaction with the auditor by means of questionnaires. Currently OpenSCAP lacks an implementation of this standard.

Deliverable: New OpenSCAP module. Integration with oscap xccdf eval.

This is a big idea.

OpenSCAP prints many error messages when building sce-community-content

I have OpenSCAP 1.2.6 installed from Fedora 22 repository. I have installed openscap-sce-engine package. I have cloned the sce-community-content repository from https://github.com/OpenSCAP/sce-community-content The problem is I am not able to build it.
When I do

cd sce-community-content
cd src
make

I got the following error:

[jcerny@thinkpad src{master}]$ make
../utils/xccdf_compose.py .
Rule 'xccdf_org.open-scap.sce-community-content_rule_services_obsolete-disable_finger_server' contains no proper list of affected file(s)
Rule 'xccdf_org.open-scap.sce-community-content_rule_services_obsolete-disable_rsh_server' contains no proper list of affected file(s)
Rule 'xccdf_org.open-scap.sce-community-content_rule_services_obsolete-disable_telnet_server' contains no proper list of affected file(s)
oscap xccdf validate-xml all-xccdf.xml
oscap xccdf resolve -o all-resolved-xccdf.xml all-xccdf.xml
oscap xccdf generate guide all-resolved-xccdf.xml > guide.html
../utils/xml_append.py all-resolved-xccdf.xml dummy-oval-rule.xml > all-resolved-xccdf-dummyoval.xml
oscap ds sds-compose all-resolved-xccdf-dummyoval.xml sds-datastream-unformated.xml
OpenSCAP Error: Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/passwd_file_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/passwd_file_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/passwd_file_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/shadow_file_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/shadow_file_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/shadow_file_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/group_file_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/group_file_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/group_file_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/gshadow_file_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/gshadow_file_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/gshadow_file_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/bash
^
Unable to parse XML at: 'system/authsettings/zero_uid_root.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/authsettings/k5login_file_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/bootloader/grub_conf_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/bootloader/grub_conf_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/bootloader/grub_conf_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env bash
^
Unable to parse XML at: 'system/execution/exec_shield.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env bash
^
Unable to parse XML at: 'system/execution/va_randomization.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/bash
^
Unable to parse XML at: 'system/execution/core_disable.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env bash
^
Unable to parse XML at: 'system/execution/core_disable_setuid.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/file_permissions/root_home_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/file_permissions/root_home_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/file_permissions/home_dirs_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/file_permissions/world_writable_dirs_sticky.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/file_permissions/world_writable_dirs_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'system/file_permissions/world_writable_files.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env bash
^
Unable to parse XML at: 'system/selinux/selinux.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/bash
^
Unable to parse XML at: 'system/yum/gpgcheck_default.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/bash
^
Unable to parse XML at: 'system/yum/gpgcheck_repos.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/cron_allow_deny_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/cron_allow_deny_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/cron_allow_deny_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/crontab_files_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/crontab_files_owners.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/crontab_files_groups.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/cron_dirs_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/cron_dirs_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/cron/cron_dirs_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env bash
^
Unable to parse XML at: 'services/cron/crontab_vars_shell.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env bash
^
Unable to parse XML at: 'services/cron/crontab_vars_path.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/bash
^
Unable to parse XML at: 'services/logging/logs_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env bash
^
Unable to parse XML at: 'services/logging/logs_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env bash
^
Unable to parse XML at: 'services/logging/logs_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/logging/audits_permissions.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/logging/audits_owner.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/logging/audits_group.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/sh
^
Unable to parse XML at: 'services/openssh/home_ssh_sensitive.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/sh
^
Unable to parse XML at: 'services/openssh/home_ssh_pubkey.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/openssh/sshd_disable_empty_pws.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/openssh/sshd_disable_root_login.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/obsolete/disable_finger_server.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/usr/bin/env sh
^
Unable to parse XML at: 'services/obsolete/disable_rsh_server.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/sh
^
Unable to parse XML at: 'services/obsolete/disable_telnet_server.sh' [oscap_source.c:232]
Start tag expected, '<' not found [oscap_source.c:230]
Entity: line 1: parser error : Start tag expected, '<' not found
#!/bin/sh
^
Unable to parse XML at: 'services/obsolete/disable_nfs_exports.sh' [oscap_source.c:232]
xmllint --format sds-datastream-unformated.xml > sds-datastream.xml
rm sds-datastream-unformated.xml
rm all-resolved-xccdf-dummyoval.xml

To avoid confusion, I attach the output of oscap --version

[jcerny@thinkpad src{master}]$ oscap --version
OpenSCAP command line tool (oscap) 1.2.6
Copyright 2009--2015 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Scientific Linux 5 - cpe:/o:scientificlinux:scientificlinux:5
Scientific Linux 6 - cpe:/o:scientificlinux:scientificlinux:6
Scientific Linux 7 - cpe:/o:scientificlinux:scientificlinux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Fedora 22 - cpe:/o:fedoraproject:fedora:22
Fedora 23 - cpe:/o:fedoraproject:fedora:23
Fedora 24 - cpe:/o:fedoraproject:fedora:24
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info                  probe_system_info           
family                       probe_family                
filehash                     probe_filehash              
environmentvariable          probe_environmentvariable   
textfilecontent54            probe_textfilecontent54     
textfilecontent              probe_textfilecontent       
variable                     probe_variable              
xmlfilecontent               probe_xmlfilecontent        
environmentvariable58        probe_environmentvariable58 
filehash58                   probe_filehash58            
inetlisteningservers         probe_inetlisteningservers  
rpminfo                      probe_rpminfo               
partition                    probe_partition             
iflisteners                  probe_iflisteners           
rpmverify                    probe_rpmverify             
rpmverifyfile                probe_rpmverifyfile         
rpmverifypackage             probe_rpmverifypackage      
selinuxboolean               probe_selinuxboolean        
selinuxsecuritycontext       probe_selinuxsecuritycontext
systemdunitproperty          probe_systemdunitproperty   
systemdunitdependency        probe_systemdunitdependency 
file                         probe_file                  
interface                    probe_interface             
password                     probe_password              
process                      probe_process               
runlevel                     probe_runlevel              
shadow                       probe_shadow                
uname                        probe_uname                 
xinetd                       probe_xinetd                
sysctl                       probe_sysctl                
process58                    probe_process58             
fileextendedattribute        probe_fileextendedattribute 
routingtable                 probe_routingtable          
symlink                      probe_symlink           

Docs: Missing build dependency in README.md

When configuring OpenSCAP for a build, oscap-docker requires bzip2 to be installed.

Build environment:

  • CentOS 7.1: contents of /etc/centos_release is "CentOS Linux release 7.1.1503 (Core)"
  • OpenSCAP: maint-1.2 branch or new branch from 1.2.7 tag
  • Configure command line: ./configure --enable-dependency-tracking --enable-cce --enable-python --enable-regex-posix --enable-ssp --enable-sce

Error messages are the following:
"configure: error: in `/home/mzaoui/Projects/OpenSCAP/openscap':
configure: error: oscap-docker requires bzip2! Either disable oscap-docker or install bzip2."

Problem is solved by installing 'bzip2-devel' package.

Suggestion: add bzip2-devel as a build dependency in the README.md file.

Limited Time Scan

Rationale: Along the lines of parallel scanning, it would be nice to have a flag that runs a fast scan, one that ignores any probe that takes longer than a couple seconds. The rationale is that as a newbie, I am frequently just testing my commands and understanding of the tool, or seeing if a remediation significantly improved my compliance score, and would like to run a rich scan and produce a report but not wait 8 to 12 minutes each time.

Deliverable: libopenscap should be able to kill the probe if the time exceeds a given constant. Note that OVAL standard well supports a scenario when the items were not collected.

This is a big idea.

[Bug] [bzip2 parser] openscap-1.2.5 doesn't seem to be able to process XCCDF with remotely referenced OVAL provided in *.bz2 format

Description of problem:

OpenSCAP supports *.bz2 format for input data:
    [1] https://fedorahosted.org/openscap/ticket/473
    [2] #94

But it does not seem to support the scenario where a particular XCCDF / DS references a remote OVAL provided in *.bzip2 format.

Version tested at:

openscap-1.2.5-3.el7.x86_64

How reproducible:

Always

Steps to reproduce:

  1. Provide XCCDF / DS to OpenSCAP referencing remote OVAL check in *.bz2 format, e.g. something like:
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <check-content-ref href="http://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2" />
</check>

Current result:

[root@localhost ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 (Maipo)
[root@localhost ~]# rpm -q openscap
openscap-1.2.5-3.el7.x86_64
[root@localhost ~]# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common_customized --tailoring-file /root/updated.xml --report /tmp/report.html --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Downloading: http://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
/tmp/oscap.FONsN3/downloaded.MJ0qnu:1: parser error : Start tag expected, '<' not found
BZh91AY&SY�L���6K��x�_����������
^
OpenSCAP Error: Start tag expected, '<' not found [/tmp/oscap.FONsN3/downloaded.MJ0qnu:1] [oscap_source.c:186]
Unable to parse XML at: '/tmp/oscap.FONsN3/downloaded.MJ0qnu' [oscap_source.c:187]
Failed to create OVAL definition model from: '/tmp/oscap.FONsN3/downloaded.MJ0qnu'. [xccdf_session.c:749]

Expected result:

Scanning a system using XCCDF / DS referencing OVAL in *.bzip2 format when --fetch-remote-resources option is provided works fine.

Additional information:

I will check the behaviour of the current upstream master yet.

OpenSCAP segfault (xslt)

When you run

cd tests/oval_details
oscap xccdf eval --results  `mktemp` --oval-results --report `mktemp` ./rpminfo.xccdf.xml

It can have three different (random) results

  • Some error message
runtime error: file /home/zmoravec/gitRepos/openscap/xsl/xccdf-report-oval-details.xsl line 44 element key
Failed to evaluate the 'match' expression.
  • Segmentation fault gdb.txt
  • doesn't exit

It seems to be ok, when I revert 6b278aa.
But this is probably not caused by wrong content.

Rpmverifyfile probe can't verify files from /bin directory

Hello, I was writing a small test for rpmverifyfile probe. I tried to find a filepath that exists on every system so it is suitable for an upstream test. I suggested /usr/bin/sh, which worked well, but @mpreisler thought that /bin/sh would be better, because not all the distros do the usrmove.

Unfortunately, setting /bin/sh as filepath in //lin-def:rpmverifyfile_object/lin-def:filepath does not work! I got that the object does not exist in the OVAL results. I have the same problem for /bin/bash, /bin/python, /bin/diff. I think it is very likely that this issue affects the whole /bin directory.

The problem is that this behavior is not consistent with running rpm -Vf command manually. For example:

[jcerny@thinkpad ~]$ rpm -Vf /bin/bash
[jcerny@thinkpad ~]$ echo $?
0

Works OK.

If the object does not exist in a rpm package, I got an error message that file is not owned by any package:

[jcerny@thinkpad ~]$ rpm -Vf /home/jcerny/pokus.txt
soubor /home/jcerny/pokus.txt nevlastní žádný balíček
[jcerny@thinkpad ~]$ echo $?
1

This issue might be related to https://fedorahosted.org/openscap/ticket/512

My problem is with OpenSCAP 1.2.5 on Fedora 22 and also with current maint-1.2

<Rule> with <refine-rule role="unchecked"> gets checked

Tested with oscap version 1.0.8.

A <refine-rule> element specifying role="unchecked" does not prevent the target <Rule> from undergoing evaluation.

I have specifically tested this using a <Rule selected="false"> , a <select selected="true">, and a <refine-rule role="unchecked">.

I also tested with a <Rule role="unchecked"> and found the check also occurs.

Non UTF-8 encoding in RPM verify when using --oval-results flag

Using oscap 1.2.1 and running with the --oval-results flag the end of the scan report reports this error multiple times:

/tmp/ssg-rhel7-oval.xml.result.xml:38166: parser error : Input is not proper UTF-8, indicate encoding !
Bytes: 0xE1 0x3F 0x3B 0x10
            <lin-sys:filepath>▒?;</lin-sys:filepath>
                              ^
/tmp/ssg-rhel7-oval.xml.result.xml:38166: parser error : PCDATA invalid Char value 16
            <lin-sys:filepath>▒?;</lin-sys:filepath>

The application it's failing on is Security Center.
In notepad++ the line looks like:

<lin-sys:filepath>xE1?;DLExAE�</lin-sys:filepath>

Other info:
OS: RHEL7.0
Command used (xxx are paths or names): oscap xccdf eval --profile xxx --cpe xxx --results xxx --oval-results --check-engine-results --report xxx xxx

OpenSCAP Shell

Rationale: The rationale is to avoid copying and pasting a set of parameters and values and file paths and to be able to share and track a configuration file that captures specific tailoring files or xsl sheets more easily among individuals.

Deliverable: Similarly as there is a lvm shell or virsh, we could build a shell like capability.

This is a big idea.

Get result "notchecked"

Hi,

When I launch a scan, I get result "notchecked" for all rules.
I run the following command :

oscap xccdf eval --results xccdf-results.xml --cpe guide-cpe-dictionary.xml guide-xccdf.xml

What can be the reasons to get results "notchecked"?

Thank you

OpenSCAP reports not applicable for RHEL 7 Docker images/containers in offline mode.

I run OpenSCAP on RHEL7 trying to do a OVALS scan of the official RHEL7 docker image.
All the definitions are turning up as not applicable for RHEL 7 image. Whereas the same definitions work for the official RHEL 6.5 image.
Was using this set of definitions http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.
To debug the issue I cut down on all the definitions and kept only definition, in this I tried various things such as removing CPE attached to this definition, changing the CPE to RHEL 7. All of this still results in "Not Applicable"

I finally removed the open scap rpm and downloaded the sources, compiled open scap in debug mode using this http://www.open-scap.org/page/Debug and then set OSCAP_DEBUG_LEVEL=2.
And then ran open scap.
In the debug logs I see this:
(4338:7fce0ff84840) E:error.c:57:oscap_err_new Probe has been killed with signal 11
(4338:7fce0ff84840) E:error.c:57:oscap_err_new Probe has core dumped.

Open Scap Version is 1.2.6
Details of openscap --version is in this gist. https://gist.github.com/user987654/78de180917c52d3f202a

Supporting files as gists:

  1. Debug log of successful offline run against a rhel6.5 Container. https://gist.github.com/user987654/0e3342b0983f211fa228
  2. Debug log of offline run against a rhel7 container:
    https://gist.github.com/user987654/a585aa19862dd205355c
  3. Sample definition file
    https://gist.github.com/user987654/96d929b7f3e14cdd6031

Edit #1:
I tried the same definition to be run by not using offline mode and that works. So this seems to be an issue limited to the RHEL7 Image and open scap offline mode.

Conversion error on rhel 6.7

I faced an error while evaluating the pci-dss profile on rhel 6.7 using upstream's ssg and oscap.

cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.7 (Santiago)
oscap xccdf eval --remediate --profile pci-dss --report /root/oscap_pci-dss_remediation_report.html scap-security-guide/RHEL/6/output/ssg-rhel6-xccdf.xml
....

itle^M Enable the NTP Daemon
Rule^M  service_ntpd_enabled
Ident^M CCE-27093-4
Ident^M DISA FSO RHEL-06-000247
/tmp/oscap.86u1ve/xccdf-result.xml:27283: parser error : PCDATA invalid Char value 27
      <message severity="info">Starting ntpd: ^[[60G[^[[0;32m  OK  ^[[0;39m]&#13;
                                              ^
/tmp/oscap.86u1ve/xccdf-result.xml:27283: parser error : PCDATA invalid Char value 27
      <message severity="info">Starting ntpd: ^[[60G[^[[0;32m  OK  ^[[0;39m]&#13;
                                                    ^
/tmp/oscap.86u1ve/xccdf-result.xml:27283: parser error : PCDATA invalid Char value 27
      <message severity="info">Starting ntpd: ^[[60G[^[[0;32m  OK  ^[[0;39m]&#13;
                                                                 ^
OpenSCAP Error: Conversion of the string "" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
Conversion of the string "" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
Conversion of the string "" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
Conversion of the string "" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
Conversion of the string "" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
Could not parse the XML document '/tmp/oscap.86u1ve/xccdf-result.xml' [oscapxml.c:429]
Result^M        fixed

Evaluation without remediation is fine.
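The two reports above, "Non UTF-8 encoding in RPM verify when using --oval-results flag" and "Conversion error on rhel 6.7", both end with a result file that libxml2 rejects because collected bytes (0xE1, char value 16, char value 27) were written into PCDATA unchanged. As an added example, not OpenSCAP's code or its actual fix, this is one way to filter untrusted text before serializing it: the names `xml10_sanitize`, `utf8_decode` and `xml10_char_ok` are hypothetical, the sample inputs are constructed from the bytes quoted in the reports, and substituting U+FFFD for rejected input is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* XML 1.0 "Char" production: the only code points a document may contain. */
static int xml10_char_ok(unsigned long cp)
{
    return cp == 0x9 || cp == 0xA || cp == 0xD ||
           (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) ||
           (cp >= 0x10000 && cp <= 0x10FFFF);
}

/* Strictly decode one UTF-8 sequence from s (n >= 1 bytes available).
 * Returns its length (1..4) and stores the code point, or 0 if malformed. */
static size_t utf8_decode(const unsigned char *s, size_t n, unsigned long *cp)
{
    static const unsigned long min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    unsigned long c;
    size_t len, i;

    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0)      { len = 2; c = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; c = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; c = s[0] & 0x07; }
    else return 0;                      /* stray continuation byte or 0xF8+ */
    if (len > n) return 0;              /* truncated sequence */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min_cp[len]) return 0;      /* overlong encoding */
    *cp = c;  /* surrogates and values above U+10FFFF fail xml10_char_ok() */
    return len;
}

/* Append len bytes if they fit (leaving room for NUL); always count them. */
static void emit(char *out, size_t cap, size_t *pos, const char *s, size_t len)
{
    if (out != NULL && *pos + len < cap)
        memcpy(out + *pos, s, len);
    *pos += len;
}

/* Copy in[0..in_len) to out as text that is safe inside XML 1.0 PCDATA:
 * malformed UTF-8 and forbidden code points become U+FFFD, markup characters
 * become entities, CR becomes &#13;. Returns the length needed (without NUL);
 * out holds the full result only if that is < out_cap, otherwise it is "". */
size_t xml10_sanitize(const unsigned char *in, size_t in_len,
                      char *out, size_t out_cap, size_t *replaced)
{
    size_t i = 0, pos = 0, bad = 0;

    while (i < in_len) {
        unsigned long cp = 0;
        size_t len = utf8_decode(in + i, in_len - i, &cp);

        if (len == 0 || !xml10_char_ok(cp)) {
            emit(out, out_cap, &pos, "\xEF\xBF\xBD", 3);   /* U+FFFD */
            bad++;
            i += len ? len : 1;         /* resynchronise one byte at a time */
            continue;
        }
        switch (cp) {
        case '&':  emit(out, out_cap, &pos, "&amp;", 5); break;
        case '<':  emit(out, out_cap, &pos, "&lt;", 4);  break;
        case '>':  emit(out, out_cap, &pos, "&gt;", 4);  break;
        case 0xD:  emit(out, out_cap, &pos, "&#13;", 5); break;
        default:   emit(out, out_cap, &pos, (const char *)in + i, len);
        }
        i += len;
    }
    if (out != NULL && out_cap > 0)
        out[pos < out_cap ? pos : 0] = '\0';
    if (replaced != NULL)
        *replaced = bad;
    return pos;
}

int main(void)
{
    /* Constructed samples modelled on the two reports above. */
    static const unsigned char path[] = { 0xE1, 0x3F, 0x3B, 0x10 };
    const char *msg = "Starting ntpd: \x1b[60G[\x1b[0;32m  OK  \x1b[0;39m]\r";
    char buf[128];
    size_t bad;

    xml10_sanitize(path, sizeof path, buf, sizeof buf, &bad);
    printf("<lin-sys:filepath>%s</lin-sys:filepath> (%zu replaced)\n", buf, bad);
    xml10_sanitize((const unsigned char *)msg, strlen(msg), buf, sizeof buf, &bad);
    printf("<message severity=\"info\">%s</message> (%zu replaced)\n", buf, bad);
    return 0;
}
```

The replacement count lets a caller log that collected data was altered instead of failing later when the report stylesheet re-parses the file.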

Segmentation fault during evaluating sectool content

Hello. I tried to reproduce the regression https://bugzilla.redhat.com/show_bug.cgi?id=1275369 in Fedora. I could not reproduce it on Fedora, because I didn't know which content was used. However I have found a nice segmentation fault, which seems related to it. The segfault happened when I tried to evaluate sectool content from openscap repository.

The segmentation fault appears on current maint-1.2 and also on OpenSCAP 1.2.6 from Fedora 22 repository.

How to reproduce:

./run utils/.libs/oscap xccdf eval --check-engine-results --report report.html dist/fedora/sectool-xccdf/sectool-xccdf.xml

It gives a lovely backtrace:

#0  0x00007ff83e14b4ba in ___vfprintf_chk (fp=0x175c9c0, flag=flag@entry=1, format=format@entry=0x7ff83e719f85 "I/O ", ap=ap@entry=0x7fff1a72a150) at vfprintf_chk.c:29
#1  0x00007ff83e63cf93 in vfprintf (__ap=0x7fff1a72a150, __fmt=0x7ff83e719f85 "I/O ", __stream=<optimized out>) at /usr/include/bits/stdio2.h:127
#2  xmlGenericErrorDefaultFunc (ctx=<optimized out>, msg=0x7ff83e719f85 "I/O ") at error.c:78
#3  0x00007ff83e63d473 in xmlReportError (err=err@entry=0x194a838, ctxt=ctxt@entry=0x194a5e0, 
    str=str@entry=0x194b380 "failed to load external entity \"/home/jcerny/openscap/.result.xml\"\n", channel=0x7ff83e63cee0 <xmlGenericErrorDefaultFunc>, channel@entry=0x0, 
    data=0x175c9c0, data@entry=0x0) at error.c:325
#4  0x00007ff83e63eb85 in __xmlRaiseError (schannel=0x0, channel=0x7ff83e63da90 <xmlParserWarning__internal_alias>, data=0x194a5e0, ctx=0x194a5e0, nod=nod@entry=0x0, domain=domain@entry=8, 
    code=1549, level=XML_ERR_WARNING, file=0x0, line=0, str1=0x19585c0 "/home/jcerny/openscap/.result.xml", str2=0x0, str3=0x0, int1=0, col=0, 
    msg=0x7ff83e71a598 "failed to load external entity \"%s\"\n") at error.c:631
#5  0x00007ff83e66b880 in __xmlLoaderErr (ctx=ctx@entry=0x194a5e0, msg=msg@entry=0x7ff83e71a598 "failed to load external entity \"%s\"\n", 
    filename=filename@entry=0x19585c0 "/home/jcerny/openscap/.result.xml") at xmlIO.c:482
#6  0x00007ff83e640cb7 in xmlNewInputFromFile__internal_alias (ctxt=ctxt@entry=0x194a5e0, filename=filename@entry=0x19585c0 "/home/jcerny/openscap/.result.xml") at parserInternals.c:1518
#7  0x00007ff83e66e3a7 in xmlDefaultExternalEntityLoader (URL=0x193c7c0 "/home/jcerny/openscap/.result.xml", ID=0x0, ctxt=0x194a5e0) at xmlIO.c:4077
#8  0x00007ff83e66e1ff in xmlLoadExternalEntity__internal_alias (URL=<optimized out>, ID=0x0, ctxt=0x194a5e0) at xmlIO.c:4133
#9  0x00007ff8400d81bd in xsltDocDefaultLoaderFunc (URI=0x194a580 "/home/jcerny/openscap/.result.xml", dict=0x18dbf40, options=16398, ctxt=<optimized out>, type=<optimized out>)
    at documents.c:85
#10 0x00007ff8400d8586 in xsltLoadDocument (ctxt=0x18dbd30, URI=0x194a580 "/home/jcerny/openscap/.result.xml") at documents.c:318
#11 0x00007ff8400d52e4 in xsltDocumentFunctionLoadDocument (URI=0x194a580 "/home/jcerny/openscap/.result.xml", ctxt=0x193c830) at functions.c:142
#12 xsltDocumentFunction (ctxt=0x193c830, nargs=<optimized out>) at functions.c:341
#13 0x00007ff83e6990ae in xmlXPathCompOpEval (ctxt=0x193c830, op=0x1808798) at xpath.c:13586
#14 0x00007ff83e6992f0 in xmlXPathCompOpEval (ctxt=0x193c830, op=0x18087d0) at xpath.c:13475
#15 0x00007ff83e6992f0 in xmlXPathCompOpEval (ctxt=0x193c830, op=0x1808808) at xpath.c:13475
#16 0x00007ff83e6992f0 in xmlXPathCompOpEval (ctxt=0x193c830, op=0x1808840) at xpath.c:13475
#17 0x00007ff83e698bb6 in xmlXPathCompOpEval (ctxt=ctxt@entry=0x193c830, op=0x1808878) at xpath.c:13977
#18 0x00007ff83e69bce1 in xmlXPathCompOpEval (op=<optimized out>, ctxt=0x193c830) at xpath.c:13281
#19 xmlXPathRunEval (ctxt=ctxt@entry=0x193c830, toBool=toBool@entry=0) at xpath.c:14552
#20 0x00007ff83e69be52 in xmlXPathCompiledEvalInternal (comp=comp@entry=0x17be7f0, ctxt=ctxt@entry=0x18dd060, resObj=resObj@entry=0x7fff1a72a9e0, toBool=toBool@entry=0) at xpath.c:14915
#21 0x00007ff83e6a0186 in xmlXPathCompiledEval__internal_alias (comp=comp@entry=0x17be7f0, ctx=ctx@entry=0x18dd060) at xpath.c:14978
#22 0x00007ff8400cc1ee in xsltEvalVariable (ctxt=ctxt@entry=0x18dbd30, variable=variable@entry=0x1908580, castedComp=castedComp@entry=0x17bf850) at variables.c:903
#23 0x00007ff8400cc542 in xsltBuildVariable (ctxt=ctxt@entry=0x18dbd30, castedComp=castedComp@entry=0x17bf850, tree=tree@entry=0x0) at variables.c:1759
#24 0x00007ff8400cc6a3 in xsltRegisterVariable (ctxt=ctxt@entry=0x18dbd30, castedComp=0x17bf850, tree=0x0, isParam=isParam@entry=0) at variables.c:1821
#25 0x00007ff8400cde63 in xsltParseStylesheetVariable (ctxt=ctxt@entry=0x18dbd30, inst=inst@entry=0x17bfc00) at variables.c:2144
#26 0x00007ff8400dc352 in xsltApplySequenceConstructor (ctxt=0x18dbd30, contextNode=0x1728540, list=0x17bfc00, templ=0x0) at transform.c:2667
#27 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=0x18dbd30, contextNode=0x1728540, list=0x17bef60, templ=0x0) at transform.c:2647
#28 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1728540, list=list@entry=0x17be1c0, templ=templ@entry=0x18cd4c0)
    at transform.c:2647
#29 0x00007ff8400dea92 in xsltApplyXSLTTemplate (ctxt=0x18dbd30, contextNode=0x1728540, list=0x17be1c0, templ=0x18cd4c0, withParams=0x19072d0) at transform.c:3108
#30 0x00007ff8400e035a in xsltCallTemplate (ctxt=0x175c9c0, node=0x1, inst=0x7fff1a72a150, castedComp=0x7fff1a72a150) at transform.c:4758
#31 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=0x18dbd30, contextNode=0x1728540, list=0x17c28a0, templ=0x0) at transform.c:2647
#32 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1728540, list=list@entry=0x17c16b0, templ=templ@entry=0x18cd970)
    at transform.c:2647
#33 0x00007ff8400dea92 in xsltApplyXSLTTemplate (ctxt=0x18dbd30, contextNode=0x1728540, list=0x17c16b0, templ=0x18cd970, withParams=0x1907110) at transform.c:3108
#34 0x00007ff8400e035a in xsltCallTemplate (ctxt=0x175c9c0, node=0x1, inst=0x7fff1a72a150, castedComp=0x7fff1a72a150) at transform.c:4758
#35 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=0x18dbd30, contextNode=0x1728540, list=0x17d0c80, templ=0x0) at transform.c:2647
#36 0x00007ff8400cc330 in xsltEvalVariable (ctxt=ctxt@entry=0x18dbd30, variable=variable@entry=0x1906eb0, castedComp=castedComp@entry=0x18111e0) at variables.c:977
#37 0x00007ff8400cc542 in xsltBuildVariable (ctxt=ctxt@entry=0x18dbd30, castedComp=castedComp@entry=0x18111e0, tree=tree@entry=0x17d0c80) at variables.c:1759
#38 0x00007ff8400cc6a3 in xsltRegisterVariable (ctxt=ctxt@entry=0x18dbd30, castedComp=0x18111e0, tree=0x17d0c80, isParam=isParam@entry=0) at variables.c:1821
#39 0x00007ff8400cde63 in xsltParseStylesheetVariable (ctxt=ctxt@entry=0x18dbd30, inst=inst@entry=0x17d0a60) at variables.c:2144
#40 0x00007ff8400dc352 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1728540, list=list@entry=0x17c3cc0, templ=templ@entry=0x18cda10)
    at transform.c:2667
#41 0x00007ff8400dea92 in xsltApplyXSLTTemplate (ctxt=0x18dbd30, contextNode=0x1728540, list=0x17c3cc0, templ=0x18cda10, withParams=0x18f91c0) at transform.c:3108
#42 0x00007ff8400e035a in xsltCallTemplate (ctxt=0x175c9c0, node=0x1, inst=0x7fff1a72a150, castedComp=0x7fff1a72a150) at transform.c:4758
#43 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=0x1728540, list=list@entry=0x17d9cf0, templ=templ@entry=0x0) at transform.c:2647
#44 0x00007ff8400dd44a in xsltForEach (ctxt=0x18dbd30, contextNode=<optimized out>, inst=<optimized out>, castedComp=<optimized out>) at transform.c:5738
#45 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x171c0b0, list=list@entry=0x17d8c70, templ=templ@entry=0x18cf780)
    at transform.c:2647
#46 0x00007ff8400dea92 in xsltApplyXSLTTemplate (ctxt=0x18dbd30, contextNode=0x171c0b0, list=0x17d8c70, templ=0x18cf780, withParams=0x18edc40) at transform.c:3108
#47 0x00007ff8400e035a in xsltCallTemplate (ctxt=0x175c9c0, node=0x1, inst=0x7fff1a72a150, castedComp=0x7fff1a72a150) at transform.c:4758
#48 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=0x171c0b0, list=list@entry=0x17d8e80, templ=templ@entry=0x0) at transform.c:2647
#49 0x00007ff8400dd44a in xsltForEach (ctxt=0x18dbd30, contextNode=<optimized out>, inst=<optimized out>, castedComp=<optimized out>) at transform.c:5738
#50 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1719660, list=list@entry=0x17d8c70, templ=templ@entry=0x18cf780)
    at transform.c:2647
#51 0x00007ff8400dea92 in xsltApplyXSLTTemplate (ctxt=0x18dbd30, contextNode=0x1719660, list=0x17d8c70, templ=0x18cf780, withParams=0x18ed910) at transform.c:3108
#52 0x00007ff8400e035a in xsltCallTemplate (ctxt=0x175c9c0, node=0x1, inst=0x7fff1a72a150, castedComp=0x7fff1a72a150) at transform.c:4758
#53 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1719660, list=list@entry=0x17db200, templ=templ@entry=0x18cf820)
    at transform.c:2647
#54 0x00007ff8400dea92 in xsltApplyXSLTTemplate (ctxt=0x18dbd30, contextNode=0x1719660, list=0x17db200, templ=0x18cf820, withParams=0x18ed2a0) at transform.c:3108
#55 0x00007ff8400e035a in xsltCallTemplate (ctxt=0x175c9c0, node=0x1, inst=0x7fff1a72a150, castedComp=0x7fff1a72a150) at transform.c:4758
#56 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1719660, list=list@entry=0x17dd050, templ=templ@entry=0x18cfb90)
    at transform.c:2647
#57 0x00007ff8400dea92 in xsltApplyXSLTTemplate (ctxt=0x18dbd30, contextNode=0x1719660, list=0x17dd050, templ=0x18cfb90, withParams=0x18e6a60) at transform.c:3108
#58 0x00007ff8400e035a in xsltCallTemplate (ctxt=0x175c9c0, node=0x1, inst=0x7fff1a72a150, castedComp=0x7fff1a72a150) at transform.c:4758
#59 0x00007ff8400dbf33 in xsltApplySequenceConstructor (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1719660, list=list@entry=0x176c6d0, templ=templ@entry=0x18cff90)
    at transform.c:2647
#60 0x00007ff8400dea92 in xsltApplyXSLTTemplate (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1719660, list=0x176c6d0, templ=templ@entry=0x18cff90, 
    withParams=withParams@entry=0x0) at transform.c:3108
#61 0x00007ff8400df0c4 in xsltProcessOneNode (ctxt=ctxt@entry=0x18dbd30, contextNode=contextNode@entry=0x1719660, withParams=withParams@entry=0x0) at transform.c:2097
#62 0x00007ff8400e222c in xsltApplyStylesheetInternal (style=0x1768be0, doc=doc@entry=0x1719660, params=params@entry=0x7fff1a72bd20, output=output@entry=0x0, profile=profile@entry=0x0, 
    userCtxt=userCtxt@entry=0x0) at transform.c:6159
#63 0x00007ff8400e284d in xsltApplyStylesheet (style=<optimized out>, doc=doc@entry=0x1719660, params=params@entry=0x7fff1a72bd20) at transform.c:6352
#64 0x00007ff840acddf0 in apply_xslt_path_internal (source=0x175c980, xsltfile=<optimized out>, params=0x7fff1a72be70, path_to_xslt=<optimized out>, 
    stylesheet=stylesheet@entry=0x7fff1a72be38) at xslt.c:167
#65 0x00007ff840ace016 in oscap_source_apply_xslt_path (source=<optimized out>, xsltfile=<optimized out>, outfile=0x17069e0 "report.html", params=<optimized out>, 
    path_to_xslt=<optimized out>) at xslt.c:187
#66 0x00007ff840b28ca1 in _app_xslt (infile=infile@entry=0x175c980, outfile=outfile@entry=0x17069e0 "report.html", params=params@entry=0x7fff1a72cf70, 
    xsltfile=0x7ff840b333fb "xccdf-report.xsl") at xccdf_session.c:969
#67 0x00007ff840b2a4e1 in _xccdf_gen_report (show=0x7ff840b3ead3 "", profile=0x7ff840b3ead3 "", sce_template=0x7ff840b40a96 "%.result.xml", outfile=<optimized out>, id=<optimized out>, 
    infile=0x175c980) at xccdf_session.c:984
#68 xccdf_session_export_xccdf (session=session@entry=0x1676af0) at xccdf_session.c:1046
#69 0x000000000040ba13 in app_evaluate_xccdf (action=0x7fff1a72d090) at oscap-xccdf.c:524
#70 0x0000000000407e0e in oscap_module_call (action=0x7fff1a72d090) at oscap-tool.c:261
#71 oscap_module_process (module=0x6154a0 <XCCDF_EVAL>, module@entry=0x614a20 <OSCAP_ROOT_MODULE>, argc=argc@entry=7, argv=argv@entry=0x7fff1a72d328) at oscap-tool.c:346
#72 0x0000000000406eaf in main (argc=7, argv=0x7fff1a72d328) at oscap.c:80

Remote Assessment Report does not get copied back on the assessor machine

I have set up oscap 1.2.5 on the assessor machine and my target machine has oscap 1.1.0. I can evaluate the results remotely but the report.html file is not getting copied back to the assessor machine.

I did some investigation and found that the report.html file isn't even getting created on the target machine under the /tmp/tmp.<>/ directory. I can however see the oval results at the console of the assessor machine.
assessor machine
target machine

Any pointers? Please check out the attached snapshot.

Please help.

Thanks and regards,
Pravin Goyal

pcre-devel needed in configure

make[4]: Entering directory `/var/www/html/openscap/src/OVAL/results'
  CC     libovalcmp_la-oval_cmp.lo
  CC     libovalcmp_la-oval_cmp_basic.lo
oval_cmp_basic.c:31:18: error: pcre.h: No such file or directory
oval_cmp_basic.c: In function ‘strregcomp’:
oval_cmp_basic.c:132: error: ‘pcre’ undeclared (first use in this function)
oval_cmp_basic.c:132: error: (Each undeclared identifier is reported only once
oval_cmp_basic.c:132: error: for each function it appears in.)
oval_cmp_basic.c:132: error: ‘re’ undeclared (first use in this function)
oval_cmp_basic.c:136: warning: implicit declaration of function ‘pcre_compile’
oval_cmp_basic.c:136: error: ‘PCRE_UTF8’ undeclared (first use in this function)
oval_cmp_basic.c:143: warning: implicit declaration of function ‘pcre_exec’
oval_cmp_basic.c:154: warning: implicit declaration of function ‘pcre_free’
make[4]: *** [libovalcmp_la-oval_cmp_basic.lo] Error 1
make[4]: Leaving directory `/var/www/html/openscap/src/OVAL/results'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/var/www/html/openscap/src/OVAL'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/www/html/openscap/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/www/html/openscap'
make: *** [all] Error 2
[root@ssg-rhel6-devbox openscap]# yum install pcre-devel
Loaded plugins: product-id, refresh-packagekit, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pcre-devel.x86_64 0:7.8-6.el6 will be installed
--> Finished Dependency Resolution

MS Windows Support

Rationale: Current OpenSCAP community are POSIX enthusiasts. There is a demand for OpenSCAP on MS Windows platform.

Deliverable: OpenSCAP runs on Windows, executables are distributed, tests are set-up.

Note: Consider implementing Cygwin support in the ./run script

This is a big idea.

Cannot generate documentation of a profile contained in a tailoring file

Hi all,
I recently created a tailoring file with oscap-workbench based on a profile contained in the SSG.
I wanted to generate the documentation with the following command:

oscap xccdf generate guide --tailoring-file -pci-rhel6-tailoring.xml --profile Mypersonalised_profile ../content/ssg-centos6-xccdf.xml > guide/MyprofileDocumentation.html

Unfortunately, the "--tailoring-file" does not exist...

I do know if this is really an issue, maybe there is another way, but I could not find out how.

Regards
Mike

OpenSCAP for USB Flash Drive

Rationale: Auditors often need to not install additional software on the audited machine. OpenSCAP currently cannot be statically linked and carried on USB.

Deliverable: prepare static build of OpenSCAP (modify current build system), prepare process to re-create this static build

This is a big idea.

Feature request: HTML guide -- consider ability to filter the list of displayed rules per requirement

HTML report in current OpenSCAP can filter out the displayed rules depending on the result (PASS, FAIL, NOTCHECKED) and display only rules having one concrete result.

It would be nice (RFE) if the generated HTML guide for particular profile and benchmark could also filter out only rules e.g.:

  • per concrete PCI DSS identifier, DISA STIG / NIST identifier etc.

Example use case: Show me only rules in the guide mapping to PCI DSS Req #5.

The author of this idea is Zbynek (proper attribution is important). I just formatted the idea into a ticket.

Thank you for your consideration, Jan.
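
The per-requirement filter requested above can be approximated outside oscap by selecting rules from the XCCDF benchmark by their `<reference>` elements. This is an added example, not OpenSCAP code and not part of the original ticket; the benchmark, rule ids, the `href` value and the `Req-N` reference format are constructed assumptions, and Group selection and profile inheritance are ignored.

```python
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}
PCI = "https://example.org/pci-dss"  # placeholder reference href (assumption)

# Constructed sample benchmark, not real SSG content.
SAMPLE = f"""<Benchmark xmlns="{XCCDF}" id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_pci">
    <select idref="xccdf_org.example_rule_install_av" selected="true"/>
    <select idref="xccdf_org.example_rule_av_updates" selected="false"/>
  </Profile>
  <Rule id="xccdf_org.example_rule_install_av" selected="false">
    <title>Install antivirus</title>
    <reference href="{PCI}">Req-5.1</reference>
  </Rule>
  <Rule id="xccdf_org.example_rule_av_updates">
    <title>Keep antivirus updated</title>
    <reference href="{PCI}">Req-5.2</reference>
  </Rule>
  <Rule id="xccdf_org.example_rule_key_rotation">
    <title>Rotate keys</title>
    <reference href="{PCI}">Req-50.1</reference>
  </Rule>
</Benchmark>"""

def rules_for_requirement(xml_text, profile_id, href, requirement):
    """Return (rule id, title) for profile-selected rules mapped to a requirement."""
    root = ET.fromstring(xml_text)
    profile = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if profile is None:
        raise ValueError(f"profile not found: {profile_id}")
    # A Profile <select> overrides the Rule's own 'selected' (default: true).
    override = {s.get("idref"): s.get("selected") == "true"
                for s in profile.findall("x:select", NS)}
    hits = []
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        rid = rule.get("id")
        if not override.get(rid, rule.get("selected", "true") == "true"):
            continue
        for ref in rule.findall("x:reference", NS):
            text = (ref.text or "").strip()
            # Match "Req-5" and sub-items "Req-5.x", but never "Req-50.1".
            if ref.get("href") == href and (
                    text == requirement or text.startswith(requirement + ".")):
                hits.append((rid, rule.findtext("x:title", default="", namespaces=NS)))
                break
    return hits
```

Matching on the exact identifier or the identifier followed by a dot keeps a query for Req-5 from also returning rules mapped to Req-50.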
