As far as I know, the CIS materials have non-standard extensions that only their scanner supports.
On Wed, Aug 14, 2019 at 11:47 PM Tim <t...@variosecure.net> wrote:

> Another issue has come up while attempting to scan a Fedora-based system
> using the quasi-official OVAL collection at CIS:
>
> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
>
> After extracting the XML and using a command such as:
>
> oscap oval eval --report report.html --results results.xml
> --fetch-remote-resources oval.xml
>
> the oscap utility spends about an hour and a half parsing the 213MB of
> data, then says in the end that the definitions are invalid and so
> refuses to do the scan.
>
> When I use --fetch-remote-resources, the following message is repeated
> 158 times. Alas the code apparently does not contemplate OVAL files with
> more than 65535 lines, so the line numbers are all the same (the actual
> number of lines is about 3 million):
>
> File 'oval.xml' line 65535: Element
> '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string':
>
> This element is not expected. Expected is one of (
> {http://www.w3.org/2000/09/xmldsig#}Signature,
> {http://oval.mitre.org/XMLSchema/oval-common-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).
>
> If I omit --fetch-remote-resources, there are a few different errors,
> but I guess those don't matter so much?
>
> So... what to do? Adding --skip-valid to the command doesn't seem like a
> solution. If I do that the scan fails almost immediately with:
>
> W: oscap: Unknown OVAL family subtype: interim_fix
> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
> Failed to import the OVAL Definitions from 'oval.xml'.
> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]
>
> Are there some additional definitions that need to be pulled in somehow?
>
> Thanks!
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --