Thanks for looking into this! I didn't realize it was possible to
download anything other than the full OVAL file, and was going to ask if
maybe oscap could add a command-line option to choose the family or
platform when evaluating an OVAL collection.

But looking more closely at the page I see that there are lots of
categories. I just didn't scroll down far enough to see them, so thanks
for that. It will help immensely.

Oh, I should say that we're also CIS members, so I thank you from that
perspective as well!

Tim

On 8/15/19 10:35 PM, William Munyan wrote:
> Tim,
> 
> I guess the first thing I would ask is why you’re downloading the full
> OVAL XML file. That file, as you can see, is huge, and contains ALL the
> definitions in the entire repository. I can make an educated guess that
> your Fedora-based system doesn’t need to assess against every Windows
> definition, Cisco IOS definition, etc. You probably only want the ones
> specific to your OS family, which in this case would be “unix”, and a
> particular class of definitions; I would suggest “vulnerability” as this
> is the most prevalent definition class in the repository.
> 
> That bundle can be found here --
> https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/unix.xml
> -- and is only about 35 MB.
> 
> Other definition classes and families are available as well, and I’d
> definitely suggest trying different combinations of files to find the
> correct information you’re looking to assess. The full repository might
> be a little too much to handle.
> 
> I will take a look at the repository source (it’s all in GitHub) and see
> if I can find some ways to parse the full content and see where some of
> the validation issues might be.
> 
> Cheers,
> 
> -Bill M
> 
> *Bill Munyan*
> 
> Solutions Architect; Security Best Practices
> 
> 31 Tech Valley Drive
> 
> East Greenbush, NY 12061
> 
> william.mun...@cisecurity.org <mailto:william.mun...@cisecurity.org>
> 
> (518) 516-6128 (w)
> 
> (518) 281-1233 (c)
> 
> *From:*open-scap-list-boun...@redhat.com
> <open-scap-list-boun...@redhat.com> *On Behalf Of *Tim
> *Sent:* Wednesday, August 14, 2019 11:48 PM
> *To:* open-scap-list@redhat.com
> *Subject:* [Open-scap] Trouble Scanning OVAL from CIS Repository
> 
> Another issue has come up while attempting to scan a Fedora-based system
> using the quasi-official OVAL collection at CIS:
> 
> https://oval.cisecurity.org/repository/download/5.11.2/all/oval.xml.zip
> 
> After extracting the XML and using a command such as:
> 
> oscap oval eval --report report.html --results results.xml
> --fetch-remote-resources oval.xml
> 
> the oscap utility spends about an hour and a half parsing the 213MB of
> data, then says in the end that the definitions are invalid and so
> refuses to do the scan.
> 
> When I use --fetch-remote-resources, the following message is repeated
> 158 times. Alas, the code apparently does not contemplate OVAL files with
> more than 65535 lines, so the line numbers are all the same (the actual
> number of lines is about 3 million):
> 
> File 'oval.xml' line 65535: Element
> '{http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}version_string:
> This element is not expected. Expected is one of (
> {http://www.w3.org/2000/09/xmldsig#}Signature,
> {http://oval.mitre.org/XMLSchema/oval-common-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}platform,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rp,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}pkg,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}major_release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}release,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}rebuild,
> {http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe}ios_release ).
> 
> If I omit --fetch-remote-resources, there are a few different errors,
> but I guess those don't matter so much?
> 
> So... what to do? Adding --skip-valid to the command doesn't seem like a
> solution. If I do that the scan fails almost immediately with:
> 
> W: oscap: Unknown OVAL family subtype: interim_fix
> OpenSCAP Error: Unknown test type oval:org.cisecurity:tst:6710.
> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_test.c:395]
> Failed to import the OVAL Definitions from 'oval.xml'.
> [/builddir/build/BUILD/openscap-1.3.1/src/OVAL/oval_session.c:248]
> 
> Are there some additional definitions that need to be pulled in somehow?
> 
> Thanks!
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com <mailto:Open-scap-list@redhat.com>
> https://www.redhat.com/mailman/listinfo/open-scap-list

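A quick way to see what an OVAL bundle actually contains before spending an hour feeding it to oscap, as an added example that is not part of this thread or of OpenSCAP: it streams an OVAL Definitions file, counts definitions per class and test/object/state elements per component family (the `#unix` and `#iosxe` namespaces that appear in the validation messages quoted above), and lists the families outside an assumed supported set. The SUPPORTED set and the sample document are assumptions constructed for this example.

```python
from collections import Counter
import io
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Families assumed usable on a Linux host (assumed for this example, not from OpenSCAP).
SUPPORTED = {"independent", "unix", "linux"}

def component_of(tag):
    """'unix', 'iosxe', ... for a component tag, 'core' for the base namespace, else None."""
    if not tag.startswith("{" + OVAL_DEF):
        return None
    ns = tag[1:tag.index("}")]
    return ns.split("#", 1)[1] if "#" in ns else "core"

def inventory(source):
    """Count definitions per class and tests/objects/states per component family."""
    classes, families = Counter(), Counter()
    for _, elem in ET.iterparse(source, events=("end",)):  # streams; no full DOM
        family = component_of(elem.tag)
        local = elem.tag.rsplit("}", 1)[-1]
        if family == "core" and local == "definition":
            classes[elem.get("class", "unknown")] += 1
        elif family not in (None, "core") and local.endswith(("_test", "_object", "_state")):
            families[family] += 1
        elem.clear()  # children were already counted; release them
    return classes, families

def unsupported_families(families):
    """Families the scanner is expected to reject (iosxe in the errors quoted above)."""
    return sorted(f for f in families if f not in SUPPORTED)

# Constructed minimal document; not an excerpt of the CIS repository.
SAMPLE = b"""<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
 xmlns:iosxe="http://oval.mitre.org/XMLSchema/oval-definitions-5#iosxe">
 <definitions>
  <definition id="oval:example:def:1" version="1" class="vulnerability"/>
  <definition id="oval:example:def:2" version="1" class="inventory"/>
 </definitions>
 <tests>
  <unix:uname_test id="oval:example:tst:1" version="1" check="all"/>
  <iosxe:version_test id="oval:example:tst:2" version="1" check="all"/>
 </tests>
</oval_definitions>"""

if __name__ == "__main__":
    classes, families = inventory(io.BytesIO(SAMPLE))
    print(dict(classes), dict(families), "rejected:", unsupported_families(families))
```

Run it against the extracted oval.xml by replacing `io.BytesIO(SAMPLE)` with the file path; a non-empty rejected list is a sign to download a family-specific bundle instead.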