Greetings,

We're starting to run into this issue.  Do you guys know if there's been any 
progress on getting SC imports working?

Thanks,
Nathan

On Sun, 2016-12-11 at 04:04 +0000, Todd, Charles wrote:

And I was going to read Seveneves this weekend too.  Not when Shawn Wells 
throws down the gauntlet though.  Good thing I brought the laptop home for 
experimentation.

Short answer: No go.  Nothing from 0.1.31 will ingest.

Long answer:
- Nessus 6.9.0 (newest ACAS version just released)
- Security Center 5.4.0 (newest ACAS version released in the last month, but I 
think 5.4.1 is on the brink)
- oscap-0.1.31 from your helpful link.
- RHEL 6 baseline from ACAS (not patched - yet!)

I tried every configuration of zip files I could imagine and I got one of these:
- "Unable to find the specified AuditFile upload" - presented a dropdown for 
Data Stream Name but it is empty - error appears after hitting Submit
    - Example ZIP had "ssg-rhel7-ds.xml" in the parent directory
    - Example ZIP had "ssg-rhel-osp7-ds.xml" in the parent directory
    - Example ZIP had both rhel7 files in the parent directory
    - Example ZIP had "ssg-firefox-ds.xml" in the parent directory
- "Unable to find the specified AuditFile upload" with no dropdown - error 
appears immediately after selecting the audit file
    - Example ZIP was the one you pointed me to - unadulterated
    - Example ZIP had "ssg-centos7-ds.xml" in the parent directory

Driving the innards of this import is /opt/sc/src/lib/SCAPParser.php.  I've 
been quite dissatisfied with the document saying XCCDF/OVAL content must be 
"in a ZIP form" as that is relatively non-specific.  I've since learned:
1. The top level of the ZIP should contain one or more XML files OR one or more 
subdirectories, but not both
2. SCAP 1.2 content is supposed to all be wrapped up into one file (the CentOS 
content in 0.1.31 has a schematron-version of 1.2 and the ns0 namespace is for 
SCAP 1.2)
3. SCAP 1.0/1.1 must contain XCCDF, CPEDictionary, CPEInventory, and Oval file 
(optional patches.xml)
4. The error above actually comes from /opt/sc/src/AuditFiles.php:822 and again 
at :1056 (SC 5.4.0)
5. The error comes from some filename being missing, but my droopy eyes haven't 
found where the variable is defined.
6. I'm not sold on the PHP files orders above - continued strace tests didn't 
make it obvious what was going on when I hit submit and I'm not a PHP guy who 
can debug web calls that need authentication

Here was an important find: When scanning with the 0.1.25 SSG files, I got the 
"ssg-rhel7-oval.xml failed XML Schema validation." error from SC Plugin 66758 
even when I messed up the credentials to the asset.  It never scanned the box 
and still died from this error.  This marries with my test at work where the 
scanner took an hour and then kicked back this error.  I'm really starting to 
think that these errors are all SecurityCenter.  If so, I'll take it up with 
the ACAS team first thing Monday, unless I get time on Sunday to submit it.

So one variation I've been contemplating - if SecurityCenter won't scan the 
CentOS (or RHEL7) box, can I ingest the oscap output to look like a Nessus 
scan?  I've gotten hints that it will, but my lazy bones haven't done enough 
research to know conclusively.  That would at least let me work around SSG 
content import failures, regardless of who is causing the failure.

Thanks for jumping right in there and taking my issue straight on.  Much 
appreciated.

Charlie Todd
Ball Aerospace
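
A pre-upload check for the ZIP layout rules listed in the message above, as an added example (not part of the original thread, and not Tenable's or the SSG project's code). It assumes SSG-style file suffixes for the SCAP 1.0/1.1 components and treats "CPEInventory" as the -cpe-oval.xml file; `check_bundle`, `root_tag`, `has_component` and `make_zip` are hypothetical names, and only top-level files are inspected.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "http://scap.nist.gov/schema/scap/source/1.2"  # SCAP 1.2 source data stream
# Assumed SSG-style suffixes; "CPEInventory" is taken to be the -cpe-oval.xml file.
REQUIRED = ["-xccdf.xml", "-cpe-dictionary.xml", "-cpe-oval.xml", "-oval.xml"]

def root_tag(zf, name):
    """Tag of the root element, read from the first start event only."""
    try:
        with zf.open(name) as fh:
            return next(ET.iterparse(fh, events=("start",)))[1].tag
    except (ET.ParseError, StopIteration):
        return None

def has_component(files, suffix):
    # "-oval.xml" must not be satisfied by a "-cpe-oval.xml" file
    skip = "-cpe-oval.xml" if suffix == "-oval.xml" else None
    return any(f.endswith(suffix) and not (skip and f.endswith(skip)) for f in files)

def check_bundle(zip_bytes):
    """Return a list of layout problems; an empty list means none were found."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        top_xml = [n for n in names if "/" not in n and n.lower().endswith(".xml")]
        subdirs = {n.split("/", 1)[0] for n in names if "/" in n}
        if top_xml and subdirs:
            problems.append("top level mixes XML files and subdirectories")
        if not top_xml and not subdirs:
            problems.append("top level has neither XML files nor subdirectories")
        tags = {n: root_tag(zf, n) for n in top_xml}
        problems += [f"{n}: no readable root element" for n, t in tags.items() if t is None]
        if top_xml and f"{{{NS}}}data-stream-collection" not in tags.values():
            # no SCAP 1.2 data stream, so treat the files as a 1.0/1.1 bundle
            problems += [f"SCAP 1.0/1.1 bundle lacks a *{s} file"
                         for s in REQUIRED if not has_component(top_xml, s)]
    return problems

def make_zip(files):
    """Build an in-memory ZIP from {name: text}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed sample: a data stream at top level next to a subdirectory
MIXED = make_zip({"ssg-rhel7-ds.xml": f'<data-stream-collection xmlns="{NS}"/>', "extra/x.txt": ""})
```

An empty result only means the layout matches the rules in the message; it says nothing about XML Schema validation of the content.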


________________________________________
From: Shawn Wells [[email protected]]
Sent: Friday, December 09, 2016 7:44 PM
To: [email protected]
Subject: Re: Importing to SecurityCenter

On 12/9/16 6:56 PM, Shawn Wells wrote:


On 12/9/16 6:24 PM, [email protected] wrote:


I have tried importing the outputs into Security Center following the guidance 
from Tenable.

http://static.tenable.com/prod_docs/SecurityCenter_5.0_SCAP_Assessments.pdf

The problem I encounter is that the scan returns with an "XML Validation 
Failed" message on the information module. I tried importing the SCAP content 
into a Nessus scanner breaking up the SCAP and OVAL content, but again, the 
scan fails. Tenable does not provide much information as to why the XML 
validation failed on the SCAP content.

I have successfully imported the DISA STIG for RHEL 7 and run in Security 
Center, but the DISA version is not structured for automated checks. That scan 
shows all the controls, but with a "Not Checked" status requiring manual review.


Well this is no good. The Tenable team has been very good about
supporting SCAP, including getting Security Center SCAP 1.2 certified:
https://www.tenable.com/blog/tenable-s-securitycenter-5-achieves-scap-12-certification

Even made sure the OpenSCAP JBoss content could be ingested with their
tools a few years ago:
https://community.tenable.com/thread/5914

I reached out to Ron offline asking who we could work with at Tenable to
troubleshoot.

FYI @Martin - CC'd you on that note.



Heard back from Ron at Tenable who pointed us to members of his team.
Starting the RedHat-Tenable conversations now.

In the meantime, Kelly & Charlie, it looks like Security Center expects
a zip file to be uploaded. What zip are you using?

Could you try with SSG v0.1.31? Specifically, this zip file:
https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.31/scap-security-guide-0.1.31.zip

Any error messages would be most useful. And what version of Security
Center?
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]


