Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black
Hi,

That is pretty cool that you want to run OpenSCAP on such a device. I like it! You're the first person that I know running it on ARM :)

I think the problem is that Debian Jessie has OpenSCAP 1.0.9, which is an old version that doesn't support systemd related tests and it also can't process OVAL documents using OVAL standard 5.11, which we use to write security policies. The error messages look like that's the problem.

I suggest trying to backport OpenSCAP packages from Debian Testing (Stretch). Debian Testing has OpenSCAP 1.2.9 that supports those new standards and systemd. Or you might try to compile the latest upstream release 1.2.14 directly from the sources on Github [1] and install that on your device.

However I don't have an ARM machine with Debian, so I haven't verified if there is any other issue :) If you encounter a problem, please inform us. Thank you.

[1] https://github.com/OpenSCAP/openscap/releases/download/1.2.14/openscap-1.2.14.tar.gz

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.

- Original Message -
> From: "Luther Goh Lu Feng"
> To: open-scap-list@redhat.com
> Sent: Thursday, April 6, 2017 6:07:18 AM
> Subject: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black
>
> I have installed SCAP Workbench on Mac OS X[1] and attempted to scan a
> Beaglebone Black with Debian installed remotely. Debian has been installed
> with OpenSCAP[2]. However the scan threw up a lot of errors and didn't
> complete. I am only including a small subset of the errors so as not to
> overwhelm readers with the amount of text. But am happy to furnish the full
> logs in pastebin if it is helpful. Hope to have some tips. Thanks!
>
> 13:28:47 info Connection established.
> 13:28:47 info Checking if oscap is available on remote machine...
> 13:28:59 info Querying capabilities on remote machine...
> 13:29:13 info Copying input data to remote target...
> 13:30:32 info Starting the remote process...
> 13:30:32 info Processing on the remote machine...
> 13:30:47 error The 'oscap' process has written the following content to stderr: OpenSCAP Error: File '/tmp/tmp.3WyW7Kt0Aa' line 1835: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_test': This element is not expected.
> 13:30:47 error The 'oscap' process has written the following content to stderr: [../../../src/XCCDF/xccdf_session.c:342]
> 13:30:47 error The 'oscap' process has written the following content to stderr: File '/tmp/tmp.3WyW7Kt0Aa' line 2482: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_object': This element is not expected.
> 13:30:47 error The 'oscap' process has written the following content to stderr: [../../../src/XCCDF/xccdf_session.c:342]
> 13:30:47 error The 'oscap' process has written the following content to stderr: File '/tmp/tmp.3WyW7Kt0Aa' line 3427: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_state': This element is not expected.
> 13:30:47 error The 'oscap' process has written the following content to stderr: [../../../src/XCCDF/xccdf_session.c:342]
> 13:30:47 error The 'oscap' process has written the following content to stderr: File '/tmp/tmp.3WyW7Kt0Aa' line 3653: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}glob_to_regex': This element is not expected. Expected is one of ( {http://www.w3.org/2000/09/xmldsig#}Signature, {http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component, {http://oval.mitre.org/XMLSchema/oval-definitions-5}variable_component, {http://oval.mitre.org/XMLSchema/oval-definitions-5}literal_component, {http://oval.mitre.org/XMLSchema/oval-definitions-5}arithmetic, {http://oval.mitre.org/XMLSchema/oval-definitions-5}begin, {http://oval.mitre.org/XMLSchema/oval-definitions-5}concat, {http://oval.mitre.org/XMLSchema/oval-definitions-5}end, {http://oval.mitre.org/XMLSchema/oval-definitions-5}escape_regex, {http://oval.mitre.org/XMLSchema/oval-definitions-5}split ).
>
> [1] https://www.open-scap.org/tools/scap-workbench/
> [2] https://packages.debian.org/jessie/python-openscap

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
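A pre-flight check for the version mismatch described in the reply above, as an added example (not code from the thread or from the OpenSCAP project): it compares the OVAL schema version declared in the content with the version the target's scanner reports, and pulls the rejected element names out of the scanner's stderr. The inputs are constructed samples except where noted, and it assumes `oscap --version` prints an `OVAL Version:` line.

```python
import re
import xml.etree.ElementTree as ET

OVAL_COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"

# Constructed sample: a trimmed OVAL definitions file that declares schema 5.11
# and uses one of the element types named in the errors quoted in the thread.
SAMPLE_OVAL = """<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <generator><oval:schema_version>5.11</oval:schema_version></generator>
  <tests>
    <linux:systemdunitdependency_test id="oval:sample:tst:1" version="1"
        check="all" comment="constructed"/>
  </tests>
</oval_definitions>"""

# Constructed sample of the specifications list printed by `oscap --version`.
# The 5.10.1 value is an assumption for an older scanner, not a figure from the thread.
SAMPLE_VERSION_OUTPUT = """==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
"""

# Two of the stderr messages quoted in the thread, re-joined onto single lines.
SAMPLE_STDERR = (
    "OpenSCAP Error: File '/tmp/tmp.3WyW7Kt0Aa' line 1835: Element "
    "'{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}"
    "systemdunitdependency_test': This element is not expected.\n"
    "File '/tmp/tmp.3WyW7Kt0Aa' line 3653: Element "
    "'{http://oval.mitre.org/XMLSchema/oval-definitions-5}glob_to_regex': "
    "This element is not expected.\n"
)

UNEXPECTED = re.compile(
    r"line (\d+): Element '\{([^}]+)\}([^']+)': This element is not expected")


def version_tuple(text):
    """'5.10.1' -> (5, 10, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def content_oval_versions(xml_text):
    """Every schema_version declared in the file (a datastream may hold several)."""
    root = ET.fromstring(xml_text)
    tag = "{%s}schema_version" % OVAL_COMMON_NS
    found = {e.text.strip() for e in root.iter(tag) if e.text and e.text.strip()}
    if not found:
        raise ValueError("no OVAL schema_version element found in content")
    return sorted(found, key=version_tuple)


def scanner_oval_version(version_output):
    """Pull the supported OVAL version out of `oscap --version` text, or None."""
    match = re.search(r"^OVAL Version:\s*([\d.]+)", version_output, re.M)
    return match.group(1) if match else None


def scanner_supports(scanner_version, xml_text):
    """True only if no OVAL component needs a newer schema than the scanner has."""
    limit = version_tuple(scanner_version)
    return all(version_tuple(v) <= limit for v in content_oval_versions(xml_text))


def unexpected_elements(stderr_text):
    """(line, namespace, element) for each schema-validation rejection in stderr."""
    return [(int(n), ns, name) for n, ns, name in UNEXPECTED.findall(stderr_text)]


if __name__ == "__main__":
    scanner = scanner_oval_version(SAMPLE_VERSION_OUTPUT)
    print("content needs:", content_oval_versions(SAMPLE_OVAL), "scanner has:", scanner)
    print("compatible:", scanner_supports(scanner, SAMPLE_OVAL))
    for line, ns, name in unexpected_elements(SAMPLE_STDERR):
        print("rejected at line %d: %s (%s)" % (line, name, ns))
```

Because `root.iter` walks the whole tree, the same check works on a source datastream such as `ssg-debian8-ds.xml`, where the OVAL components are nested inside the datastream collection.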
[Open-scap] fetch remote resources on RHEL7 fails
On a fresh-out-of-the-box+updated RHEL7 (with openscap-scanner-1.2.10-3.el7_3.x86_64)

    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
    WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content

The scan goes off/generates reports, but in order to heed the WARNING, I try to get the latest remote OVAL file

    oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_common --report /tmp/report-remote.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    Downloading: http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml ... ok
    OpenSCAP Error: Unable to parse XML from user memory buffer [oscap_source.c:254]
    Failed to create OVAL definition model from: 'http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml'. [xccdf_session.c:787]

and the scan terminates. Is that a problem with the remote file (Red_Hat_Enterprise_Linux_7.xml) or an 'oscap' bug?
Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black
On Thursday, April 6, 2017 10:20 PM, Luther Goh Lu Feng wrote:

Thanks for the suggestion! I will most certainly attempt to install OpenSCAP 1.2.9 from testing. I am still very much a noob figuring out my way around the various security concepts such as OVAL, XCCDF. So pardon me if I indicate any wrong assumptions as I have not yet fully read the manual.

In my debugging, I have run

    $ oscap oval eval --results debian-2014.xml --report debian-2014.html oval-definitions-2014.xml

and managed to get a proper report. The oval definitions are from debian[1].

So questions:

- Does this successful run mean that OpenSCAP 1.0.9 supports OVAL 5.11 without issues?
- Is OpenSCAP cli on par functionality wise with SCAP workbench?

[1] https://www.debian.org/security/oval/

On Thursday, April 6, 2017 4:50 PM, Jan Cerny wrote:

Hi,

That is pretty cool that you want to run OpenSCAP on such a device. I like it! You're the first person that I know running it on ARM :)

I think the problem is that Debian Jessie has OpenSCAP 1.0.9, which is an old version that doesn't support systemd related tests and it also can't process OVAL documents using OVAL standard 5.11, which we use to write security policies. The error messages look like that's the problem.

I suggest trying to backport OpenSCAP packages from Debian Testing (Stretch). Debian Testing has OpenSCAP 1.2.9 that supports those new standards and systemd. Or you might try to compile the latest upstream release 1.2.14 directly from the sources on Github [1] and install that on your device.

However I don't have an ARM machine with Debian, so I haven't verified if there is any other issue :) If you encounter a problem, please inform us. Thank you.

[1] https://github.com/OpenSCAP/openscap/releases/download/1.2.14/openscap-1.2.14.tar.gz

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.
Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black
Having installed OpenSCAP 1.2.9, the workbench run is much more successful. However there are still errors, albeit far fewer than before. Any tips?

01:58:28 info Establishing connecting to remote target...
01:58:32 info Connection established.
01:58:32 info Checking if oscap is available on remote machine...
01:58:39 info Querying capabilities on remote machine...
01:58:47 info Copying input data to remote target...
01:59:32 info Starting the remote process...
01:59:32 info Processing on the remote machine...
01:59:43 error The 'oscap' process has written the following content to stderr: E: The package cache file is corrupted
01:59:43 error The 'oscap' process has written the following content to stderr: E: The package cache file is corrupted
01:59:43 error The 'oscap' process has written the following content to stderr: E: The package cache file is corrupted
01:59:43 error The 'oscap' process has written the following content to stderr: E: The package cache file is corrupted
01:59:44 error The 'oscap' process has written the following content to stderr: E: The package cache file is corrupted
01:59:44 error The 'oscap' process has written the following content to stderr: E: The package cache file is corrupted
01:59:44 error The 'oscap' process has written the following content to stderr: E: The package cache file is corrupted
01:59:44 error The 'oscap' process has written the following content to stderr: E: The package cache file is corrupted
01:59:46 error The 'oscap' process has written the following content to stderr: OpenSCAP Error: Probe with PID=10485 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:173]
01:59:46 error The 'oscap' process has written the following content to stderr: Item corresponding to object 'oval:ssg-obj_package_rsyslog_installed:obj:1' from test 'oval:ssg-test_package_rsyslog_installed:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:908]
01:59:46 error The 'oscap' process has written the following content to stderr: Probe with PID=10510 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:173]
01:59:46 error The 'oscap' process has written the following content to stderr: Item corresponding to object 'oval:ssg-obj_package_telnetd_removed:obj:1' from test 'oval:ssg-test_package_telnetd_removed:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:908]
01:59:46 error The 'oscap' process has written the following content to stderr: Probe with PID=10516 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:173]
01:59:46 error The 'oscap' process has written the following content to stderr: Item corresponding to object 'oval:ssg-obj_package_inetutils-telnetd_removed:obj:1' from test 'oval:ssg-test_package_inetutils-telnetd_removed:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:908]
01:59:46 error The 'oscap' process has written the following content to stderr: Probe with PID=10522 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:173]
01:59:46 error The 'oscap' process has written the following content to stderr: Item corresponding to object 'oval:ssg-obj_package_telnetd-ssl_removed:obj:1' from test 'oval:ssg-test_package_telnetd-ssl_removed:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:908]
01:59:46 error The 'oscap' process has written the following content to stderr: Probe with PID=10528 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:173]
01:59:46 error The 'oscap' process has written the following content to stderr: Item corresponding to object 'oval:ssg-obj_package_nis_removed:obj:1' from test 'oval:ssg-test_package_nis_removed:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:908]
01:59:46 error The 'oscap' process has written the following content to stderr: Probe with PID=10534 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:173]
01:59:46 error The 'oscap' process has written the following content to stderr: Item corresponding to object 'oval:ssg-obj_package_ntpdate_removed:obj:1' from test 'oval:ssg-test_package_ntpdate_removed:tst:1' has an unknown flag. This may indicate a bug in OpenSCAP. [../../../../src/OVAL/results/oval_resultTest.c:908]
01:59:46 error The 'oscap' process has written the following content to stderr: Probe with PID=10540 has been killed with signal 11 [../../../../../src/OVAL/probes/SEAP/sch_pipe.c:173]
01:59:46 error The 'oscap' process has written the following content to stderr: I
Re: [Open-scap] fetch remote resources on RHEL7 fails
On 4/6/17 11:10 AM, Przemek Klosowski wrote:
>
> On a fresh-out-of-the-box+updated RHEL7 (with
> openscap-scanner-1.2.10-3.el7_3.x86_64)
>
>     oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
>     This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
>     WARNING: Skipping http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml file which is referenced from XCCDF content
>
> The scan goes off/generates reports, but in order to heed the
> WARNING, I try to get the latest remote OVAL file
>
>     oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_common --report /tmp/report-remote.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
>     Downloading: http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml ... ok
>     OpenSCAP Error: Unable to parse XML from user memory buffer [oscap_source.c:254]
>     Failed to create OVAL definition model from: 'http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml'. [xccdf_session.c:787]
>
> and the scan terminates. Is that a problem with the remote file
> (Red_Hat_Enterprise_Linux_7.xml) or an 'oscap' bug?
>

I get the exact same error - looks like a bug

    $ cat /etc/redhat-release ; uname -a ; rpm -qv openscap-scanner ; free -m
    Red Hat Enterprise Linux Server release 7.3 (Maipo)
    Linux devbox 3.10.0-514.10.2.el7.x86_64 #1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64 x86_64 GNU/Linux
    openscap-scanner-1.2.10-3.el7_3.x86_64
Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black
For some strange reason, after a reboot, I have managed to scan without issue using

- SCAP Workbench
- CLI: oscap xccdf eval --fetch-remote-resources --results debian-xccdf.xml --report debian-xccdf.html --profile xccdf_org.ssgproject.content_profile_common ssg-debian8-ds.xml

Just wish to double check that the CLI command is the correct one as well, as it is a guesstimate as I have not completed reading the manual yet.

One issue that I encountered is that I needed to physically transfer ssg-debian8-ds.xml to my beaglebone black via scp as the file isn't present on beaglebone black. Is this the correct way or is the file hiding somewhere on the system?

On Friday, April 7, 2017 2:04 AM, Luther Goh Lu Feng wrote:

Having installed OpenSCAP 1.2.9, the workbench run is much more successful. However there are still errors, albeit far fewer than before. Any tips?

01:58:28 info Establishing connecting to remote target...
01:58:32 info Connection established.
01:58:32 info Checking if oscap is available on remote machine...
01:58:39 info Querying capabilities on remote machine...
01:58:47 info Copying input data to remote target...
01:59:32 info Starting the remote process...
01:59:32 info Processing on the remote machine...