Hi All,
Before bothering you with my problems I would just like to say thanks for all the great work on scap-security-guide you guys are doing. We're investigating a good basis for our Linux security baseline and OpenSCAP+SSG is spot on.
When running `oscap xccdf eval --profile server rhel6-xccdf-scap-security-guide.xml` the following error is returned:

1 1871 In file 'rhel6-xccdf-scap-security-guide.xml' on line 3201: Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is not expected. Expected is ( {http://checklists.nist.gov/xccdf/1.1}signature ).
I'm new to scap-security-guide (so browsing the xccdf file was a bit daunting :-) but the above-mentioned <Value id="password_history_retain_number"...> tag seems out of place in a '<Rule id="set_password_hashing_algorithm"...>' context:
<Rule id="set_password_hashing_algorithm" severity="low" selected="false">
  <title>Set Password Hashing Algorithm</title>
  <description>... </description>
  <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5</reference>
  <rationale> Using a stronger hashing algorithm makes password cracking attacks more difficult. </rationale>
  <ident system="http://cce.mitre.org">CCE-14063-2</ident>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="rhel6-oval-scap-security-guide.xml" name="oval:scap-security-guide:def:839"/>
  </check>
</Rule>
<Value id="password_history_retain_number" type="number" operator="equals" interactive="0">
  <title>remember</title>
  <description>The last n passwords for each user are saved in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/opasswd</xhtml:code> in order to force password change history and keep the user from alternating between the same password too frequently.</description>
  <value selector="">5</value>
  <value selector="0">0</value>
  <value selector="5">5</value>
  <value selector="10">10</value>
</Value>
I'm on RHEL6 and so might be running old(er) software. Is Fedora 16/17 necessary or am I missing something? Here's what I did:
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)

rpm -q git openscap-utils python-lxml
git-1.7.1-2.el6_0.1.x86_64
openscap-utils-0.8.0-2.el6.x86_64
python-lxml-2.2.3-1.1.el6.x86_64
cd scap-security-guide
git log
commit 5454d44eee80becb5c1b8929bf6498edfa3bfdcb
Merge: 405d61e a0f2e7e
Author: Kevin Spargur kspargur@redhat.com
Date:   Wed Jul 25 19:59:05 2012 -0400

    Merge branch 'master' of ssh://git.fedorahosted.org/git/scap-securi ...
cd scap-security-guide/RHEL6
make all
...
oscap xccdf generate guide --profile allrules output/rhel6-xccdf.xml > output/rhel6-guide.html
WARNING: Processing an unresolved XCCDF document. This may have unexpected results.
...
Duplicate ID, which will not be added: var_samba_private_directory
Duplicate ID, which will not be added: state_uid_root
Duplicate ID, which will not be added: object_etc_skel_files
Duplicate ID, which will not be added: var_removable_partition
Duplicate ID, which will not be added: var_removable_partition
Duplicate ID, which will not be added: var_ssh_config_directory
...
cd dist/content
oscap xccdf eval --profile server rhel6-xccdf-scap-security-guide.xml
1 1871 In file 'rhel6-xccdf-scap-security-guide.xml' on line 3201: Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is not expected. Expected is ( {http://checklists.nist.gov/xccdf/1.1}signature ).
Regards, Willem.
Hi all,
I removed the Value tags I mentioned earlier. oscap still complained so I kept removing... Eventually I got a successful run by making the following adjustments:
diff rhel6-xccdf-scap-security-guide.xml.ORG rhel6-xccdf-scap-security-guide.xml 103d102 < <select idref="limit_password_reuse" selected="true"/> 3201,3211d3199 < <Value id="password_history_retain_number" type="number" operator="equals" interactive="0"> < <title>remember</title> < <description>The last n passwords for each user are saved in < <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml%22%3E/etc/security/opasswd</xhtml:code> in order to force password change history and < keep the user from alternating between the same password too < frequently.</description> < <value selector="">5</value> < <value selector="0">0</value> < <value selector="5">5</value> < <value selector="10">10</value> < </Value> 3224,3225d3211 < <ident cce="14939-3"/> < <oval id="accounts_password_reuse_limit" value="password_history_retain_number"/> 11662c11648 < </Benchmark> \ No newline at end of file ---
</Benchmark>
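Review bot: the 103d102 hunk deletes `<select idref="limit_password_reuse" selected="true"/>` from the profile instead of making the reference resolve, so the server profile silently stops evaluating password reuse and a clean `oscap xccdf eval` run no longer says anything about password history. Keep the select and fix its target (the approach in [PATCH 2/2], turning limiting_password_reuse into a Rule) rather than dropping the check from the profile.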
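Review bot: the 3201,3211d3199 hunk removes the whole password_history_retain_number Value, but the validator's complaint is about position, not content: in XCCDF 1.1 the Value children of a Group (and of the Benchmark) come before its Rule and Group children, which is why the schema expected signature after `<Rule id="set_password_hashing_algorithm" ...>`. Moving the same Value element ahead of that Rule validates and keeps the 0/5/10 selectors and the default of 5 available to the reuse check.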
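Review bot: the 3224,3225d3211 hunk strips `<ident cce="14939-3"/>` and the `<oval id="accounts_password_reuse_limit" value="password_history_retain_number"/>` shorthand from the generated file, which is the untransformed build shorthand Kevin identifies as the root cause (parent is a Group rather than a Rule). Editing dist/content hides the symptom only until the next `make all` regenerates it; the fix belongs in the RHEL6 source tree where the shorthand is transformed, and the CCE ident should be kept so the rule stays traceable.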
By the way, when I changed limit_password_reuse to false instead of removing it, oscap hangs running its probes (different ones the few times I ran it). Probably unrelated but I thought I should mention it.
Regards, Willem.
On Thu, Jul 26, 2012 at 10:26 AM, Willem Bos whbos@xs4all.nl wrote:
Hey, welcome to the list. I saw the same issue as well. I believe it relates to the <oval id="accounts_password_reuse_limit" value="password_history_retain_number"/> shorthand not getting transformed because the parent is a group rather than a rule. The patch I submitted last night removed the error for me.
-Kevin
On Jul 26, 2012, at 4:57 AM, Willem Bos whbos@xs4all.nl wrote:
<oval id="accounts_password_reuse_limit"
value="password_history_retain_number"/>
Hi Kevin,
I pulled your patch in this morning. That resolved two of the problems I had earlier but not this one. I'm at commit 5454d44eee80becb5c1b8929bf6498edfa3bfdcb:

git log
commit 5454d44eee80becb5c1b8929bf6498edfa3bfdcb
Merge: 405d61e a0f2e7e
Author: Kevin Spargur kspargur@redhat.com
Date:   Wed Jul 25 19:59:05 2012 -0400

    Merge branch 'master' of ssh://git.fedorahosted.org/git/scap-securi ...
Regards, Willem.

On Thu, Jul 26, 2012 at 12:01 PM, Kevin Spargur kspargur@redhat.com wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide
The patch is still pending an ack before it gets pushed to the stack. You can try applying the diff from [PATCH 2/2] Changed group limiting_password_reuse to a rule yourself if you would like.
-Kevin
On Jul 26, 2012, at 6:34 AM, Willem Bos whbos@xs4all.nl wrote:
Hi Kevin,
Ah, I missed that! After applying the patch there's one error left:

oscap xccdf eval --profile server rhel6-xccdf-scap-security-guide.xml
...
Rule ID: disable_dhcp_client
Title: Disable DHCP Client
Result: pass

OpenSCAP Error: Selector ID(limit_password_reuse) does not exist in Benchmark.
Regards, Willem.
On Thu, Jul 26, 2012 at 1:43 PM, Kevin Spargur kspargur@redhat.com wrote:
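Both failures in this thread (the Value rejected after a Rule, then "Selector ID(limit_password_reuse) does not exist in Benchmark") are structural faults in the generated XCCDF that can be caught, and the first one repaired, before oscap is ever run. The script below is an added example written for this thread; it is not code from scap-security-guide or OpenSCAP. It uses only the Python 3 standard library (no lxml), and the embedded benchmark is a constructed sample that reproduces both faults, not the real rhel6-xccdf-scap-security-guide.xml. It generalizes slightly beyond the thread by checking Value ordering at the Benchmark level as well as inside every Group, and by accepting cluster-id targets for profile selects, both of which XCCDF 1.1 allows.

```python
"""Lint an XCCDF 1.1 benchmark for misplaced Values and dangling profile selects.

Added example for the scap-security-guide thread; not project code.
Python 3, standard library only.
"""
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"


def q(tag):
    """Qualify a tag name with the XCCDF 1.1 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


ITEM_TAGS = (q("Rule"), q("Group"))

# Constructed sample (not the real RHEL6 benchmark) reproducing both faults:
# a Value that follows a Rule inside its Group, and a Profile select whose
# idref names nothing in the Benchmark.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <status>draft</status>
  <title>Sample</title>
  <version>0.1</version>
  <Profile id="server">
    <title>server</title>
    <select idref="set_password_hashing_algorithm" selected="true"/>
    <select idref="limit_password_reuse" selected="true"/>
  </Profile>
  <Group id="accounts">
    <title>Accounts</title>
    <Rule id="set_password_hashing_algorithm" selected="false">
      <title>Set Password Hashing Algorithm</title>
    </Rule>
    <Value id="password_history_retain_number" type="number">
      <title>remember</title>
      <value selector="">5</value>
      <value selector="10">10</value>
    </Value>
  </Group>
</Benchmark>
"""


def containers(root):
    """The Benchmark plus every Group: the elements whose children are ordered."""
    return [root] + list(root.iter(q("Group")))


def misplaced_values(root):
    """XCCDF 1.1 places all Value children before any Rule/Group sibling.
    Return (container id, Value id) for every Value that follows a Rule or
    Group; oscap rejects these with 'Element Value: This element is not expected'."""
    hits = []
    for container in containers(root):
        seen_item = False
        for child in list(container):
            if child.tag in ITEM_TAGS:
                seen_item = True
            elif child.tag == q("Value") and seen_item:
                hits.append((container.get("id"), child.get("id")))
    return hits


def dangling_selects(root):
    """A Profile/select idref must name a Rule or Group id (or a cluster-id);
    otherwise oscap reports 'Selector ID(...) does not exist in Benchmark'."""
    known = set()
    for tag in ITEM_TAGS:
        for item in root.iter(tag):
            known.add(item.get("id"))
            if item.get("cluster-id"):
                known.add(item.get("cluster-id"))
    hits = []
    for profile in root.iter(q("Profile")):
        for sel in profile.findall(q("select")):
            if sel.get("idref") not in known:
                hits.append((profile.get("id"), sel.get("idref")))
    return hits


def reorder_values(root):
    """Repair the ordering fault in place: move each misplaced Value ahead of the
    first Rule/Group sibling. The Value itself is untouched, so the check that
    exports it keeps its selectors. Returns the number of Values moved."""
    moved = 0
    for container in containers(root):
        children = list(container)
        first_item = None
        for i, child in enumerate(children):
            if child.tag in ITEM_TAGS:
                first_item = i
                break
        if first_item is None:
            continue
        for child in children[first_item:]:
            if child.tag == q("Value"):
                container.remove(child)
                container.insert(first_item, child)
                first_item += 1
                moved += 1
    return moved


def lint(xml_text, fix=False):
    """Parse the benchmark, optionally reorder Values, and report both fault classes."""
    root = ET.fromstring(xml_text)
    moved = reorder_values(root) if fix else 0
    return {
        "moved": moved,
        "misplaced_values": misplaced_values(root),
        "dangling_selects": dangling_selects(root),
        "xml": ET.tostring(root, encoding="unicode") if fix else None,
    }


if __name__ == "__main__":
    paths = [a for a in sys.argv[1:] if a != "--fix"]
    text = open(paths[0]).read() if paths else SAMPLE
    report = lint(text, fix="--fix" in sys.argv)
    for kind in ("misplaced_values", "dangling_selects"):
        for hit in report[kind]:
            sys.stderr.write("%s: %s\n" % (kind, hit))
    if report["xml"] is not None:
        sys.stdout.write(report["xml"])
```

Run it as `python3 xccdf_lint.py dist/content/rhel6-xccdf-scap-security-guide.xml` after `make all`; with `--fix` the reordered benchmark goes to stdout and the findings to stderr. Reordering only cures the schema error. A dangling select still needs the referenced Rule or Group to exist, which is what the patch in this thread does in the source tree, and that is where the change should be made so the next build does not regenerate the fault.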
Hi Kevin,
Just did a pull and oscap runs without any errors. Thanks!
Regards, Willem.
On Thu, Jul 26, 2012 at 4:23 PM, Willem Bos whbos@xs4all.nl wrote: