Attempting to use the RHEL 8 data streams, but even 'oscap info' fails using the latest release [0]:
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml
Document type: Source Data Stream
Imported: 2019-06-02T11:16:07

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies from datastream. [ds_sds_session.c:211]
Looking at the ssg-rhel8-ds-1.3 file, there are lots of mentions of SCAP 1.2 instead of 1.3?
[0] https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/scap-s...
On 6/2/19 2:24 PM, Shawn Wells wrote:
p.s. this also happens with upstream:
$ ./build_product rhel8
$ oscap info build/ssg-rhel8-ds-1.3.xml
Document type: Source Data Stream
Imported: 2019-06-02T14:27:51

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies from datastream. [ds_sds_session.c:211]
The rhel8 1.2 datastream appears fine when using "oscap info," but using it also results in an error:
$ oscap info build/ssg-rhel8-ds.xml
Document type: Source Data Stream
Imported: 2019-06-02T14:27:50

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
        Status: draft
        Generated: 2019-06-02
        Resolved: true
        Profiles:
            Title: Criminal Justice Information Services (CJIS) Security Policy
                Id: xccdf_org.ssgproject.content_profile_cjis
            Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                Id: xccdf_org.ssgproject.content_profile_cui
            Title: Health Insurance Portability and Accountability Act (HIPAA)
                Id: xccdf_org.ssgproject.content_profile_hipaa
            Title: Protection Profile for General Purpose Operating Systems
                Id: xccdf_org.ssgproject.content_profile_ospp
            Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_pci-dss
            Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
                Id: xccdf_org.ssgproject.content_profile_rht-ccp
            Title: Standard System Security Profile for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_standard
        Referenced check files:
            ssg-rhel8-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-rhel8-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
            https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
$ sudo atomic scan --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_ospp,report registry.redhat.io/ubi8/ubi-minimal --scanner openscap-ncp
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-06-02-07-30-02-549130:/scanin -v /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro openscap-ncp:latest oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan --fix_type bash -j1 --xccdf-id scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_ospp --report

registry.redhat.io/ubi8/ubi-minimal (3bfa511b67f8277)
registry.redhat.io/ubi8/ubi-minimal is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130.
Hi Shawn,
It seems to me that `openscap-daemon` doesn't contain the RHEL 8 CPE, so it can't pick the RHEL 8 datastream that you added to the container. However, in the RHEL 7 container the RHEL 8 datastreams aren't shipped, so it means customers won't be able to scan RHEL 8-based containers on RHEL 7 hosts anyway.
Regards
On Sun, Jun 2, 2019 at 8:34 PM Shawn Wells shawn@redhat.com wrote:
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
On Jun 3, 2019, at 10:30 AM, Jan Cerny jcerny@redhat.com wrote:
Yikes - so there is no possible way to scan RHEL 8 systems? How soon will that bug be fixed?
Hi Shawn,
In atomic scan it isn't possible to scan RHEL8 containers.
But you can download the content from upstream and use `oscap-docker`, eg.:
oscap-docker image ubi8/ubi-minimal xccdf eval --fetch-remote-resources --profile ospp scap-security-guide-0.1.44/ssg-rhel8-ds-1.3.xml
This works for me on RHEL 7. For the 1.3 datastreams, you have to provide the --fetch-remote-resources option, due to https://bugzilla.redhat.com/show_bug.cgi?id=1709423
Regards
On Mon, Jun 3, 2019 at 10:40 AM Shawn Wells shawn@redhat.com wrote:
Hi Shawn,
On Sun, Jun 2, 2019 at 8:25 PM Shawn Wells shawn@redhat.com wrote:
Attempting to use the RHEL 8 data streams, but even 'oscap info' fails using the latest release [0]:
This is an issue in OpenSCAP. OpenSCAP can't process datastreams that contain a `component-ref` element that references content from the internet without `--fetch-remote-resources` being provided on the command line. We reference remote content in the rule "Security patches are up to date". Using a `component-ref` element to reference remote content is required by the SCAP 1.3 standard.
As a workaround, add `--fetch-remote-resources` to the `oscap` call. This issue has already been fixed upstream in https://github.com/OpenSCAP/openscap/pull/1324.
Looking at the ssg-rhel8-ds-1.3 file, there are lots of mentions of SCAP 1.2 instead of 1.3?
If it's related to XCCDF 1.2, then it's correct (surprisingly), because the SCAP 1.3 standard contains XCCDF 1.2, not XCCDF 1.3. See https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/SCAP-Rel... , section "Languages".
However, this seems to be wrong:

<ns10:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8" resolved="1" style="SCAP_1.2">

Nice catch! Thanks.
[0]
https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/scap-s...
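The two findings in this thread (a `component-ref` whose `xlink:href` is a remote URL, which `oscap` will not resolve without `--fetch-remote-resources`, and a Benchmark whose `style` attribute says `SCAP_1.2` inside a `scap-version="1.3"` data stream) can both be caught before running a scan. The script below is an added example written for this page; it is not code from scap-security-guide or OpenSCAP. The embedded data stream is a constructed, cut-down stand-in for ssg-rhel8-ds-1.3.xml (the ids, the remote href and `style="SCAP_1.2"` are the ones quoted above; the timestamps and the empty OVAL component are made up), and the expectation that a SCAP 1.3 stream's Benchmark should carry `style="SCAP_1.3"` is an assumption drawn from the "this seems to be wrong" remark above.

```python
"""Pre-flight checks for a SCAP source data stream:
(1) list ds:component-ref elements whose xlink:href is a remote URL, which
    make `oscap` fail unless --fetch-remote-resources is given;
(2) compare each XCCDF Benchmark's style attribute with the data stream's
    scap-version (assumed expected form: SCAP_<scap-version>).
Added example; not code from scap-security-guide or OpenSCAP."""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xlink": "http://www.w3.org/1999/xlink",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
}

# Constructed stand-in for ssg-rhel8-ds-1.3.xml (ids, remote href and
# style="SCAP_1.2" as quoted in the thread; timestamps and the empty OVAL
# component are invented).
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="scap_org.open-scap_collection_from_xccdf_ssg-rhel8-xccdf-1.2.xml"
    schematron-version="1.3">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml"
      scap-version="1.3" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-oval.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel8-oval.xml"/>
      <ds:component-ref id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2"
          xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
  <ds:component id="scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml" timestamp="2019-06-02T00:00:00">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8" resolved="1" style="SCAP_1.2">
      <xccdf:status date="2019-06-02">draft</xccdf:status>
    </xccdf:Benchmark>
  </ds:component>
  <ds:component id="scap_org.open-scap_comp_ssg-rhel8-oval.xml" timestamp="2019-06-02T00:00:00"/>
</ds:data-stream-collection>
"""


def _q(prefix: str, name: str) -> str:
    """Clark-notation tag name ({uri}local) for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], name)


def remote_component_refs(ds_xml: str) -> List[Tuple[str, str]]:
    """(component-ref id, href) for every ref that points at a remote URL
    rather than a local '#component-id' fragment."""
    root = ET.fromstring(ds_xml)
    remote = []
    for ref in root.iter(_q("ds", "component-ref")):
        href = ref.get(_q("xlink", "href"), "")
        if href.startswith(("http://", "https://")):
            remote.append((ref.get("id", ""), href))
    return remote


def style_mismatches(ds_xml: str) -> List[Tuple[str, str, str]]:
    """(benchmark id, actual style, expected style) for each XCCDF Benchmark
    whose style does not equal 'SCAP_' + the data stream's scap-version.
    Assumes a single ds:data-stream per file, as in SSG's builds."""
    root = ET.fromstring(ds_xml)
    stream = root.find(_q("ds", "data-stream"))
    if stream is None or not stream.get("scap-version"):
        return []
    expected = "SCAP_" + stream.get("scap-version")
    mismatches = []
    for bench in root.iter(_q("xccdf", "Benchmark")):
        actual = bench.get("style", "")
        if actual != expected:
            mismatches.append((bench.get("id", ""), actual, expected))
    return mismatches


def check_datastream(ds_xml: str) -> Dict[str, object]:
    remote = remote_component_refs(ds_xml)
    return {
        "needs_fetch_remote_resources": bool(remote),
        "remote_refs": remote,
        "style_mismatches": style_mismatches(ds_xml),
    }


def main(argv: List[str]) -> int:
    # With a path argument, check that file; otherwise the constructed sample.
    ds_xml = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_DS
    result = check_datastream(ds_xml)
    for cref, href in result["remote_refs"]:
        print("remote component-ref %s -> %s" % (cref, href))
    if result["needs_fetch_remote_resources"]:
        print("=> pass --fetch-remote-resources to oscap, or it will stop with "
              "'Could not extract ... with all dependencies from datastream'")
    for bid, actual, expected in result["style_mismatches"]:
        print("Benchmark %s has style=%r, expected %r" % (bid, actual, expected))
    return 1 if result["style_mismatches"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_ds.py /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml` to see, before the scan, whether the stream pulls in Red Hat's OVAL feed from the network; that is also the moment to decide whether an air-gapped scanner should use a 1.2 stream or a pre-fetched copy instead of letting `oscap` download content at evaluation time.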