[prev in list] [next in list] [prev in thread] [next in thread]
List: scap-security-guide
Subject: Re: scap-workbench and SSG -.1.25
From: Jan Lieskovsky <jlieskov () redhat ! com>
Date: 2015-08-27 7:00:48
Message-ID: 1209349528.28753275.1440658848051.JavaMail.zimbra () redhat ! com
[Download RAW message or body]
Hello Ron,
thank you for your report.
----- Original Message -----
> From: "Simon Lukasik" <isimluk@fedoraproject.org>
> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
> Sent: Thursday, August 27, 2015 8:06:16 AM
> Subject: Re: scap-workbench and SSG -.1.25
>
> Hello Ron,
>
> Thanks for checking with us.
>
> I guess the cause is the new OVAL version (5.11) in SSG.
Simon is right. Have verified the 'ssg-centos7-ds.xml' benchmark
from SSG 0.1.25 Zip archive:
[1] https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.25/scap-security-guide-0.1.25.zip
contains OVAL file of version 5.11.
> Let me
> elaborate. The tools in centos-7 do not support OVAL-5.11. While the
> latest SSG uses OVAL-5.11.
To clarify a bit on this point. SSG is able to produce both (OVAL-5.10.1
and OVAL-5.11) versions of the OVAL document. The final version of produced
OVAL depends on the version of the underlying "oscap" command that was
used to produce the content (if "oscap" supports 5.10.1 version only,
final SSG OVAL will be of version 5.10 [and OVAL-5.11 checks will simply not
be included]. If "oscap" supports 5.11 OVAL language version already,
the produced SSG OVAL will be of version 5.11 already, and all OVAL checks
will be included).
The behaviour you are experiencing is there because those 0.1.25 SSG Zip
archive datastreams were produced using "oscap" version supporting OVAL-5.11
version already.
>
> With the next Red Hat Enterprise Linux 7 update we will be delivering
> tools that support OVAL-5.11.1. Until then you can use
> the-latest-greatest OpenSCAP repo at
> https://copr.fedoraproject.org/coprs/isimluk/OpenSCAP/
As Simon pointed out, the tentative plan is to switch to using OVAL-5.11
language version already (majority of the developers would have latest OpenSCAP
installed, and therefore we would not notice this issue).
But to preserve compatibility (OVAL-5.10.1 and OVAL-5.11 language versions
aren't backward compatible) -- IOW to allow the new SSG releases to run also
with older "oscap" / "scap-workbench" versions, the produced SSG Zip archive
should also contain datastreams build with older "oscap" versions.
Therefore I have filed:
[2] https://github.com/OpenSCAP/scap-security-guide/issues/655
to fix this state in future releases (start producing also OVAL-5.10.1
based DataStreams in the SSG Zip archive in future releases).
For now please apply the following steps as a workaround to produce
SSG-0.1.25 benchmarks for openscap-1.1.1 you are using:
* Download the upstream tarball:
$ wget -O scap-security-guide-0.1.25.tar.gz \
https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.25.tar.gz
* Expand it:
$ tar xvzf scap-security-guide-0.1.25.tar.gz
* Build the RPM:
$ cd scap-security-guide-0.1.25/ && make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm
* (As privileged user -- root) Install the produced RPM:
# rpm -i rpmbuild/RPMS/noarch/scap-security-guide-0.1.25-1.fc22.noarch.rpm
If you want to have the HTML guides installed too, install the -doc subpackage too:
# rpm -i rpmbuild/RPMS/noarch/scap-security-guide-doc-0.1.25-1.fc22.noarch.rpm
Note: I have tried the above scenario on Fedora 22 system, but it should work
also for CentOS 7 system. If not, that's a bug && it should be reported.
The benchmarks produced this way will be usable with those "oscap" and \
"scap-workbench" versions, you reported.
Hope the above being helpful.
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> Best,
> ~Å¡.
>
> On 08/27/2015 01:52 AM, Ron Backman wrote:
> > I am using SCAP-Workbench 1.0.2 on CentOS 7 and just downloaded the
> > lastest Scap Sceucity Guides version 0.1.25
> >
> > I am getting the following error. I tried opening a few of the other
> > Data Stream XML docs and am getting the same error. Is this DataStream
> > (1.2) to new for the SCAP -Workbench?
> >
> > Ideas?
> > --------------------------------
> >
> > 19:49:48
> >
> >
> >
> > info
> >
> >
> >
> > scap-workbench 1.0.2, compiled with Qt 4.8.5, using openscap 1.1.1
> >
> >
> > 19:50:00
> >
> >
> >
> > except
> >
> >
> >
> > Error while opening file. There was a problem with ScanningSession!
> > Failed to reload session. OpenSCAP error message: Invalid SCAP Source
> > Datastream (1.2) content in
> > /home/backman/Downloads/scap-security-guide-0.1.25/ssg-centos7-ds.xml.
> > [xccdf_session.c:352]
> >
> >
> >
> >
>
>
> --
> Å imon LukaÅ¡Ãk
> Security Technologies, Red Hat, Inc.
> --
> SCAP Security Guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic