ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Ubuntu 14.04: No match found for key-sequence #2130

Closed jesuslinares closed 7 years ago

jesuslinares commented 7 years ago

Hi,

I'm using OpenSCAP scanner in Ubuntu 14.04:

oscap --version
OpenSCAP command line tool (oscap) 1.0.2
Copyright 2009--2014 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Schematron files: /usr/share/openscap/xsl
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/lib/x86_64-linux-gnu/openscap

==== Inbuilt CPE names ====
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info                  probe_system_info
family                       probe_family
filehash                     probe_filehash
environmentvariable          probe_environmentvariable
textfilecontent54            probe_textfilecontent54
textfilecontent              probe_textfilecontent
variable                     probe_variable
xmlfilecontent               probe_xmlfilecontent
environmentvariable58        probe_environmentvariable58
filehash58                   probe_filehash58
dpkginfo                     probe_dpkginfo
inetlisteningservers         probe_inetlisteningservers
partition                    probe_partition
iflisteners                  probe_iflisteners
selinuxboolean               probe_selinuxboolean
selinuxsecuritycontext       probe_selinuxsecuritycontext
file                         probe_file
interface                    probe_interface
password                     probe_password
process                      probe_process
runlevel                     probe_runlevel
shadow                       probe_shadow
uname                        probe_uname
xinetd                       probe_xinetd
sysctl                       probe_sysctl
process58                    probe_process58
fileextendedattribute        probe_fileextendedattribute
routingtable                 probe_routingtable

When I run a scan using the ubuntu-1404-ds.xml policy:

oscap xccdf eval --results /home/t.txt --profile xccdf_org.ssgproject.content_profile_common ssg-ubuntu-1404-ds.xml

I get a lot of errors:

...
File 'ssg-ubuntu-1404-ds.xml' line 4192: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:ssg-object_last_uid_min_from_etc_login_defs:obj:1'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
 [../../../src/XCCDF/xccdf_session.c:341]
File 'ssg-ubuntu-1404-ds.xml' line 4212: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:ssg-object_last_sys_uid_min_from_etc_login_defs:obj:1'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
 [../../../src/XCCDF/xccdf_session.c:341]
File 'ssg-ubuntu-1404-ds.xml' line 4217: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:ssg-object_last_sys_uid_max_from_etc_login_defs:obj:1'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
 [../../../src/XCCDF/xccdf_session.c:341]
Invalid SCAP Source Datastream (1.2) content in ssg-ubuntu-1404-ds.xml. [../../../src/XCCDF/xccdf_session.c:351]

What is happening? It seems like this file requires OVAL Version 5.11, but the scanner in Ubuntu 14.04 has the 5.10.1 version.

You guys are doing a great job with SCAP!

Thanks. Regards.

pthierry38 commented 7 years ago

Hi!

I'm managing the package for Debian but not for Ubuntu, in which SSG is integrated through Debian sync. As the xml files are generated in the Debian builders for the debian targets (testing and sid) using oscap >1.2 (supporting oval 5.11) this should have generated a datastream incompatible with oscap 1.0.2.

The SSG sources permit building a 5.10-compatible datastream for Trusty, as the problem doesn't come from the SSG sources but from the build context (oscap version at build time).

What you can do:

jesuslinares commented 7 years ago

Hi,

there is no Trusty content for v0.1.31: https://github.com/OpenSCAP/scap-security-guide/tree/v0.1.31/Ubuntu/14.04

I think the best idea is to update the oscap package for Ubuntu Trusty. When will it be available?

Thanks. Regards.

jesuslinares commented 7 years ago

I was not able to rebuild oscap or ssg in Trusty... I get a lot of errors following the instructions.

If the default oscap package is 1.0.2, the ssg trusty policy must be compatible with that version.

mpreisler commented 7 years ago

@jesuslinares

Could you please try:

git clone https://github.com/OpenSCAP/scap-security-guide.git
cd scap-security-guide/build
cmake -DSSG_OVAL_511_ENABLED=off ../
make -j 4 ubuntu1404

Now try the ssg-ubuntu1404-ds.xml in the build directory. Since OVAL 5.11 was disabled at configure time, it should now work even with older openscap.
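A pre-flight check for the mismatch discussed above, as an added example that is not part of the original thread or of the OpenSCAP/SSG code base: it compares the OVAL schema version declared in a datastream with the "OVAL Version" line of `oscap --version`, and lists `object_ref` attributes that point at objects not defined in the same OVAL document (an approximation of the schema keyref check that produced "No match found for key-sequence"). The function names and both sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_COMMON = "http://oval.mitre.org/XMLSchema/oval-common-5"

# Constructed excerpt of `oscap --version` output (same shape as in the report).
SAMPLE_OSCAP_VERSION = """OpenSCAP command line tool (oscap) 1.0.2
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3
"""

# Constructed, minimal datastream: declares OVAL 5.11 and contains one
# object_component whose object_ref has no matching object definition.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
  <ds:component id="constructed-oval-component">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
        xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
        xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
      <generator><oval:schema_version>5.11</oval:schema_version></generator>
      <objects>
        <ind:textfilecontent54_object id="oval:ssg-object_present:obj:1" version="1"/>
      </objects>
      <variables>
        <local_variable id="oval:ssg-var_ok:var:1" version="1">
          <object_component object_ref="oval:ssg-object_present:obj:1"
                            item_field="subexpression"/>
        </local_variable>
        <local_variable id="oval:ssg-var_broken:var:1" version="1">
          <object_component
              object_ref="oval:ssg-object_last_uid_min_from_etc_login_defs:obj:1"
              item_field="subexpression"/>
        </local_variable>
      </variables>
    </oval_definitions>
  </ds:component>
</ds:data-stream-collection>
"""


def parse_version(text):
    """Turn '5.10.1' into (5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def scanner_oval_version(oscap_version_output):
    """Extract the supported OVAL version from `oscap --version` output."""
    match = re.search(r"^OVAL Version:\s*(\d+(?:\.\d+)*)\s*$",
                      oscap_version_output, re.MULTILINE)
    if match is None:
        raise ValueError("no 'OVAL Version:' line in oscap output")
    return parse_version(match.group(1))


def audit_content(xml_text, scanner_version):
    """Report declared OVAL versions and dangling object references.

    Works on a bare OVAL file or on a source datastream that embeds one or
    more <oval_definitions> documents. Parse only content you built or
    trust; ElementTree is not hardened against hostile XML.
    """
    root = ET.fromstring(xml_text)
    versions, dangling = [], []
    for oval_doc in root.iter(f"{{{OVAL_DEF}}}oval_definitions"):
        declared = oval_doc.find(
            f"{{{OVAL_DEF}}}generator/{{{OVAL_COMMON}}}schema_version")
        if declared is not None and declared.text:
            versions.append(parse_version(declared.text))

        # IDs of every object defined in this OVAL document.
        objects = oval_doc.find(f"{{{OVAL_DEF}}}objects")
        defined = set()
        if objects is not None:
            defined = {obj.get("id") for obj in objects}

        # Any object_ref (tests, object_component, ...) must resolve locally.
        for element in oval_doc.iter():
            ref = element.get("object_ref")
            if ref is not None and ref not in defined:
                dangling.append(ref)

    return {
        "content_versions": versions,
        "too_new_for_scanner": any(v > scanner_version for v in versions),
        "dangling_object_refs": dangling,
    }


if __name__ == "__main__":
    supported = scanner_oval_version(SAMPLE_OSCAP_VERSION)
    report = audit_content(SAMPLE_DS, supported)
    print("scanner supports OVAL", ".".join(map(str, supported)))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, feed it the text of `oscap --version` and the contents of the datastream file before scheduling scans, so that a content/scanner mismatch is caught before the scan aborts without producing results.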

jesuslinares commented 7 years ago

I tried it, I think the main error is:

OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]

make -j 4 ubuntu1404

Scanning dependencies of target generate-internal-bash-remediation-functions.xml
Scanning dependencies of target ubuntu1404-tables
Scanning dependencies of target generate-internal-ubuntu1404-guide.xml
Scanning dependencies of target generate-internal-ubuntu1404-oval-unlinked.xml
[  0%] [  0%] [  0%] [bash-remediation-functions] generating bash-remediation-functions.xml
[ubuntu1404-content] generating guide.xml (SVG logo disabled)
Built target ubuntu1404-tables
[  0%] [  0%] [ubuntu1404-content] generating oval-unlinked.xml (OVAL 5.11 checks disabled)
Built target generate-internal-ubuntu1404-guide.xml
[  0%] Built target generate-internal-bash-remediation-functions.xml
Scanning dependencies of target generate-internal-ubuntu1404-shorthand.xml
[  0%] Scanning dependencies of target generate-internal-ubuntu1404-ansible-remediations.xml
Scanning dependencies of target generate-internal-ubuntu1404-bash-remediations.xml
[ubuntu1404-content] generating shorthand.xml
[  0%] [  0%] [ubuntu1404-content] generating ansible-remediations.xml
[ubuntu1404-content] generating bash-remediations.xml
[  0%] Built target generate-internal-ubuntu1404-shorthand.xml
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Scanning dependencies of target generate-internal-ubuntu1404-puppet-remediations.xml
[  0%] [ubuntu1404-content] generating puppet-remediations.xml
Template not found: './template_OVAL_kernel_module_disabled'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_kernel_module_disabled'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/test/scap-security-guide/shared/templates, /root/test/scap-security-guide/shared/templates/..
Unknown target language: "puppet"
Unknown target language: "puppet"
Unknown target language: "ansible"
Unknown target language: "bash"
Merged 132 OVAL checks.
Unknown target language: "puppet"
Unknown target language: "puppet"
Unknown target language: "puppet"
Not merging remediation scripts from the '/root/test/scap-security-guide/Ubuntu/14.04/templates/static/ansible' directory as the directory does not exist.
Merged 42 ansible remediations.
[  0%] Built target generate-internal-ubuntu1404-ansible-remediations.xml
Not merging remediation scripts from the '/root/test/scap-security-guide/Ubuntu/14.04/templates/static/puppet' directory as the directory does not exist.
Merged 25 puppet remediations.
Merged 30 bash remediations.
[  0%] Scanning dependencies of target generate-internal-ubuntu1404-anaconda-remediations.xml
[  0%] Built target generate-internal-ubuntu1404-puppet-remediations.xml
[  0%] [  0%] Built target generate-internal-ubuntu1404-bash-remediations.xml
Built target generate-internal-ubuntu1404-oval-unlinked.xml
[ubuntu1404-content] generating anaconda-remediations.xml
Scanning dependencies of target generate-internal-ubuntu1404-xccdf-unlinked-resolved.xml
Scanning dependencies of target generate-ssg-ubuntu1404-cpe-dictionary.xml
[  0%] [ubuntu1404-content] generating xccdf-unlinked-resolved.xml
[  0%] [ubuntu1404-content] generating ssg-ubuntu1404-cpe-dictionary.xml, ssg-ubuntu1404-cpe-oval.xml
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Unknown target language: "anaconda"

        Error: Can't locate "installed_OS_is_ubuntu1404" OVAL file in the
        list of OVAL checks for this product! Exiting..
[  0%] Built target generate-internal-ubuntu1404-xccdf-unlinked-resolved.xml
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Unknown target language: "anaconda"
[  0%] Scanning dependencies of target generate-internal-ubuntu1404-ocil-unlinked.xml
Built target generate-ssg-ubuntu1404-cpe-dictionary.xml
[  0%] [ubuntu1404-content] generating ocil-unlinked.xml
Not merging remediation scripts from the '/root/test/scap-security-guide/Ubuntu/14.04/templates/static/anaconda' directory as the directory does not exist.
Merged 0 anaconda remediations.
[  0%] Built target generate-internal-ubuntu1404-anaconda-remediations.xml
[  0%] Built target generate-internal-ubuntu1404-ocil-unlinked.xml
Scanning dependencies of target generate-internal-ubuntu1404-xccdf-unlinked-ocilrefs.xml
[  0%] [ubuntu1404-content] generating xccdf-unlinked-ocilrefs.xml
[  0%] Built target generate-internal-ubuntu1404-xccdf-unlinked-ocilrefs.xml
Scanning dependencies of target generate-internal-ubuntu1404-xccdf-unlinked.xml
[  0%] [ubuntu1404-content] generating xccdf-unlinked.xml
[  0%] Built target generate-internal-ubuntu1404-xccdf-unlinked.xml
Scanning dependencies of target generate-internal-ubuntu1404-linked-xccdf-oval-ocil.xml
[  0%] [ubuntu1404-content] linking IDs, generating xccdf-linked.xml, oval-linked.xml, ocil-linked.xml
WARNING: OVAL check 'service_rsyslog_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_ownership' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_groupownership' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_permissions' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_syslogng_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_syslogng_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_auditd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_auditd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_cron_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_cron_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_ntpd_enabled' was not found, removing <check-content> element from the XCCDF rule.
[ 25%] Built target generate-internal-ubuntu1404-linked-xccdf-oval-ocil.xml
Scanning dependencies of target generate-ssg-ubuntu1404-xccdf.xml
Scanning dependencies of target generate-ssg-ubuntu1404-ocil.xml
Scanning dependencies of target generate-ssg-ubuntu1404-oval.xml
[ 25%] [ 25%] [ 25%] [ubuntu1404-content] generating ssg-ubuntu1404-xccdf.xml
[ubuntu1404-content] generating ssg-ubuntu1404-oval.xml
[ubuntu1404-content] generating ssg-ubuntu1404-ocil.xml
[ 25%] Built target generate-ssg-ubuntu1404-ocil.xml
[ 25%] Built target generate-ssg-ubuntu1404-oval.xml
Unselected empty groups in 'common'.
Unselected empty groups in 'anssi_np_nt28_minimal'.
Unselected empty groups in 'anssi_np_nt28_average'.
Unselected empty groups in 'anssi_np_nt28_restrictive'.
Unselected empty groups in 'anssi_np_nt28_high'.
[ 50%] Built target generate-ssg-ubuntu1404-xccdf.xml
Scanning dependencies of target generate-all-roles-ubuntu1404-yml
Scanning dependencies of target generate-all-roles-ubuntu1404-sh
Scanning dependencies of target generate-ssg-ubuntu1404-xccdf-1.2.xml
[ 50%] [ 50%] [ 50%] [ubuntu1404-roles] generating urn:xccdf:fix:script:sh remediation roles for all profiles in ssg-ubuntu1404-xccdf.xml
[ubuntu1404-content] generating ssg-ubuntu1404-xccdf-1.2.xml
[ubuntu1404-roles] generating urn:xccdf:fix:script:ansible remediation roles for all profiles in ssg-ubuntu1404-xccdf.xml
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
I/O Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-default.sh' for profile ID '' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-default.yml' for profile ID '' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_minimal.sh' for profile ID 'anssi_np_nt28_minimal' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_minimal.yml' for profile ID 'anssi_np_nt28_minimal' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
I/O I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-common.sh' for profile ID 'common' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-common.yml' for profile ID 'common' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
[ 50%] Built target generate-ssg-ubuntu1404-xccdf-1.2.xml
I/O I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_restrictive.sh' for profile ID 'anssi_np_nt28_restrictive' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_restrictive.yml' for profile ID 'anssi_np_nt28_restrictive' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
I/O Scanning dependencies of target generate-ssg-ubuntu1404-ds.xml
warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_high.sh' for profile ID 'anssi_np_nt28_high' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_high.yml' for profile ID 'anssi_np_nt28_high' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_average.sh' for profile ID 'anssi_np_nt28_average' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.

Generated '/root/test/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_average.yml' for profile ID 'anssi_np_nt28_average' in benchmark 'UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.

[ 50%] [ 50%] [ 75%] Built target generate-all-roles-ubuntu1404-yml
Built target generate-all-roles-ubuntu1404-sh
[ubuntu1404-content] generating ssg-ubuntu1404-ds.xml
/usr/bin/oscap: unrecognized option '--skip-valid'
Scanning dependencies of target ubuntu1404-roles
Usage:    oscap [options] ds sds-compose xccdf-file.xml target_datastream.xml
Help:     oscap ds sds-compose -h
make[3]: *** [ssg-ubuntu1404-ds.xml] Error 100
make[2]: *** [Ubuntu/14.04/CMakeFiles/generate-ssg-ubuntu1404-ds.xml.dir/all] Error 2
make[2]: *** Waiting for unfinished jobs....
[ 75%] Built target ubuntu1404-roles
make[1]: *** [Ubuntu/14.04/CMakeFiles/ubuntu1404.dir/rule] Error 2
make: *** [ubuntu1404] Error 2

mpreisler commented 7 years ago

@jesuslinares That's really odd. The file in question should come with OpenSCAP. I am wondering whether your openscap was built correctly.

jesuslinares commented 7 years ago

I tried it again:

apt-get remove libopenscap8 --purge
apt-get clean all
apt-get update
apt-get install libopenscap8 libopenscap8-dbg libopenscap-dev libopenscap-perl -y
cd scap-security-guide/
cd build/
cmake -DSSG_OVAL_511_ENABLED=off ../
make clean
make -j 4 ubuntu1404
make -j 4 ubuntu1404
[  0%] [  0%] [  0%] Built target ubuntu1404-tables
[ubuntu1404-content] generating guide.xml (SVG logo disabled)
[bash-remediation-functions] generating bash-remediation-functions.xml
[  0%] [  0%] [ubuntu1404-content] generating oval-unlinked.xml (OVAL 5.11 checks disabled)
Built target generate-internal-ubuntu1404-guide.xml
[  0%] Built target generate-internal-bash-remediation-functions.xml
[  0%] [  0%] [ubuntu1404-content] generating shorthand.xml
[ubuntu1404-content] generating puppet-remediations.xml
[  0%] [ubuntu1404-content] generating bash-remediations.xml
[  0%] Built target generate-internal-ubuntu1404-shorthand.xml
Unknown target language: "puppet"
Unknown target language: "puppet"
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
[  0%] [ubuntu1404-content] generating ansible-remediations.xml
Template not found: './template_OVAL_kernel_module_disabled'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_kernel_module_disabled'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Unknown target language: "puppet"
Unknown target language: "puppet"
Unknown target language: "puppet"
Not merging remediation scripts from the '/root/scap-security-guide/Ubuntu/14.04/templates/static/puppet' directory as the directory does not exist.
Merged 25 puppet remediations.
Unknown target language: "bash"
[  0%] Built target generate-internal-ubuntu1404-puppet-remediations.xml
[  0%] [ubuntu1404-content] generating anaconda-remediations.xml
Unknown target language: "ansible"
Merged 132 OVAL checks.
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Merged 30 bash remediations.
[  0%] Built target generate-internal-ubuntu1404-bash-remediations.xml
[  0%] Not merging remediation scripts from the '/root/scap-security-guide/Ubuntu/14.04/templates/static/ansible' directory as the directory does not exist.
Merged 42 ansible remediations.
[ubuntu1404-content] generating xccdf-unlinked-resolved.xml
[  0%] [  0%] Built target generate-internal-ubuntu1404-oval-unlinked.xml
Built target generate-internal-ubuntu1404-ansible-remediations.xml
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Unknown target language: "anaconda"
[  0%] Not merging remediation scripts from the '/root/scap-security-guide/Ubuntu/14.04/templates/static/anaconda' directory as the directory does not exist.
Merged 0 anaconda remediations.
[ubuntu1404-content] generating ssg-ubuntu1404-cpe-dictionary.xml, ssg-ubuntu1404-cpe-oval.xml
[  0%] Built target generate-internal-ubuntu1404-anaconda-remediations.xml
[  0%] Built target generate-internal-ubuntu1404-xccdf-unlinked-resolved.xml
[  0%]
        Error: Can't locate "installed_OS_is_ubuntu1404" OVAL file in the
        list of OVAL checks for this product! Exiting..
[ubuntu1404-content] generating ocil-unlinked.xml
[  0%] Built target generate-ssg-ubuntu1404-cpe-dictionary.xml
[  0%] Built target generate-internal-ubuntu1404-ocil-unlinked.xml
[  0%] [ubuntu1404-content] generating xccdf-unlinked-ocilrefs.xml
[ 33%] Built target generate-internal-ubuntu1404-xccdf-unlinked-ocilrefs.xml
[ 33%] [ubuntu1404-content] generating xccdf-unlinked.xml
[ 33%] Built target generate-internal-ubuntu1404-xccdf-unlinked.xml
[ 33%] [ubuntu1404-content] linking IDs, generating xccdf-linked.xml, oval-linked.xml, ocil-linked.xml
WARNING: OVAL check 'service_rsyslog_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_ownership' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_groupownership' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_permissions' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_syslogng_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_syslogng_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_auditd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_auditd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_cron_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_cron_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_ntpd_enabled' was not found, removing <check-content> element from the XCCDF rule.
[ 33%] Built target generate-internal-ubuntu1404-linked-xccdf-oval-ocil.xml
[ 33%] [ 33%] [ 33%] [ubuntu1404-content] generating ssg-ubuntu1404-ocil.xml
[ubuntu1404-content] generating ssg-ubuntu1404-oval.xml
[ubuntu1404-content] generating ssg-ubuntu1404-xccdf.xml
[ 33%] Built target generate-ssg-ubuntu1404-ocil.xml
[ 66%] Built target generate-ssg-ubuntu1404-oval.xml
Unselected empty groups in 'common'.
Unselected empty groups in 'anssi_np_nt28_minimal'.
Unselected empty groups in 'anssi_np_nt28_average'.
Unselected empty groups in 'anssi_np_nt28_restrictive'.
Unselected empty groups in 'anssi_np_nt28_high'.
[ 66%] Built target generate-ssg-ubuntu1404-xccdf.xml
[ 66%] [ubuntu1404-content] generating ssg-ubuntu1404-xccdf-1.2.xml
[ 66%] Built target generate-ssg-ubuntu1404-xccdf-1.2.xml
[ 66%] [ubuntu1404-content] generating ssg-ubuntu1404-ds.xml
/usr/bin/oscap: unrecognized option '--skip-valid'
Usage:    oscap [options] ds sds-compose xccdf-file.xml target_datastream.xml
Help:     oscap ds sds-compose -h
make[3]: *** [ssg-ubuntu1404-ds.xml] Error 100
make[2]: *** [Ubuntu/14.04/CMakeFiles/generate-ssg-ubuntu1404-ds.xml.dir/all] Error 2
make[1]: *** [Ubuntu/14.04/CMakeFiles/ubuntu1404.dir/rule] Error 2
make: *** [ubuntu1404] Error 2

Any suggestions? Thanks a lot!

mpreisler commented 7 years ago

@jesuslinares Hmm, seems you have an archaic version of OpenSCAP. You could go to scap-security-guide/cmake/SSGCommon.cmake and look at the ssg_build_sds target. Remove all occurrences of --skip-valid from there. It will make the build slower but other than that it won't do any harm.

jesuslinares commented 7 years ago

I got some errors:

make -j 4 ubuntu1404
[  0%] [  0%] [bash-remediation-functions] generating bash-remediation-functions.xml
[  0%] Built target ubuntu1404-tables
[ubuntu1404-content] generating guide.xml (SVG logo disabled)
[  0%] [  0%] [ubuntu1404-content] generating oval-unlinked.xml (OVAL 5.11 checks disabled)
Built target generate-internal-ubuntu1404-guide.xml
[  0%] Built target generate-internal-bash-remediation-functions.xml
[  0%] [ubuntu1404-content] generating shorthand.xml
[  0%] [  0%] [ubuntu1404-content] generating ansible-remediations.xml
[ubuntu1404-content] generating bash-remediations.xml
[  0%] Built target generate-internal-ubuntu1404-shorthand.xml
[  0%] [ubuntu1404-content] generating anaconda-remediations.xml
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_removed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_kernel_module_disabled'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_kernel_module_disabled'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Template not found: './template_OVAL_package_installed'. Looked in /root/scap-security-guide/shared/templates, /root/scap-security-guide/shared/templates/..
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Unknown target language: "ansible"
Unknown target language: "bash"
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Unknown target language: "anaconda"
Merged 132 OVAL checks.
Not merging remediation scripts from the '/root/scap-security-guide/Ubuntu/14.04/templates/static/ansible' directory as the directory does not exist.
Merged 42 ansible remediations.
Not merging remediation scripts from the '/root/scap-security-guide/Ubuntu/14.04/templates/static/anaconda' directory as the directory does not exist.
Merged 0 anaconda remediations.
[  0%] [  0%] Merged 30 bash remediations.
Built target generate-internal-ubuntu1404-ansible-remediations.xml
Built target generate-internal-ubuntu1404-anaconda-remediations.xml
[  0%] Built target generate-internal-ubuntu1404-bash-remediations.xml
[  0%] [  0%] Built target generate-internal-ubuntu1404-oval-unlinked.xml
[  0%] [ubuntu1404-content] generating puppet-remediations.xml
[ubuntu1404-content] generating xccdf-unlinked-resolved.xml
[  0%] [ubuntu1404-content] generating ssg-ubuntu1404-cpe-dictionary.xml, ssg-ubuntu1404-cpe-oval.xml
Unknown target language: "puppet"
Unknown target language: "puppet"
[  0%] Built target generate-internal-ubuntu1404-xccdf-unlinked-resolved.xml

        Error: Can't locate "installed_OS_is_ubuntu1404" OVAL file in the
        list of OVAL checks for this product! Exiting..
[  0%] [  0%] [ubuntu1404-content] generating ocil-unlinked.xml
Unknown target language: "puppet"
Unknown target language: "puppet"
Unknown target language: "puppet"
Built target generate-ssg-ubuntu1404-cpe-dictionary.xml
[  0%] Built target generate-internal-ubuntu1404-ocil-unlinked.xml
Not merging remediation scripts from the '/root/scap-security-guide/Ubuntu/14.04/templates/static/puppet' directory as the directory does not exist.
Merged 25 puppet remediations.
[  0%] [  0%] Built target generate-internal-ubuntu1404-puppet-remediations.xml
[ubuntu1404-content] generating xccdf-unlinked-ocilrefs.xml
[ 33%] Built target generate-internal-ubuntu1404-xccdf-unlinked-ocilrefs.xml
[ 33%] [ubuntu1404-content] generating xccdf-unlinked.xml
[ 33%] Built target generate-internal-ubuntu1404-xccdf-unlinked.xml
[ 33%] [ubuntu1404-content] linking IDs, generating xccdf-linked.xml, oval-linked.xml, ocil-linked.xml
WARNING: OVAL check 'service_rsyslog_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_ownership' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_groupownership' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'rsyslog_files_permissions' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_syslogng_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_syslogng_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_auditd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_auditd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'package_cron_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_cron_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_ntpd_enabled' was not found, removing <check-content> element from the XCCDF rule.
[ 33%] Built target generate-internal-ubuntu1404-linked-xccdf-oval-ocil.xml
[ 33%] [ 33%] [ 33%] [ubuntu1404-content] generating ssg-ubuntu1404-ocil.xml
[ubuntu1404-content] generating ssg-ubuntu1404-xccdf.xml
[ubuntu1404-content] generating ssg-ubuntu1404-oval.xml
[ 33%] [ 66%] Built target generate-ssg-ubuntu1404-ocil.xml
Built target generate-ssg-ubuntu1404-oval.xml
Unselected empty groups in 'common'.
Unselected empty groups in 'anssi_np_nt28_minimal'.
Unselected empty groups in 'anssi_np_nt28_average'.
Unselected empty groups in 'anssi_np_nt28_restrictive'.
Unselected empty groups in 'anssi_np_nt28_high'.
[ 66%] Built target generate-ssg-ubuntu1404-xccdf.xml
[ 66%] [ubuntu1404-content] generating ssg-ubuntu1404-xccdf-1.2.xml
[ 66%] Built target generate-ssg-ubuntu1404-xccdf-1.2.xml
[ 66%] [ubuntu1404-content] generating ssg-ubuntu1404-ds.xml
OpenSCAP Error: Unknown document type: 'ssg-ubuntu1404-ocil.xml' [../../../src/common/oscapxml.c:622]
No extended-components, nothing to do...
[100%] Built target generate-ssg-ubuntu1404-ds.xml
[100%] Built target ubuntu1404-content
[100%] [100%] [100%] [ubuntu1404-roles] generating urn:xccdf:fix:script:sh remediation roles for all profiles in ssg-ubuntu1404-ds.xml
[ubuntu1404-roles] generating urn:xccdf:fix:script:ansible remediation roles for all profiles in ssg-ubuntu1404-ds.xml
[ubuntu1404-guides] generating HTML guides for all profiles in ssg-ubuntu1404-ds.xml
Generated '/root/scap-security-guide/build/guides/ssg-ubuntu1404-guide-common.html' for profile ID 'xccdf_org.ssgproject.content_profile_common' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY'.
Generated '/root/scap-security-guide/build/guides/ssg-ubuntu1404-guide-anssi_np_nt28_average.html' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_average' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY'.
Generated '/root/scap-security-guide/build/guides/ssg-ubuntu1404-guide-anssi_np_nt28_high.html' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_high' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY'.
Generated '/root/scap-security-guide/build/guides/ssg-ubuntu1404-guide-anssi_np_nt28_minimal.html' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY'.
Generated '/root/scap-security-guide/build/guides/ssg-ubuntu1404-guide-anssi_np_nt28_restrictive.html' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY'.
I/O I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-default.yml' for profile ID '' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-default.sh' for profile ID '' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
Generated '/root/scap-security-guide/build/guides/ssg-ubuntu1404-guide-default.html' for profile ID '' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY'.

[100%] Built target generate-ssg-ubuntu1404-guide-index.html
[100%] Built target ubuntu1404-guides
I/O I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_minimal.sh' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_minimal.yml' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
I/O I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_restrictive.sh' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_restrictive.yml' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-common.sh' for profile ID 'xccdf_org.ssgproject.content_profile_common' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-common.yml' for profile ID 'xccdf_org.ssgproject.content_profile_common' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
I/O I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_high.sh' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_high' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_high.yml' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_high' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_average.sh' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_average' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:sh.

OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]
Generated '/root/scap-security-guide/build/roles/ssg-ubuntu1404-role-anssi_np_nt28_average.yml' for profile ID 'xccdf_org.ssgproject.content_profile_anssi_np_nt28_average' in benchmark 'xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY', template=urn:xccdf:fix:script:ansible.

[100%] [100%] Built target generate-all-roles-ubuntu1404-yml
Built target generate-all-roles-ubuntu1404-sh
[100%] Built target ubuntu1404-roles
[100%] Built target ubuntu1404

but it seems that it is generated. When I run an "oscap info":

Document type: XCCDF Checklist
Checklist version: 1.1
Status: draft
Generated: 2017-07-06
Imported: 2017-07-06T14:48:25
Resolved: true
Profiles:
        common
        anssi_np_nt28_minimal
        anssi_np_nt28_average
        anssi_np_nt28_restrictive
        anssi_np_nt28_high
I/O warning : failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml"
Referenced check files:
        ssg-ubuntu1404-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        ssg-ubuntu1404-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
OpenSCAP Error: failed to load external entity "/usr/share/openscap/cpe/openscap-cpe-dict.xml" [../../../src/CPE/cpedict_priv.c:328]
Failed to add default CPE to newly created XCCDF policy model. [../../../src/XCCDF_POLICY/xccdf_policy.c:1865]

And the scan returns "notapplicable" or "notselected" items.

The real issue here is the default oscap package for Ubuntu Trusty; it must support OVAL 5.11. I wrote to the Ubuntu list to ask for an update.

Thanks.

mpreisler commented 7 years ago

@jesuslinares Yeah, that would be the clean fix. In the meantime you can open the XCCDF and look for <platform>. Remove all the platform elements and it will work.

The results are notapplicable because the CPE dict is not installed for some reason.
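The workaround suggested in the comment above, as an added example that is not part of the original thread or of the project's code: it removes XCCDF `<platform>` elements while leaving same-named elements from the CPE language namespace alone. The sample document, its ids and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Prefix shared by the XCCDF 1.1 and 1.2 namespaces.
XCCDF_NS_PREFIX = "{http://checklists.nist.gov/xccdf/"

# Constructed sample, not taken from the SSG build output.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1"
           xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
           id="sample_benchmark" resolved="1">
  <status>draft</status>
  <cpe-lang:platform-specification>
    <cpe-lang:platform id="sample_platform"/>
  </cpe-lang:platform-specification>
  <platform idref="cpe:/o:canonical:ubuntu_linux:14.04"/>
  <Group id="group_services">
    <platform idref="cpe:/o:canonical:ubuntu_linux:14.04"/>
    <Rule id="rule_sample_a" selected="true">
      <platform idref="cpe:/o:canonical:ubuntu_linux:14.04"/>
    </Rule>
  </Group>
</Benchmark>
"""


def strip_xccdf_platforms(xml_text):
    """Return (edited_xml, removed); removed lists (parent id, CPE idref)."""
    root = ET.fromstring(xml_text)
    removed = []
    # Snapshot the element list first so removals do not disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            tag = child.tag
            # Only XCCDF platform elements; cpe-lang:platform is kept.
            if tag.startswith(XCCDF_NS_PREFIX) and tag.endswith("}platform"):
                removed.append((parent.get("id"), child.get("idref")))
                parent.remove(child)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    edited, removed = strip_xccdf_platforms(SAMPLE_XCCDF)
    for parent_id, cpe in removed:
        print(f"removed platform {cpe} from {parent_id}")
```

With the platform elements gone the scanner no longer checks that the host matches the benchmark's target, so keep the edited copy separate from the built content.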

jesuslinares commented 7 years ago

If I remove the <platform> tag, I get 48 results: notchecked or notselected.

Can I generate the CPE dict that is missing?

Thanks a lot!

mpreisler commented 7 years ago

notchecked = OVAL check is not implemented for that rule
notselected = that rule is not selected as part of the profile you are using

Make sure you are using the right profile. Use oscap info or SCAP Workbench to find the list of profiles.
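To see ahead of a scan which rules will come back notselected or notchecked under the definitions in the comment above, the benchmark can be inspected directly. This is an added example, not code from the thread or the project: the sample document, its `sample_*` ids and the function name are constructed, only direct `<check>` children are considered, and platform applicability is ignored.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.1}"  # "Checklist version: 1.1"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample; the first rule mirrors a rule whose OVAL check was
# dropped at build time and which keeps only its OCIL check.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample_benchmark">
  <Profile id="common">
    <select idref="service_rsyslog_enabled" selected="true"/>
    <select idref="sample_rule_with_oval" selected="true"/>
    <select idref="sample_rule_in_unselected_group" selected="true"/>
    <select idref="sample_unselected_group" selected="false"/>
  </Profile>
  <Group id="sample_group">
    <Rule id="service_rsyslog_enabled" selected="false">
      <check system="http://scap.nist.gov/schema/ocil/2"/>
    </Rule>
    <Rule id="sample_rule_with_oval" selected="false">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
    </Rule>
    <Rule id="sample_rule_not_in_profile" selected="false">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
    </Rule>
  </Group>
  <Group id="sample_unselected_group">
    <Rule id="sample_rule_in_unselected_group" selected="false">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
    </Rule>
  </Group>
</Benchmark>
"""


def predict_results(xml_text, profile_id):
    """Map rule id -> 'notselected', 'notchecked' or 'evaluated'."""
    root = ET.fromstring(xml_text)
    profiles = [p for p in root.iter(NS + "Profile") if p.get("id") == profile_id]
    if not profiles:
        raise ValueError(f"profile {profile_id!r} not found")
    # Profile <select> elements override the selected attribute of an item.
    overrides = {s.get("idref"): s.get("selected") in ("true", "1")
                 for s in profiles[0].findall(NS + "select")}
    results = {}

    def walk(node, parent_selected):
        for item in node:
            if item.tag not in (NS + "Group", NS + "Rule"):
                continue
            default = item.get("selected", "true") in ("true", "1")
            # An item counts only if it and every enclosing group are selected.
            selected = parent_selected and overrides.get(item.get("id"), default)
            if item.tag == NS + "Group":
                walk(item, selected)
            elif not selected:
                results[item.get("id")] = "notselected"
            elif not any(c.get("system") == OVAL_SYSTEM
                         for c in item.findall(NS + "check")):
                results[item.get("id")] = "notchecked"
            else:
                results[item.get("id")] = "evaluated"

    walk(root, True)
    return results


if __name__ == "__main__":
    for rule_id, outcome in predict_results(SAMPLE_XCCDF, "common").items():
        print(f"{outcome:12} {rule_id}")
```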

jesuslinares commented 7 years ago

I'm running the policy with all profiles...

Any help to update the Trusty package to support OVAL 5.11?

pthierry38 commented 7 years ago

If you wish to update the libopenscap8 package (to support OVAL 5.11), the easiest way is to get back the source package from xenial (apt-get source libopenscap8 from a xenial host or chroot) and rebuild it (using dpkg-buildpackage -uc -us) after having updated the debian/changelog file to target trusty instead of xenial. Remember to check the debian/control file for the list of build-depends.

I haven't built an openscap package on trusty but I've already built an openscap 1.2.8 from sources (without the packaging) and it worked.

I can't build one this evening (GMT+2) but if you don't manage to build one I will generate a package for trusty tomorrow evening.

jesuslinares commented 7 years ago

Hi @pthierry38

That would be awesome! Updating the Trusty package is necessary. I'm not familiar with deb packages, so I prefer to wait till you update it. If, in the end, you don't have time or whatever, I will do it.

Thanks a lot!

pthierry38 commented 7 years ago

K. I will try to do that this evening. I'm also merging Debian and Ubuntu in the shared XCCDF guide. I've nearly finished. Will try to propose a merge request for this and for Debian 9 next week. This will start ANSSI req support for other OSes and make it possible to get NIST/DISA/... support for deb-based.

jesuslinares commented 7 years ago

Great! Please let me know when it is ready. Thanks for the effort!

pthierry38 commented 7 years ago

I've built the trusty packages based on the Xenial source package. You can get it here: https://www.reseau-libre.net/openscap.tar.gz The tarball contains all the source+bin packages, the .changes, .dsc, and source tarballs so that you can rebuild it if needed. The package has been compiled with libdbus-1-dev so that the services check will work, as the systemd probes have been compiled (this is not the case for the trusty and xenial official packages). If you wish to install only the oscap probes, just install libopenscap8_1.2.8-1_amd64.deb (using dpkg -i).

jesuslinares commented 7 years ago

Thanks a lot! It works perfectly. The ssg policy runs with no errors.

I hope the Ubuntu team updates the official package.