Closed shawndwells closed 5 years ago
Full report below. Need to download and remove .txt extension:
also - SCAP 1.3 test suite can be downloaded here:
Executed with something similar to:
java -jar scapval-1.3.2.jar -scapversion 1.3 -file /var/www/html/github/openscap/scap-security-guide/build/ssg-rhel7-ds.xml
Currently the test suite errors on Linux and OSX. Have informed NIST.
@dahaic + @mpreisler here is the punch list of what's left for SCAP 1.3 conformance. Seems like low effort.
NIST has rejected the Red Hat SCAP content since it does not conform to SCAP 1.3.
What's the ETA on 1.3 conformance?
@shawndwells just to get a cleaner view of the problem - will NIST now accept only SCAP 1.3 content? Or is there a way to publish it as SCAP 1.2 content?
According to 1.4 in https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.7511r5.pdf:
This publication supersedes the Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements revision 4. The previous revisions of the program for SCAP 1.0 and 1.1 have been also deprecated.
which reads as if NIST will only accept 1.3 considering 1.2 validation requirements are deprecated.
@redhatrises eh, right, I have been checking the wrong document for this statement. Thanks for the clarification!
Can publish SCAP 1.2. But many of our RHEL probes (systemd) require OVAL 5.11/SCAP 1.3.
@shawndwells Do you still have the environment where scapval-1.3.2.jar
runs correctly? Could you try it over 0.1.43 release?
On 3/4/19 10:18 AM, Watson Yuuma Sato wrote:
@shawndwells https://github.com/shawndwells Do you still have the environment where scapval-1.3.2.jar runs correctly? Could you try it over 0.1.43 release?
Works on any RHEL host:
$ sudo yum install -y java-1.6.0-openjdk
$ mkdir /tmp/scapval && cd /tmp/scapval
$ wget https://csrc.nist.gov/CSRC/media/Projects/Security-Content-Automation-Protocol/tools/scap/1.3/SCAP-Content-Validation-Tool-1.3.2.zip
$ unzip SCAP-Content-Validation-Tool-1.3.2.zip
$ wget http://people.redhat.com/swells/ssg-rhel7-1.3-ds.xml
$ ./scapval.sh -online -scapversion 1.3 -file ssg-rhel7-1.3-ds.xml
Replacing the datastream with the SSG one.
===== edit: updated to reflect syntax
Heh, it runs on RHEL but not on Fedora, and BTW it needs to be version 1.8.0.
Hmmm. Try creating a file called scapval.sh
with the following content:
(code provided by Dragos at NIST)
#!/bin/bash
# Wrapper for scapval: use the JDK pointed to by JAVA_HOME when it is set,
# otherwise fall back to whatever java is first on PATH.
if [ -z "$JAVA_HOME" ]; then
# JAVA_HOME is not set, just use the system java
echo "no JAVA_HOME or empty string"
RUN="java"
else
echo "found JAVA_HOME and it's $JAVA_HOME"
RUN="$JAVA_HOME/bin/java"
#MY_SCRIPT_VARIABLE="$PWD"
fi
# Print the Java version first so a wrong JDK is obvious in the output
"$RUN" -version
echo " "
# Forward all arguments (e.g. -online -scapversion 1.3 -file ...) to scapval
"$RUN" -Djava.protocol.handler.pkgs=sun.net.www.protocol -jar scapval-1.3.2.jar "$@"
And then on a freshly installed RHEL VM:
$ sudo yum install -y java-1.6.0-openjdk
$ mkdir /tmp/scapval && cd /tmp/scapval
$ wget https://csrc.nist.gov/CSRC/media/Projects/Security-Content-Automation-Protocol/tools/scap/1.3/SCAP-Content-Validation-Tool-1.3.2.zip
$ unzip SCAP-Content-Validation-Tool-1.3.2.zip
$ chmod +x scapval.sh
$ ./scapval.sh -online -scapversion 1.3 -file /path/to/datastream
For RHEL8, tried to validate against SCAP 1.3 but received error:
2019-03-05 00:47:19 ERROR SCAP version specified on command line 1.3 Does not match what was found in the specified content [[Attribute: scap-version="1.2"]]
Re-ran the test suite as SCAP 1.2:
./scapval.sh -online -scapversion 1.2 -file ssg-rhel8-ds.xml
Generated reports attached.
And for RHEL 7 - files attached Archive 2.zip
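The error above comes from scapval refusing a -scapversion that disagrees with the scap-version attribute declared on the data stream's ds:data-stream element. The helper below is an added example (not code from this issue or from the ComplianceAsCode project) that reads that attribute and builds the matching scapval.sh invocation, so a 1.2 data stream is never validated as 1.3 by mistake. The sample data-stream headers it creates are constructed here and are not real SSG content; the scapval.sh name matches the wrapper script earlier in the thread.

```shell
#!/bin/sh
# Added example, not part of the issue or the ComplianceAsCode project.
# Reads the scap-version attribute from a source data stream and builds
# the scapval.sh command line that matches it.

# Print the scap-version attribute of the first <ds:data-stream> element
# (e.g. "1.2" or "1.3"); prints nothing if the attribute is absent.
detect_scap_version() {
    sed -n 's/.*scap-version="\([0-9][0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Build (but do not execute) the scapval invocation for a data stream.
# Fails with a message when no version can be detected, instead of
# guessing and letting scapval reject the file later.
scapval_cmd() {
    ver=$(detect_scap_version "$1")
    if [ -z "$ver" ]; then
        echo "error: no scap-version attribute found in $1" >&2
        return 1
    fi
    printf './scapval.sh -online -scapversion %s -file %s\n' "$ver" "$1"
}

# Constructed sample data-stream headers used to exercise the helpers.
# The ds namespace is the real SCAP source data stream namespace; the ids
# are placeholders and the files contain no actual checks.
SAMPLE12=$(mktemp)
SAMPLE13=$(mktemp)
NOVER=$(mktemp)
trap 'rm -f "$SAMPLE12" "$SAMPLE13" "$NOVER"' EXIT

cat > "$SAMPLE12" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" id="example_collection_12">
  <ds:data-stream id="example_datastream_12" scap-version="1.2" use-case="OTHER">
  </ds:data-stream>
</ds:data-stream-collection>
EOF

cat > "$SAMPLE13" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" id="example_collection_13">
  <ds:data-stream id="example_datastream_13" scap-version="1.3" use-case="OTHER">
  </ds:data-stream>
</ds:data-stream-collection>
EOF

cat > "$NOVER" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" id="example_collection_none">
</ds:data-stream-collection>
EOF

# Usage: show the command that would be run for each constructed sample.
scapval_cmd "$SAMPLE12"
scapval_cmd "$SAMPLE13"
scapval_cmd "$NOVER" || echo "(as expected, no version to validate against)"
```

Run it against a real build output (for example ssg-rhel8-ds.xml from the build directory) by calling scapval_cmd on that path; the printed line is the exact scapval.sh command to run, with -scapversion taken from the file rather than typed by hand.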
Regarding 1.2 compliance, errors reported in both Archives seem to be caused by OVAL 5.11. When built with OVAL 5.10, RHEL content passes SCAP 1.2 compliance with scapval 1.2 and 1.3.2. And https://github.com/ComplianceAsCode/content/pull/4053 should handle issues with RHV4 and RHOSP13 and SCAP-1.2 compliance.
This should be fixed by #4302
Ran the NIST SCAP 1.3 validation tool. Following are the remaining errors: