ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

SCAP 1.3 Validation #3144

Closed shawndwells closed 5 years ago

shawndwells commented 6 years ago

Ran the NIST SCAP 1.3 validation tool. Following are the remaining errors:

| Requirement # | Summary | Result |
| --- | --- | --- |
| SRC-330 | If applicable, each component SHALL validate against its associated Schematron schema. For the SCAP source data stream collection, it SHALL validate against the version of the SCAP Schematron rules as specified on the element's @schematron-version attribute, and it SHOULD also validate against the latest Schematron rules. | Fail |
| SRC-377 | When implementing a patches up-to-date XCCDF rule that checks for patches via a single OVAL patch class definition, the following approach SHALL be used: The source data stream SHALL include the OVAL source data stream component referenced by the patches up-to-date rule, which contains one or more OVAL patch class definitions, and MAY contain other class definitions. | Fail |
| SRC-379 | When implementing a patches up-to-date XCCDF rule that checks for patches via a single OVAL definition, the following approach SHALL be used: Each element SHALL refer to the single OVAL definition performing the patches up-to-date check. | Fail |
shawndwells commented 6 years ago

Full report below. Need to download and remove .txt extension:

SCAPVal Validation Report.html.txt

shawndwells commented 6 years ago

Also, the SCAP 1.3 test suite can be downloaded here:

https://csrc.nist.gov/CSRC/media/Projects/Security-Content-Automation-Protocol/tools/scap/1.3/SCAP-Content-Validation-Tool-1.3.2.zip

Executed with something similar to:

java -jar scapval-1.3.2.jar -scapversion 1.3 -file /var/www/html/github/openscap/scap-security-guide/build/ssg-rhel7-ds.xml

Currently the test suite errors on Linux and OSX. Have informed NIST.

shawndwells commented 6 years ago

@dahaic + @mpreisler here is the punch list of what's left for SCAP 1.3 conformance. Seems like low effort.

shawndwells commented 5 years ago

NIST has rejected the Red Hat SCAP content since it does not conform to SCAP 1.3.

What's the ETA on 1.3 conformance?

dahaic commented 5 years ago

@shawndwells just to get a cleaner view of the problem: will NIST now accept only SCAP 1.3 content? Or is there a way to publish it as SCAP 1.2 content?

redhatrises commented 5 years ago

According to section 1.4 in https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.7511r5.pdf: "This publication supersedes the Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements revision 4. The previous revisions of the program for SCAP 1.0 and 1.1 have been also deprecated." That reads as if NIST will only accept 1.3, considering the 1.2 validation requirements are deprecated.

dahaic commented 5 years ago

@redhatrises eh, right, I have been checking the wrong document for this statement. Thanks for the clarification!

shawndwells commented 5 years ago

Can publish SCAP 1.2. But many of our RHEL probes (systemd) require OVAL 5.11/SCAP 1.3.

yuumasato commented 5 years ago

@shawndwells Do you still have the environment where scapval-1.3.2.jar runs correctly? Could you try it over 0.1.43 release?

shawndwells commented 5 years ago

On 3/4/19 10:18 AM, Watson Yuuma Sato wrote:

@shawndwells https://github.com/shawndwells Do you still have the environment where scapval-1.3.2.jar runs correctly? Could you try it over 0.1.43 release?

Works on any RHEL host:

$ sudo yum install -y java-1.6.0-openjdk
$ mkdir /tmp/scapval && cd /tmp/scapval
$ wget https://csrc.nist.gov/CSRC/media/Projects/Security-Content-Automation-Protocol/tools/scap/1.3/SCAP-Content-Validation-Tool-1.3.2.zip
$ unzip SCAP-Content-Validation-Tool-1.3.2.zip
$ wget http://people.redhat.com/swells/ssg-rhel7-1.3-ds.xml
$ ./scapval.sh -online -scapversion 1.3 -file ssg-rhel7-1.3-ds.xml

Replacing the datastream with the SSG one.

===== edit: updated to reflect syntax

yuumasato commented 5 years ago

Heh, it runs on RHEL but not on Fedora, and BTW it needs to be version 1.8.0.

shawndwells commented 5 years ago

Hmmm. Try creating a file called scapval.sh with the following content: (code provided by Dragos at NIST)

#!/bin/bash
# Wrapper around scapval: prefer the JDK pointed to by JAVA_HOME, else the system java.

if [ -z "$JAVA_HOME" ]; then
    # JAVA_HOME is not set, just use the system java on PATH
    echo "no JAVA_HOME or empty string"
    RUN="java"
else
    echo "found JAVA_HOME and it is:"
    echo "$JAVA_HOME"
    RUN="$JAVA_HOME/bin/java"

  #MY_SCRIPT_VARIABLE="$PWD"
fi

# Print the JVM in use so a wrong version (see the 1.8.0 note above) is obvious in the log.
"$RUN" -version

echo " "

# Pass every command-line argument (-online, -scapversion, -file ...) straight through to scapval.
"$RUN" -Djava.protocol.handler.pkgs=sun.net.www.protocol -jar scapval-1.3.2.jar "$@"

And then on a freshly installed RHEL VM:

$ sudo yum install -y java-1.6.0-openjdk

$ mkdir /tmp/scapval && cd /tmp/scapval

$ wget https://csrc.nist.gov/CSRC/media/Projects/Security-Content-Automation-Protocol/tools/scap/1.3/SCAP-Content-Validation-Tool-1.3.2.zip

$ unzip SCAP-Content-Validation-Tool-1.3.2.zip

$ chmod +x scapval.sh

$ ./scapval.sh -online -scapversion 1.3 -file /path/to/datastream

shawndwells commented 5 years ago

For RHEL8, tried to validate against SCAP 1.3 but received error:

2019-03-05 00:47:19 ERROR SCAP version specified on command line 1.3 Does not match what was found in the specified content [[Attribute: scap-version="1.2"]]

Re-ran the test suite as SCAP 1.2:

./scapval.sh -online -scapversion 1.2 -file ssg-rhel8-ds.xml

Generated reports attached.

Archive.zip

shawndwells commented 5 years ago

And for RHEL 7 - files attached Archive 2.zip

yuumasato commented 5 years ago

Regarding 1.2 compliance, errors reported in both archives seem to be caused by OVAL 5.11. When built with OVAL 5.10, RHEL content passes SCAP 1.2 compliance with scapval 1.2 and 1.3.2. And https://github.com/ComplianceAsCode/content/pull/4053 should handle issues with RHV4 and RHOSP13 and SCAP 1.2 compliance.
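The two failure modes discussed in this thread (the `-scapversion` flag not matching the data stream's declared `scap-version`, and OVAL 5.11 content inside a stream validated as SCAP 1.2) can both be caught before scapval is even launched. The following pre-flight checker is an added example, not code from the issue or from the ComplianceAsCode project; the sample data stream it inspects is constructed inline, and the OVAL ceiling per SCAP release (5.10 for 1.2, 5.11 for 1.3) is taken from SP 800-126 rev 2 / rev 3.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",  # ds namespace is unchanged in SCAP 1.3
    "oval": "http://oval.mitre.org/XMLSchema/oval-common-5",
    "odef": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}
# Highest OVAL schema version each SCAP release permits (SP 800-126 rev 2 / rev 3).
MAX_OVAL = {"1.2": (5, 10), "1.3": (5, 11)}

def oval_version(text):
    """'5.11.1' -> (5, 11); only major.minor matters for the SCAP mapping."""
    return tuple(int(p) for p in text.strip().split(".")[:2])

def check_datastream(xml_text, requested):
    """Return findings that a scapval run with -scapversion <requested> would trip over."""
    findings = []
    root = ET.fromstring(xml_text)
    for stream in root.findall("ds:data-stream", NS):
        declared = stream.get("scap-version")
        if declared != requested:
            findings.append(f"{stream.get('id')}: declares scap-version={declared}, "
                            f"validating as {requested}")
    for comp in root.findall("ds:component", NS):
        node = comp.find("odef:oval_definitions/odef:generator/oval:schema_version", NS)
        if node is not None and oval_version(node.text) > MAX_OVAL[requested]:
            findings.append(f"{comp.get('id')}: OVAL {node.text.strip()} exceeds "
                            f"{'.'.join(map(str, MAX_OVAL[requested]))} allowed by SCAP {requested}")
    return findings

# Constructed, minimal data stream (not a real SSG build): declares SCAP 1.2 but its
# OVAL component was generated at schema 5.11, the combination seen in this thread.
SAMPLE = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
  id="scap_org.example_collection_sample">
  <ds:data-stream id="scap_org.example_datastream_sample" scap-version="1.2" use-case="OTHER"/>
  <ds:component id="scap_org.example_comp_oval" timestamp="2019-03-05T00:00:00">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <generator><oval:schema_version>5.11</oval:schema_version></generator>
    </oval_definitions>
  </ds:component>
</ds:data-stream-collection>"""

if __name__ == "__main__":
    for version in ("1.2", "1.3"):
        print(version, check_datastream(SAMPLE, version))
```

Running it against a real build would mean reading the XML from a file instead of `SAMPLE`; an empty list from `check_datastream` means the stream is consistent with the version you are about to validate as.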

yuumasato commented 5 years ago

This should be fixed by #4302