OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

Failure while evaluating Ubuntu 16.04 using DISA STIG #1716

Closed compete2cooperate closed 3 years ago

compete2cooperate commented 3 years ago

We are trying to evaluate Ubuntu 16.04 using openscap with DISA STIG as reference/benchmark (downloaded from https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_16-04_LTS_V2R2_STIG.zip) but we are getting all results as "notchecked". Not sure if we are missing anything. Any help is highly appreciated.

Thanks!

Description of Problem: We are trying to evaluate Ubuntu 16.04 using openscap with DISA STIG as reference/benchmark (downloaded from https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_16-04_LTS_V2R2_STIG.zip) but we are getting all results as "notchecked".

OpenSCAP Version: 1.2.15

Operating System & Version: Ubuntu 16.04 LTS

Steps to Reproduce:

  1. We executed oscap xccdf eval --profile MAC-1_Classified --report /tmp/report.html --cpe /usr/share/scap-security-guide/ssg-ubuntu1604-cpe-dictionary.xml U_CAN_Ubuntu_16-04_LTS_STIG_V2R2_Manual-xccdf.xml
  2. But all of the results are "notchecked"

Actual Results:

Title: The Ubuntu operating system must disable all wireless network adapters.
Rule: SV-219346r610963_rule
Ident: SV-110017, V-100913, CCI-002418
Result: notchecked

Title: The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
Rule: SV-233779r610963_rule
Ident: CCI-000366
Result: notchecked

Title: The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.
Rule: SV-233780r610963_rule
Ident: CCI-000366
Result: notchecked

Expected Results: Result with either pass or fail

Additional Information / Debugging Steps:

evgenyz commented 3 years ago

Please run it in debugging mode and attach the resulting log.

oscap xccdf eval --verbose DEVEL --profile MAC-1_Classified --report /tmp/report.html --cpe /usr/share/scap-security-guide/ssg-ubuntu1604-cpe-dictionary.xml U_CAN_Ubuntu_16-04_LTS_STIG_V2R2_Manual-xccdf.xml

compete2cooperate commented 3 years ago

Hi @evgenyz, thanks for such a quick response.

We issued the following command: oscap xccdf eval --verbose DEVEL --verbose-log-file /tmp/xccdf.log --profile MAC-1_Classified --report /tmp/report.html --cpe /usr/share/scap-security-guide/ssg-ubuntu1604-cpe-dictionary.xml U_CAN_Ubuntu_16-04_LTS_STIG_V2R2_Manual-xccdf.xml

Please find the xccdf.log as verbose-log-file xccdf.log

ggbecker commented 3 years ago

> Hi @evgenyz, thanks for such a quick response.
>
> We issued the following command: oscap xccdf eval --verbose DEVEL --verbose-log-file /tmp/xccdf.log --profile MAC-1_Classified --report /tmp/report.html --cpe /usr/share/scap-security-guide/ssg-ubuntu1604-cpe-dictionary.xml U_CAN_Ubuntu_16-04_LTS_STIG_V2R2_Manual-xccdf.xml
>
> Please find the xccdf.log as verbose-log-file xccdf.log

The file U_CAN_Ubuntu_16-04_LTS_STIG_V2R2_Manual-xccdf.xml is a manual benchmark checklist and does not contain any automated content that can be consumed by the scanner.

Please refer to SCAP content provided by DISA here: https://public.cyber.mil/stigs/scap/

In your case it should be this file: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_16-04_LTS_V2R2_STIG_SCAP_1-2_Benchmark.zip

I'm going to close the issue since it doesn't seem to be related to a problem with the scanner itself.
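
A pre-scan check for the situation described in this thread, as an added example that is not part of any comment here and is not OpenSCAP project code: it parses an XCCDF benchmark and reports which rules reference an automated check and which carry only manual check text. It assumes the OVAL and SCE check-system URIs are the ones the scanner can evaluate; the `SAMPLE` benchmark and its ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: check systems the scanner can evaluate automatically.
AUTOMATED_SYSTEMS = {
    "http://oval.mitre.org/XMLSchema/oval-definitions-5",  # OVAL
    "http://open-scap.org/page/SCE",                       # Script Check Engine
}

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]

def classify_rules(xccdf_text):
    """Map each Rule id to True if it has an automated check, else False."""
    root = ET.fromstring(xccdf_text)
    result = {}
    for rule in (e for e in root.iter() if local(e.tag) == "Rule"):
        checks = [c for c in rule.iter() if local(c.tag) == "check"]
        # Automated means: a known check system AND a reference to external content.
        result[rule.get("id")] = any(
            c.get("system") in AUTOMATED_SYSTEMS
            and any(local(r.tag) == "check-content-ref" and r.get("href") for r in c)
            for c in checks
        )
    return result

def summarize(xccdf_text):
    """Return (automated_count, manual_only_count) for the benchmark."""
    rules = classify_rules(xccdf_text)
    automated = sum(rules.values())
    return automated, len(rules) - automated

# Constructed sample: one manual-only rule and one rule backed by OVAL content.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Group id="V-1"><Rule id="manual_rule">
    <check system="C-0000_chk"><check-content>Verify by hand ...</check-content></check>
  </Rule></Group>
  <Group id="V-2"><Rule id="oval_rule">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/>
    </check>
  </Rule></Group>
</Benchmark>"""

if __name__ == "__main__":
    auto, manual = summarize(SAMPLE)
    print(f"automated: {auto}, manual-only: {manual}")
```

A benchmark for which `summarize` reports zero automated rules will produce only "notchecked" results, whatever profile or CPE dictionary is passed to the scanner.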