OpenSCAP / openscap

NIST Certified SCAP 1.2 toolkit
https://www.open-scap.org/tools/openscap-base
GNU Lesser General Public License v2.1

SCE Results not included in report when SCE scripts are in a subdirectory #919

Closed uzseb closed 9 months ago

uzseb commented 6 years ago

When calling SCE scripts from XCCDF and when these scripts are in a subdirectory, the report doesn't have the script output. The report works but with an error message "I/O warning : failed to load external entity ..."

XCCDF rule

        <Rule id="rule-XCCDF_RESULT_PASS" selected="true">
                <title>XCCDF_RESULT_PASS Title</title>
                <check id="check-XCCDF_RESULT_PASS" system="http://open-scap.org/page/SCE">
                        <check-import import-name="stdout" />
                        <check-content-ref href="script/XCCDF_RESULT_PASS.sh" />
                </check>
        </Rule>

At the execution

        root@srvcentos7 test_scap]# oscap xccdf eval --results script-xccdf.result.xml --report script-xccdf.report.html --check-engine-results script-xccdf.xml
        Title   XCCDF_RESULT_PASS Title
        Rule    rule-XCCDF_RESULT_PASS
        Result  pass
        ...
        I/O warning : failed to load external entity "/root/test_scap/scripts/XCCDF_RESULT_PASS.sh.result.xml"
        root@srvcentos7 test_scap]#

The test is executed, but there is no output in the report.

Hint: The generation of the XML SCE results is using the basename; the report generation is using the path.

        [root@srvcentos7 ~]# date
        Fri Nov 24 14:31:50 CET 2017
        [root@srvcentos7 ~]# uname -a
        Linux srvcentos7.local 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
        [root@srvcentos7 ~]# cat /etc/redhat-release
        CentOS Linux release 7.4.1708 (Core)
        [root@srvcentos7 ~]# oscap -V | head -14
        OpenSCAP command line tool (oscap) 1.2.14
        Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

        ==== Supported specifications ====
        XCCDF Version: 1.2
        OVAL Version: 5.11.1
        CPE Version: 2.3
        CVSS Version: 2.0
        CVE Version: 2.0
        Asset Identification Version: 1.1
        Asset Reporting Format Version: 1.1

        ==== Capabilities added by auto-loaded plugins ====
        SCE Version: 1.0 (from libopenscap_sce.so.8)
        [root@srvcentos7 ~]#

In bouillabaisse, we trust
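A way to check the mismatch described in the hint above, as an added example that is not part of the original report or of OpenSCAP's code: it lists, for each SCE `check-content-ref` in an XCCDF file, the result path in the form shown in the I/O warning and the basename-only path the reporter suspects, and whether each file exists. The function names, the `results_dir` parameter and the sample benchmark are assumptions made for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

SCE_SYSTEM = "http://open-scap.org/page/SCE"  # check system URI from the rule above


def local(tag):
    """Drop the XML namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def sce_result_paths(xccdf_path, results_dir="."):
    """List both candidate result-file locations for every SCE check.
    report_path follows the form seen in the I/O warning (XCCDF dir + href);
    basename_path follows the reporter's hint (results_dir is an assumption).
    """
    base = os.path.dirname(os.path.abspath(xccdf_path))
    rows = []
    for check in ET.parse(xccdf_path).iter():
        if local(check.tag) != "check" or check.get("system") != SCE_SYSTEM:
            continue
        for ref in (r for r in check if local(r.tag) == "check-content-ref"):
            href = ref.get("href", "")
            report = os.path.join(base, href + ".result.xml")
            flat = os.path.join(results_dir, os.path.basename(href) + ".result.xml")
            rows.append({"href": href, "report_path": report, "basename_path": flat,
                         "report_exists": os.path.isfile(report),
                         "basename_exists": os.path.isfile(flat)})
    return rows


def demo():
    """Constructed sample: one SCE rule whose script sits in a subdirectory."""
    xccdf = ('<Benchmark><Rule id="rule-XCCDF_RESULT_PASS" selected="true">'
             '<check system="%s"><check-import import-name="stdout"/>'
             '<check-content-ref href="script/XCCDF_RESULT_PASS.sh"/>'
             '</check></Rule></Benchmark>' % SCE_SYSTEM)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "script-xccdf.xml")
        with open(path, "w") as f:
            f.write(xccdf)
        # Simulate a result file that was written under the basename only.
        open(os.path.join(d, "XCCDF_RESULT_PASS.sh.result.xml"), "w").close()
        return sce_result_paths(path, results_dir=d)


if __name__ == "__main__":
    print(demo())
```

A row with `basename_exists` true and `report_exists` false matches the symptom in this report: the check ran, but the report generator cannot find its output.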

dahaic commented 6 years ago

Hello @uzseb, does the /root/test_scap/scripts/ directory exist? Also, I noticed that in the first example there's href="script/XCCDF_RESULT_PASS.sh", and in the second it's scripts/XCCDF_RESULT_PASS.sh.result.xml that's missing (notice script/scripts).

Can you check this? Thanks for the report!

jan-cerny commented 6 years ago

@dahaic The problem could be that scripts/XCCDF_RESULT_PASS.sh.result.xml should be generated by oscap.

jan-cerny commented 6 years ago

@uzseb I'm afraid that I can't reproduce your issue. What input do you use? Do you use plain XCCDF or a datastream?