Closed jaedolph closed 4 years ago
JAORMX
commented
4 years ago The file is bziped and base64ed. So you need to decode the CM's contents with base64 and then decompress it.
Alternatively, there is a PV that contains the bziped files. We're still working on a better way to expose the raw results so folks can consume that. But, for now, do oc get pv, you can mount that on a pod and then extract it.
jaedolph
commented
4 years ago Hi @JAORMX, thanks for the quick response. I was able to parse the ARF report successfully after doing a base64 -d masters-scan-master1.fqdn-pod.xml.bzip2 > results.xml.bzip2 before extracting. Would it be worth documenting that the ARF files are base64 encoded in the README?
Still looks like there are issues with the xxcdf report from the ConfigMap though
jhrozek
commented
4 years ago Hi @JAORMX, thanks for the quick response. I was able to parse the ARF report successfully after doing a
base64 -d masters-scan-master1.fqdn-pod.xml.bzip2 > results.xml.bzip2before extracting. Would it be worth documenting that the ARF files are base64 encoded in the README?
I opened PR #214 to address this.
Still looks like there are issues with the xxcdf report from the ConfigMap though
What issue exactly? The one with the oscap xccdf generate ?
jaedolph
commented
4 years ago What issue exactly? The one with the
oscap xccdf generate
Yes, I cannot convert the xccdf xml into a html report. Don't have this issue with the ARF file
jhrozek
commented
4 years ago What issue exactly? The one with the
oscap xccdf generateYes, I cannot convert the xccdf xml into a html report. Don't have this issue with the ARF file
So, I asked the OpenSCAP developers and it seems that this is sort of expected. I'll paste the conversation here, there's nothing private in it anyway:
We have filed issues from people trying to generate reports based on our XCCDF results with oscap xccdf generate report . Can anyone check what could be wrong?
$ oscap xccdf generate report results > results.html
No cdf:Benchmark ID specified and no suitable candidate has been autodetected.
OpenSCAP Error:: Could not apply XSLT /usr/share/openscap/xsl/xccdf-report.xsl to XML file: results [/builddir/build/BUILD/openscap-1.3.2/src/source/xslt.c:177]
the xccdf is produced from arf using ds-split
Jan Cerny,
I think it needs either ARF or XCCDF file that contains the original Benchmark
Jakub Hrozek,
Sounds plausible, does it mean that the XCCDF as produces by the ds-split is too bare-bone and to generate results, one should just use the ARF in the first place?
Jan Cerny,
Yes, I think so. To generate the HTML report oscap needs both the file with results and the input content with input rules. But, the file extracted by oscap ds-rds split contains only the results, doesn't contain input rules. To generate HTML report by oscap xccdf generate report you need to pass either ARF or full XCCDF results (created by oscap xccdf eval --results). Using ARF has an advantage that the generated HTML will contain also the details about objects found on the scanned system.
Jakub Hrozek,
great, thanks a lot. I'll pass this along to the ticketSo, maybe we just need to document that in order to generate results, you need to use the ARF? btw there is a reason we split the XCCDF to be so small, it's because we need to correlate all the XCCDF results from all scans across machines that are scanned with a single ComplianceScan and we do it by putting the results in a ConfigMap (yeah..not the cleanest way, but we couldn't find anything better..). So it makes sense from that point of view to keep only the smallest possible subset of results in the XCCDF.
JAORMX
commented
4 years ago Is this still an issue?
hugohdz89
commented
4 years ago Hello all, just to share what I did to get the HTML report.
$ oc exec pods/pv-extract -- ls /workers-scan-results/0 ocp4-cis-api-checks-pod.xml.bzip2 $ oc cp pv-extract:/workers-scan-results .
Then
$ bunzip2 -c ocp4-cis-api-checks-pod.xml.bzip2 > ocp4-cis-api-checks-pod.xml
$ yum install -y openscap openscap-scanner
$ oscap xccdf generate report ocp4-cis-api-checks-pod.xml > ocp4-cis-api-checks-pod.html
With above steps I could convert the XML into HTML report.
JAORMX
commented
4 years ago @hugohdz89 by the way, if it helps, here's a tool that'll help download the reports as well https://github.com/JAORMX/oc-compliance
Attempted to run a scan using the example procedure in the README.
I ran this in a development environment with 1 master and 2 worker nodes.
Seems like the scan ran with no reported error, and the scan reports as DONE. This is what the compliance suite CR looks like once the scan is done: (output of
oc get compliancesuites example-compliancesuite -oyaml)I can also download the XML results using the
oc extract cm/masters-scan-master1.fqdn.podWhen I try and convert this to a html report, i get this issue:
Is there any additional steps I would need to do in order to convert the XML to a html report?
Also, the ARF file results that were generated by the scans seem to be garbage/corrupted in some way. When I try to extract the
masters-scan-master1.fqdn-pod.xml.bzip2file bzip2 throws an error that it is not a valid bzip file.