
Checklist and ARF results not accepted by DISA STIG Viewer, STIG Manager, OpenRMF or Heimdall2

Open gmisura opened this issue 6 months ago • 7 comments

I'm wondering if I'm doing something wrong, but with "confirmation" that 3 of these tools don't like the results produced by oscap I feel pretty confident it's not me (?)

I'm generating --stig-viewer and --results-arf for both RHEL9 and AL2023:

AL2023:

wget -q https://github.com/ComplianceAsCode/content/releases/download/v0.1.76/scap-security-guide-0.1.76.zip
unzip -q scap-security-guide-0.1.76.zip
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --stig-viewer aws-al2023_ssg-results.ckl --results-arf aws-al2023_ssg-results.xml --report aws-al2023_ssg-report.html scap-security-guide-0.1.76/ssg-al2023-ds.xml

RHEL9:

wget -q https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R4_STIG_SCAP_1-3_Benchmark.zip
unzip -q U_RHEL_9_V2R4_STIG_SCAP_1-3_Benchmark.zip
oscap xccdf eval --stig-viewer ib-ubi9_disa-stig.ckl --results-arf ib-ubi9_disa-stig-results.xml --report ib-ubi9_disa-stig-report.html U_RHEL_9_V2R4_STIG_SCAP_1-3_Benchmark.xml

wget -q https://github.com/ComplianceAsCode/content/releases/download/v0.1.76/scap-security-guide-0.1.76.zip
unzip -q scap-security-guide-0.1.76.zip
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer ib-ubi9_ssg-result.ckl --results-arf ib-ubi9_ssg-results.xml --report ib-ubi9_ssg-report.html scap-security-guide-0.1.76/ssg-rhel9-ds.xml

STIG Manager says:
For file results.ckl: No CHECKLIST element
For file results.xml: No Benchmark or TestResult element

OpenRMF says:
results.ckl (I'll add these when I can)
results.xml (I'll add these when I can)

Heimdall2 says:
results.ckl - Control count: 0
results.xml - Control count: 0

oscap --version
OpenSCAP command line tool (oscap) 1.3.11

gmisura, May 19 '25 14:05

Hey! Can you please try with 1.3.12 (should be available any moment now on EUSes).

evgenyz, May 19 '25 15:05

I'm installing via

dnf install -y openscap-scanner

I do see that 1.3.12 is available now

[root@ip-172-31-40-160 openscap-1.4.2]# oscap --version
OpenSCAP command line tool (oscap) 1.3.12

Just reran and still not able to import the files into Heimdall2 (OpenRMF and STIG-Manager are not running at the moment so I can't confirm, but I feel like they will also fail).

How can I try 1.4.2? Downloaded https://github.com/OpenSCAP/openscap/releases/download/1.4.2/openscap-1.4.2.tar.gz but I guess I need to make it?

gmisura, May 19 '25 17:05

@gmisura you might also want to try using DISA's StigViewer application (available on public.cyber.mil) and/or any XML viewer application/text editor.

Amndeep7, May 20 '25 16:05

> @gmisura you might also want to try using DISA's StigViewer application (available on public.cyber.mil) and/or any XML viewer application/text editor.

Yeah, except I'm on a Mac. I'm confirming with my security team they are ok with me moving files from my work Mac to my personal PC so I can use the STIG viewer. Ugh!

gmisura, May 20 '25 16:05

If you are using the XML-based CKL files, then you can use the 2.x line of StigViewer to view your checklist file. You will need to install the JAR version and then download a Java runtime as well as some Java modules, but it is possible to run StigViewer 2.x off of your Mac.

Amndeep7, May 21 '25 02:05

I installed v2 of the STIG viewer. The .ckl says "Failed to load checklist. There was an error"

gmisura, May 23 '25 20:05

I installed v3.1 of the DISA STIG viewer onto a Windows VM and when I tried to load the .ckl into it, I got the same error.

gmisura, Jun 13 '25 01:06
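
The STIG Manager messages quoted in the first post ("No CHECKLIST element", "No Benchmark or TestResult element") describe which element the importer looked for. The following is an added example, not code from this thread or from the OpenSCAP project: it reports each result file's root element and which format that element belongs to. The function names are hypothetical and the three sample documents are constructed; the element and namespace names are those of the CKL, XCCDF and ARF formats.

```python
import sys
import xml.etree.ElementTree as ET

ARF_NS = "http://scap.nist.gov/schema/asset-reporting-format/1.1"
XCCDF_NS = ("http://checklists.nist.gov/xccdf/1.1",
            "http://checklists.nist.gov/xccdf/1.2")

# Constructed minimal samples, one per format (not real scan output).
SAMPLE_CKL = "<CHECKLIST><ASSET/><STIGS/></CHECKLIST>"
SAMPLE_XCCDF = ('<Benchmark xmlns="%s" id="b"><TestResult id="t"/></Benchmark>'
                % XCCDF_NS[1])
SAMPLE_ARF = ('<arf:asset-report-collection xmlns:arf="%s"><arf:reports>'
              '<arf:report id="r"><arf:content><TestResult xmlns="%s" id="t"/>'
              '</arf:content></arf:report></arf:reports>'
              '</arf:asset-report-collection>' % (ARF_NS, XCCDF_NS[1]))


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def classify(xml_text):
    """Return (format, root element name, number of XCCDF TestResult elements)."""
    root = ET.fromstring(xml_text)
    ns, local = split_tag(root.tag)
    results = sum(1 for el in root.iter()
                  if isinstance(el.tag, str)
                  and split_tag(el.tag) in [(n, "TestResult") for n in XCCDF_NS])
    if (ns, local) == ("", "CHECKLIST"):
        kind = "ckl"        # STIG Viewer checklist
    elif (ns, local) == (ARF_NS, "asset-report-collection"):
        kind = "arf"        # results are nested inside arf:content
    elif ns in XCCDF_NS and local in ("Benchmark", "TestResult"):
        kind = "xccdf"
    else:
        kind = "unknown"
    return kind, local, results


if __name__ == "__main__":
    # Usage: python3 classify_results.py FILE...  (your own scan outputs;
    # use a hardened parser for XML from untrusted sources).
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

Run against the `.ckl` and `.xml` files from the scan, it shows whether the root element is the one the importing tool reported as missing.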