openscap
Is OpenSCAP able to evaluate any system characteristics?
Hello everyone. I've been looking at the OpenSCAP -V flag and found out that there are no probes for Windows or IOS (at least, in this list. Maybe Windows probes are only included in the Windows build.). But it seems that with this command:
oscap oval analyse --results o.xml definition.xml system-characteristics.xml
I still get valid results even for Windows files. Does this mean that OpenSCAP can process results from the files definition.xml+system_characteristics.xml for any OVAL schema there is in the folder openscap/schemas/oval/5.11.2? What if I use probes from some commercial interpreter and analyze system_characteristics with the definition through OpenSCAP?
Hi, OpenSCAP should be able to consume any document as long as it complies with the OVAL specification. In general, it's able to process all schemas. Only during evaluation does it return notchecked if there is no probe implemented for some OVAL test. I think it should be possible to use the workflow you suggest and I'm not aware of limitations. However, I have never tried this workflow, so I don't know if it works properly.
@jan-cerny thank you for the answer. I tried to check IOS system_characteristics.xml (I wrote them myself) and it worked great. But then I tried to do this with the iosxe namespace and family and got this error:
oscap oval analyse --results o.xml iosxe-def.xml sys-char.xml
W: oscap: Unknown OVAL family: iosxe
Failed to import the OVAL Definitions from 'iosxe-def.xml'.
OpenSCAP Error: Unknown test type oval:datapk.ussc.ru-wincch:tst:2019001. [/home/centos/Develop/openscap/src/OVAL/oval_test.c:395]
As I said, for now I create the system-characteristics file manually by myself, so I may be wrong somewhere, but I found out that the file public/oval_types.h does not even have an OVAL_FAMILY_IOSXE variable (maybe there is some quick workaround if things are not hardcoded too much?).
The system characteristics, by the way, get a validation error while the definitions don't:
oscap oval validate --definitions iosxe-def.xml
oscap oval validate --syschar sys-char.xml
File 'sys-char.xml' line 37: Element '{http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#iosxe}line_item': This element is not expected. Expected is one of ( {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5}item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#aix}interim_fix_item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#aix}fileset_item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#aix}fix_item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#aix}no_item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#aix}oslevel_item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#apache}httpd_item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#catos}line_item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#catos}module_item, {http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#catos}version_item ).
File 'sys-char.xml' line 31: Element '{http://oval.mitre.org/XMLSchema/oval-system-characteristics-5}reference': No match found for key-sequence ['1'] of keyref '{http://oval.mitre.org/XMLSchema/oval-system-characteristics-5}itemKeyRef'.
OpenSCAP Error: Invalid OVAL System Characteristics (5.11.1) content in sys-char.xml. [/home/denis/Desktop/openscap-1.3.1/src/source/oscap_source.c:346]
Line 37:
<line_item id="1" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#iosxe" >
<config_line>nottest</config_line>
</line_item>
My files are in the attachment: iosxe.zip
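A pre-flight check for the offline workflow discussed above, as an added example that is not part of the thread or of OpenSCAP: it reads the family suffix of every item in a system-characteristics file and flags items whose family is outside a caller-supplied set. KNOWN_FAMILIES holds only the three families visible in the validator message above and is an assumption, the sample document is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SC_NS = "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"

# Constructed sample: the iosxe item quoted in the thread plus one catos item.
SAMPLE_SYSCHAR = f"""<oval_system_characteristics xmlns="{SC_NS}">
  <system_data>
    <line_item id="1" xmlns="{SC_NS}#iosxe">
      <config_line>nottest</config_line>
    </line_item>
    <line_item id="2" xmlns="{SC_NS}#catos">
      <config_line>constructed</config_line>
    </line_item>
  </system_data>
</oval_system_characteristics>"""

# Assumption: only the families visible in the validator message in the thread.
# Replace with the families your build of the consuming tool actually knows.
KNOWN_FAMILIES = {"aix", "apache", "catos"}


def split_tag(tag):
    """Split an ElementTree tag '{namespace}name' into (family, name)."""
    if not tag.startswith("{"):
        return "", tag                      # element without a namespace
    ns, _, name = tag[1:].partition("}")
    base, _, family = ns.partition("#")
    # A namespace outside the OVAL system-characteristics tree is reported whole.
    return (family if base == SC_NS else ns), name


def unsupported_items(xml_text, known=KNOWN_FAMILIES):
    """Return sorted (family, element, id) for items whose family is not in known."""
    root = ET.fromstring(xml_text)
    data = root.find(f"{{{SC_NS}}}system_data")
    flagged = []
    for item in ([] if data is None else list(data)):
        family, name = split_tag(item.tag)
        if family not in known:
            flagged.append((family, name, item.get("id", "")))
    return sorted(flagged)


if __name__ == "__main__":
    for family, name, item_id in unsupported_items(SAMPLE_SYSCHAR):
        print(f"item id={item_id}: {family}:{name} is not in the known family set")
```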
Are you still experiencing this bug?
@nrathaus I am not working in security anymore, so I don't know if it is still here