
OpenSCAP doesn't appear to support service_test

Open nrathaus opened this issue 5 years ago • 5 comments

Description of Problem:

OpenSCAP doesn't appear to support service_test, example:

<service_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows" check="all" check_existence="at_least_one_exists" comment="Check if HidServ service is running" id="oval:org.mitre.oval:tst:100270" version="1">
  <object object_ref="oval:org.mitre.oval:obj:30027" />
  <state state_ref="oval:org.mitre.oval:ste:28012" />
</service_test>

Reporting:

Failed to import the OVAL Definitions from 'all.windows.vulnerability.xml'.
OpenSCAP Error: Unknown test type oval:org.mitre.oval:tst:100270. [../../../src/OVAL/oval_test.c:395]

The all.windows.vulnerability.xml was generated from the OVALRepo ( https://github.com/CISecurity/OVALRepo )

service_test has been introduced as part of OVAL 5.10.1 - https://oval.mitre.org/language/version5.10.1/ovaldefinition/documentation/windows-definitions-schema.html

OpenSCAP Version:

oscap --version
OpenSCAP command line tool (oscap) 1.2.16
Copyright 2009--2017 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.8)

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/lib/x86_64-linux-gnu/openscap

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Oracle Linux 5 - cpe:/o:oracle:linux:5
Oracle Linux 6 - cpe:/o:oracle:linux:6
Oracle Linux 7 - cpe:/o:oracle:linux:7
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Scientific Linux 5 - cpe:/o:scientificlinux:scientificlinux:5
Scientific Linux 6 - cpe:/o:scientificlinux:scientificlinux:6
Scientific Linux 7 - cpe:/o:scientificlinux:scientificlinux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Fedora 22 - cpe:/o:fedoraproject:fedora:22
Fedora 23 - cpe:/o:fedoraproject:fedora:23
Fedora 24 - cpe:/o:fedoraproject:fedora:24
Fedora 25 - cpe:/o:fedoraproject:fedora:25
Fedora 26 - cpe:/o:fedoraproject:fedora:26
Fedora 27 - cpe:/o:fedoraproject:fedora:27
Fedora 28 - cpe:/o:fedoraproject:fedora:28
SUSE Linux Enterprise all versions - cpe:/o:suse:sle
SUSE Linux Enterprise Server 10 - cpe:/o:suse:sles:10
SUSE Linux Enterprise Desktop 10 - cpe:/o:suse:sled:10
SUSE Linux Enterprise Server 11 - cpe:/o:suse:linux_enterprise_server:11
SUSE Linux Enterprise Desktop 11 - cpe:/o:suse:linux_enterprise_desktop:11
SUSE Linux Enterprise Server 12 - cpe:/o:suse:sles:12
SUSE Linux Enterprise Desktop 12 - cpe:/o:suse:sled:12
openSUSE 11.4 - cpe:/o:opensuse:opensuse:11.4
openSUSE 13.1 - cpe:/o:opensuse:opensuse:13.1
openSUSE 13.2 - cpe:/o:opensuse:opensuse:13.2
openSUSE 42.1 - cpe:/o:novell:leap:42.1
openSUSE 42.2 - cpe:/o:novell:leap:42.2
openSUSE All Versions - cpe:/o:opensuse:opensuse
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5
Wind River Linux all versions - cpe:/o:windriver:wrlinux
Wind River Linux 8 - cpe:/o:windriver:wrlinux:8

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe
----------    ----------                   ----------
(null)        system_info                  probe_system_info
independent   family                       probe_family
independent   filehash                     probe_filehash
independent   environmentvariable          probe_environmentvariable
independent   textfilecontent54            probe_textfilecontent54
independent   textfilecontent              probe_textfilecontent
independent   variable                     probe_variable
independent   xmlfilecontent               probe_xmlfilecontent
independent   environmentvariable58        probe_environmentvariable58
independent   filehash58                   probe_filehash58
linux         dpkginfo                     probe_dpkginfo
linux         inetlisteningservers         probe_inetlisteningservers
linux         partition                    probe_partition
linux         iflisteners                  probe_iflisteners
linux         selinuxboolean               probe_selinuxboolean
linux         selinuxsecuritycontext       probe_selinuxsecuritycontext
linux         systemdunitproperty          probe_systemdunitproperty
linux         systemdunitdependency        probe_systemdunitdependency
unix          file                         probe_file
unix          interface                    probe_interface
unix          password                     probe_password
unix          process                      probe_process
unix          runlevel                     probe_runlevel
unix          shadow                       probe_shadow
unix          uname                        probe_uname
unix          xinetd                       probe_xinetd
unix          sysctl                       probe_sysctl
unix          process58                    probe_process58
unix          fileextendedattribute        probe_fileextendedattribute
unix          routingtable                 probe_routingtable
unix          symlink                      probe_symlink

Operating System & Version:

Debian 10

Steps to Reproduce:

  1. Clone https://github.com/CISecurity/OVALRepo
  2. Run python3 build_oval_definitions_file.py -o all.windows.vulnerability.xml --family windows --class vulnerability
  3. Run oscap oval analyse --verbose DEVEL --results results.xml all.windows.vulnerability.xml system-characteristics.xml

Actual Results:

I compiled openscap on my own to debug the issue, but couldn't figure it out, so you can ignore the debug information:

I: oscap: Identified document type: oval_definitions [oscap(1338):oscap(7ff39126a980):doc_type.c:96:oscap_determine_document_type_reader]
D: oscap: Validating OVAL Definition (5.11.1) document from all.windows.vulnerability.xml. [oscap(1338):oscap(7ff39126a980):oscap_source.c:339:oscap_source_validate]
I: oscap: Identified document type: oval_system_characteristics [oscap(1338):oscap(7ff39126a980):doc_type.c:96:oscap_determine_document_type_reader]
D: oscap: Validating OVAL System Characteristics (5.10.1) document from system-characteristics.xml. [oscap(1338):oscap(7ff39126a980):oscap_source.c:339:oscap_source_validate]
I: oscap: Skipping tag: notes. [oscap(1338):oscap(7ff39126a980):oval_definition.c:430:_oval_definition_parse_tag]
I: oscap: Skipping tag: notes. [oscap(1338):oscap(7ff39126a980):oval_definition.c:430:_oval_definition_parse_tag]
Failed to import the OVAL Definitions from 'all.windows.vulnerability.xml'.
OpenSCAP Error: Unknown test type oval:org.mitre.oval:tst:100270. [../../../src/OVAL/oval_test.c:395]

Expected Results:

No error

Additional Information / Debugging Steps:

nrathaus avatar May 19 '20 09:05 nrathaus

I am attempting to run it on OpenSCAP 1.3.3 to see if it is specific to my build (which is the Debian based one)

nrathaus avatar May 19 '20 09:05 nrathaus

It looks like OpenSCAP 1.3.3 doesn't have this issue - is this a documented problem?

nrathaus avatar May 19 '20 09:05 nrathaus

There was a recent attempt (a successful one, as far as I can say: https://github.com/OpenSCAP/openscap/pull/1438) to get 1.3 into better shape for Debian-based distributions. Is there any movement in regard to adding 1.3 to Sid?

evgenyz avatar May 19 '20 10:05 evgenyz

@nrathaus Can you please also grep "name=\"service_test\"" /usr/share/openscap/schemas/oval/* -R on your machine and paste the results here?

evgenyz avatar May 20 '20 08:05 evgenyz

# dpkg -l | grep opensc
ii  libopenscap8                       1.2.16-2                     amd64        Set of libraries enabling integration of the SCAP line of standards
ii  libopenscap8-dbg                   1.2.16-2                     amd64        Set of libraries enabling integration of the SCAP line of standards
# cat /etc/debian_version
10.0
# grep "name=\"service_test\"" /usr/share/openscap/schemas/oval/* -R
/usr/share/openscap/schemas/oval/5.10/windows-definitions-schema.xsd:      <xsd:element name="service_test" substitutionGroup="oval-def:test">
/usr/share/openscap/schemas/oval/5.10.1/windows-definitions-schema.xsd:      <xsd:element name="service_test" substitutionGroup="oval-def:test">
/usr/share/openscap/schemas/oval/5.11/windows-definitions-schema.xsd:      <xsd:element name="service_test" substitutionGroup="oval-def:test">
/usr/share/openscap/schemas/oval/5.11.1/windows-definitions-schema.xsd:      <xsd:element name="service_test" substitutionGroup="oval-def:test">
/usr/share/openscap/schemas/oval/5.11.2/windows-definitions-schema.xsd:      <xsd:element name="service_test" substitutionGroup="oval-def:test">
/usr/share/openscap/schemas/oval/5.8/windows-definitions-schema.xsd:      <xsd:element name="service_test" substitutionGroup="oval-def:test">
/usr/share/openscap/schemas/oval/5.9/windows-definitions-schema.xsd:      <xsd:element name="service_test" substitutionGroup="oval-def:test">

nrathaus avatar May 20 '20 08:05 nrathaus
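The grep above shows the distinction at the heart of this report: the `service_test` element is present in every bundled windows-definitions-schema.xsd, so the document validates, yet the "Supported OVAL objects" table printed by `oscap --version` lists no `windows` family at all, which is why import stops at the first `service_test` with "Unknown test type". The following pre-flight checker is an added example, not part of the issue or of the OpenSCAP project. It parses that `oscap --version` table into a set of (family, object) pairs and walks an OVAL definitions file reporting every `*_test` whose object type the build has no probe for. The embedded table is an excerpt of the output pasted in the issue, and the sample OVAL document is constructed around the `service_test` quoted in the report plus a made-up `family_test`; the function names and the `oval:example:*` ids are this example's own.

```python
"""Pre-flight check: list OVAL tests whose object type has no probe in a given oscap build."""
import sys
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Excerpt of the table `oscap --version` printed for OpenSCAP 1.2.16 in the issue.
# Note the absence of any "windows" family row.
OSCAP_VERSION_EXCERPT = """\
==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe
----------    ----------                   ----------
(null)        system_info                  probe_system_info
independent   family                       probe_family
independent   textfilecontent54            probe_textfilecontent54
linux         dpkginfo                     probe_dpkginfo
unix          file                         probe_file
"""

# Constructed sample: the service_test quoted in the issue plus a hypothetical
# independent family_test (ids under oval:example:* are invented for this example).
SAMPLE_OVAL = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <tests>
    <win:service_test id="oval:org.mitre.oval:tst:100270" version="1" check="all"
        check_existence="at_least_one_exists" comment="Check if HidServ service is running">
      <win:object object_ref="oval:org.mitre.oval:obj:30027"/>
      <win:state state_ref="oval:org.mitre.oval:ste:28012"/>
    </win:service_test>
    <ind:family_test id="oval:example:tst:1" version="1" check="all" comment="constructed sample">
      <ind:object object_ref="oval:example:obj:1"/>
    </ind:family_test>
  </tests>
</oval_definitions>
"""


def supported_from_version_output(text):
    """Parse the '==== Supported OVAL objects ...' table of `oscap --version`
    into a set of (family, object) pairs. Stops at the first blank line."""
    pairs, in_table = set(), False
    for line in text.splitlines():
        if line.startswith("==== Supported OVAL objects"):
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():
            break
        cols = line.split()
        # Skip the column header and the dashed separator row.
        if len(cols) < 3 or cols[0] in ("OVAL", "----------"):
            continue
        pairs.add((cols[0], cols[1]))
    return pairs


def split_tag(tag):
    """ElementTree tag '{namespace}local' -> (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def unsupported_tests(xml_text, supported):
    """Return [(test_id, family, element_name)] for each *_test element whose
    (family, object) pair is missing from `supported`. The family is the part of
    the namespace after '#', the object is the element name without '_test'."""
    root = ET.fromstring(xml_text)
    missing = []
    for el in root.iter():
        ns, local = split_tag(el.tag)
        if not ns.startswith(OVAL_DEF_NS + "#") or not local.endswith("_test"):
            continue
        family = ns.split("#", 1)[1]
        obj = local[: -len("_test")]
        if (family, obj) not in supported:
            missing.append((el.get("id"), family, local))
    return missing


if __name__ == "__main__":
    # Usage: python3 check_oval_probes.py [definitions.xml] [oscap-version-output.txt]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVAL
    ver_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else OSCAP_VERSION_EXCERPT
    supported = supported_from_version_output(ver_text)
    for test_id, family, name in unsupported_tests(xml_text, supported):
        print(f"unsupported: {test_id} ({family}:{name})")
```

Run against the sample it reports only the windows `service_test`; the `independent` `family_test` passes because `probe_family` is in the table. Feeding it the real `oscap --version` output and the generated all.windows.vulnerability.xml would list every test that this 1.2.16 build will reject before `oscap oval analyse` is even attempted, which is a cheaper way to answer "is this content evaluable here" than reading the import error one test at a time.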