Hi Shawn,
On Sun, Jun 2, 2019 at 8:25 PM Shawn Wells <shawn(a)redhat.com> wrote:
> Attempting to use the RHEL 8 data streams, but even 'oscap info' fails
> using the latest release [0]:
This is an issue in OpenSCAP. OpenSCAP can't process datastreams that
contain a `component-ref` element that references content from the internet
without providing `--fetch-remote-resources` on the command line. We
reference remote content in the rule "Security patches are up to date". Using
the `component-ref` element to reference remote content is required by the
SCAP 1.3 standard.

As a workaround, add `--fetch-remote-resources` to the `oscap` call. This
issue has already been fixed upstream in
https://github.com/OpenSCAP/openscap/pull/1324.
> # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml
> Document type: Source Data Stream
> Imported: 2019-06-02T11:16:07
>
> Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
> Generated: (null)
> Version: 1.3
> Checklists:
> Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
> WARNING: Datastream component
> 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2'
> points out to the remote
> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'.
> Use '--fetch-remote-resources' option to download it.
> WARNING: Skipping
> 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'
> file which is referenced from datastream
> OpenSCAP Error: Could not extract
> scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies
> from datastream. [ds_sds_session.c:211]
> Looking at the ssg-rhel8-ds-1.3 file there are lots of mentions to SCAP
> 1.2 instead of 1.3?
If it's related to XCCDF 1.2, then it's correct (surprisingly), because
the SCAP 1.3 standard contains XCCDF 1.2, not XCCDF 1.3. See
https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/SCAP-...
, section "Languages".
However, this seems to be wrong:
<ns10:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8"
resolved="1" style="SCAP_1.2">
Nice catch! Thanks.
> [0] https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/sca...
--
Jan Černý
Security Technologies | Red Hat, Inc.
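
Added example (not part of the original message and not OpenSCAP code): a pre-flight check that lists the `component-ref` elements in a source data stream whose `xlink:href` points to a remote URL, so you know before scanning whether `--fetch-remote-resources` is needed and which hosts the scanner will contact. The function names, the data stream namespace and the local component id in the sample are assumptions; the other ids and the URL are taken from the `oscap info` output quoted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed namespaces: SCAP source data stream and XLink.
DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample: a trimmed data stream skeleton. The local component id
# ("..._comp_...") is made up; the other ids and the URL come from the thread.
SAMPLE_DS = f"""<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="{DS_NS}" xmlns:xlink="{XLINK_NS}">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml"
                        xlink:href="#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2"
                        xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""

def remote_component_refs(ds_xml):
    """Return (cref id, URL) for each component-ref whose href is not a local '#fragment'."""
    root = ET.fromstring(ds_xml)
    found = []
    for cref in root.iter(f"{{{DS_NS}}}component-ref"):
        href = cref.get(f"{{{XLINK_NS}}}href", "")
        if href and not href.startswith("#"):
            found.append((cref.get("id"), href))
    return found

def remote_hosts(ds_xml):
    """Hosts the scanner would contact when remote resources are fetched."""
    return sorted({urlparse(href).hostname or "" for _, href in remote_component_refs(ds_xml)})

def oscap_info_argv(ds_path, ds_xml):
    """Build the 'oscap info' call, adding the workaround flag only when it is needed."""
    argv = ["oscap", "info"]
    if remote_component_refs(ds_xml):
        argv.append("--fetch-remote-resources")
    return argv + [ds_path]

if __name__ == "__main__":
    path = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml"
    print("remote hosts:", remote_hosts(SAMPLE_DS))
    print("command:", " ".join(oscap_info_argv(path, SAMPLE_DS)))
```

The host list is what an egress allow-list or proxy rule for the scanning host would need to cover.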