Hello Ron,

thank you for your report.

----- Original Message -----

From: "Simon Lukasik" isimluk@fedoraproject.org To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Thursday, August 27, 2015 8:06:16 AM Subject: Re: scap-workbench and SSG -.1.25

Hello Ron,

Thanks for checking with us.

I guess the cause is the new OVAL version (5.11) in SSG.

Simon is right. Have verified the 'ssg-centos7-ds.xml' benchmark from SSG 0.1.25 Zip archive: [1] https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.25/sc...

contains OVAL file of version 5.11.

Let me elaborate. The tools in centos-7 do not support OVAL-5.11. While the latest SSG uses OVAL-5.11.

To clarify a bit on this point. SSG is able to produce both (OVAL-5.10.1 and OVAL-5.11) versions of the OVAL document. The final version of produced OVAL depends on the version of the underlying "oscap" command that was used to produce the content (if "oscap" supports 5.10.1 version only, final SSG OVAL will be of version 5.10 [and OVAL-5.11 checks will simply not be included]. If "oscap" supports 5.11 OVAL language version already, the produced SSG OVAL will be of version 5.11 already, and all OVAL checks will be included).

The behaviour you are experiencing is there because those 0.1.25 SSG Zip archive datastreams were produced using "oscap" version supporting OVAL-5.11 version already.

With the next Red Hat Enterprise Linux 7 update we will be delivering tools that support OVAL-5.11.1. Until then you can use the-latest-greatest OpenSCAP repo at https://copr.fedoraproject.org/coprs/isimluk/OpenSCAP/

As Simon pointed out, the tentative plan is to switch to using OVAL-5.11 language version already (majority of the developers would have latest OpenSCAP installed, and therefore we would not notice this issue).

But to preserve compatibility (OVAL-5.10.1 and OVAL-5.11 language versions aren't backward compatible) -- IOW to allow the new SSG releases to run also with older "oscap" / "scap-workbench" versions, the produced SSG Zip archive should also contain datastreams build with older "oscap" versions.

Therefore I have filed: [2] https://github.com/OpenSCAP/scap-security-guide/issues/655

to fix this state in future releases (start producing also OVAL-5.10.1 based DataStreams in the SSG Zip archive in future releases).

For now please apply the following steps as a workaround to produce SSG-0.1.25 benchmarks for openscap-1.1.1 you are using:

* Download the upstream tarball: $ wget -O scap-security-guide-0.1.25.tar.gz https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.25.tar.gz

* Expand it: $ tar xvzf scap-security-guide-0.1.25.tar.gz

* Build the RPM: $ cd scap-security-guide-0.1.25/ && make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm

* (As privileged user -- root) Install the produced RPM: # rpm -i rpmbuild/RPMS/noarch/scap-security-guide-0.1.25-1.fc22.noarch.rpm

If you want to have the HTML guides installed too, install the -doc subpackage too: # rpm -i rpmbuild/RPMS/noarch/scap-security-guide-doc-0.1.25-1.fc22.noarch.rpm

Note: I have tried the above scenario on Fedora 22 system, but it should work also for CentOS 7 system. If not, that's a bug && it should be reported.

The benchmarks produced this way will be usable with those "oscap" and "scap-workbench" versions, you reported.

Hope the above being helpful.

Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

Best, ~š.

On 08/27/2015 01:52 AM, Ron Backman wrote:

...

I am using SCAP-Workbench 1.0.2 on CentOS 7 and just downloaded the lastest Scap Sceucity Guides version 0.1.25

I am getting the following error. I tried opening a few of the other Data Stream XML docs and am getting the same error. Is this DataStream (1.2) to new for the SCAP -Workbench?

Ideas?

19:49:48

info

scap-workbench 1.0.2, compiled with Qt 4.8.5, using openscap 1.1.1

19:50:00

except

Error while opening file. There was a problem with ScanningSession! Failed to reload session. OpenSCAP error message: Invalid SCAP Source Datastream (1.2) content in /home/backman/Downloads/scap-security-guide-0.1.25/ssg-centos7-ds.xml. [xccdf_session.c:352]

-- Šimon Lukašík Security Technologies, Red Hat, Inc. -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/