14 Replies Latest reply on Aug 23, 2016 12:21 PM by Edwin Lindeman

    OpenScap Import 1.2 DataStream

    Edwin Lindeman

      Hey guys

       

      Has anyone successfully imported OpenScap for RHEL 7?  This is the version that is compatible for 1.2.  I've attempted to import the single XML in and I keep getting the message "the root element of the document is not <xsd:schema>". I've tried making a few changes to the XML without success.

       

      If anyone has successfully imported this into your BSA Server environment (8.7 or 8.6) please let me know.  We're working on a task that we're wanting to use OpenScap for RHEL 7.

       

      Best Regards

        • 1. Re: OpenScap Import 1.2 DataStream
          Bill Robinson

          Openscap for rhel7 from who? DISA? link ?

          • 2. Re: OpenScap Import 1.2 DataStream
            Edwin Lindeman

            This is for compliance and installed it via yum and pulled the ssg xml and attempted to import it into the console.

             

            Thank you

            • 3. Re: OpenScap Import 1.2 DataStream
              Bill Robinson

              Installed what ?

              • 4. Re: OpenScap Import 1.2 DataStream
                Edwin Lindeman

                OpenScap Base - yum install openscap-scanner ... it creates a folder in /usr/share/xml/scap/ssg/content; the folder contains multiple XML files, and one of them is ssg-rhel7-ds.xml. I took the XML file and attempted to add it to the console as a 1.2 SCAP file.

                 

                Thank you

                • 5. Re: OpenScap Import 1.2 DataStream
                  Bill Robinson

                  Afaik you need the xccdf, cpe, cpe-oval to create the scap bundle in bsa. Do you have those?

                  • 6. Re: OpenScap Import 1.2 DataStream
                    Edwin Lindeman

                    Hi Bill, since this was a datastream file I thought you only needed this one XML. I thought those other files you mentioned only applied to lower versions like 1.0.

                     

                    I don't have the other files mentioned. 

                     

                    Thank you

                    • 7. Re: OpenScap Import 1.2 DataStream
                      Daniel Goetzman

                      You can use the oscap utility to see if the file is a SCAP 1.2 Datastream format, or not...

                       

                      Like this:

                       

                      # oscap info BMC-IT_SCAP-1.2_SDS.xml
                      Document type: Source Data Stream
                      Imported: 2016-06-30T09:08:25

                      Stream: scap_org.open-scap_datastream_from_xccdf_Edited-CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v1.1.0-xccdf.xml
                      Generated: (null)
                      Version: 1.2
                      Checklists:
                              Ref-Id: scap_org.open-scap_cref_Edited-CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v1.1.0-xccdf.xml
                                      Profiles:
                                              xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Domain_Controller
                                              xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Member_Server
                                      Referenced check files:
                                              CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v1.1.0-oval.xml
                                                      system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                      Checks:
                              Ref-Id: scap_org.open-scap_cref_CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v1.1.0-oval.xml
                      No dictionaries.

                       

                       

                      Might also be interesting to use the oscap validate option to see if the xml file is valid?

                      • 8. Re: OpenScap Import 1.2 DataStream
                        Bill Robinson

                        Maybe you need to separate out the individual files to import into bsa.

                        • 9. Re: OpenScap Import 1.2 DataStream
                          Edwin Lindeman

                          Thanks Daniel, I'll try that

                          • 10. Re: OpenScap Import 1.2 DataStream
                            Edwin Lindeman

                            Thanks Bill, If I can't get the ds file to import properly I'll give that a shot and see if that makes a difference.

                            • 11. Re: OpenScap Import 1.2 DataStream
                              Edwin Lindeman

                              My verification :

                               

                              Document type: Source Data Stream
                              Imported: 2016-07-05T14:48:54

                              Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
                              Generated: (null)
                              Version: 1.2
                              Checklists:
                                      Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
                                              Status: draft
                                              Generated: 2016-05-11
                                              Resolved: true
                                              Profiles:
                                                      xccdf_org.ssgproject.content_profile_standard
                                                      xccdf_org.ssgproject.content_profile_pci-dss
                                                      xccdf_org.ssgproject.content_profile_C2S
                                                      xccdf_org.ssgproject.content_profile_rht-ccp
                                                      xccdf_org.ssgproject.content_profile_common
                                                      xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream
                                                      xccdf_org.ssgproject.content_profile_ospp-rhel7-server
                                              Referenced check files:
                                                      ssg-rhel7-oval.xml
                                                              system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                                                      http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
                                                              system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                              Checks:
                                      Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
                                      Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-cpe-oval.xml
                                      Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-oval.xml
                              Dictionaries:
                                      Ref-Id: scap_org.open-scap_cref_output--ssg-rhel7-cpe-dictionary.xml

                               

                              I also validated that the XML was in the correct format.

                              • 12. Re: OpenScap Import 1.2 DataStream
                                Bill Robinson

                                hmm - it looks like the 1.2 import should take the single file.

                                 

                                so i get the same issue i think, in the appserver log i see a bunch of warnings:

                                [06 Jul 2016 11:33:05,262] [Client-Connections-Thread-4] [WARN] [BLAdmin:BLAdmins:192.168.52.53] [com.bladelogic.om.scap.xccdf.xml.XmlParser] [Client] schema_reference.4: Failed to read schema document 'oval-definitions-schema.xsd', because 1) could not find the document; 2) the document could not be read; 3) the root element of the document is not <xsd:schema>.

                                 

                                but i think we can ignore those, then:

                                 

                                [06 Jul 2016 11:33:05,404] [Client-Connections-Thread-4] [ERROR] [BLAdmin:BLAdmins:192.168.52.53] [com.bladelogic.om.scap.datastream.io.DataStreamInterpreter] [Client] Invalid component reference for a component

                                [06 Jul 2016 11:33:05,405] [Client-Connections-Thread-4] [ERROR] [BLAdmin:BLAdmins:192.168.52.53] [com.bladelogic.om.scap.service.SCAPImportServiceImpl] [Client] Error importing scap content from /opt/bmc/bladelogic/appserver/NSH/tmp/application_server/0/content/ssg-rhel7-ds.xml : (2023) Invalid component reference for a component

                                 

                                seems like something support should look at.

                                • 13. Re: OpenScap Import 1.2 DataStream
                                  Edwin Lindeman

                                  Thanks Bill for testing it out as well. We did issue a ticket and hopefully we can get some good results.

                                  • 14. Re: OpenScap Import 1.2 DataStream
                                    Edwin Lindeman

                                    We did issue the ticket with BMC and they analyzed the file and basically made one change.

                                     

                                    <ds:component> => <component> , basically removed the ds: part of it.

                                    Also, for the RHEL 7 content, had to modify the interpreter to use python 2.6 and not 2.75.

                                     

                                    Anyhow got them to work.

                                     

                                    Thank you
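
The log in reply 12 reports "Invalid component reference for a component", and reply 14 reports a change to the prefix of the component elements. As an added example (not part of the thread, and not BMC or OpenSCAP code), the Python below reads an SCAP 1.2 source data stream and lists every component-ref whose xlink:href does not resolve to a component in the same file, plus every component element that is not in the ds namespace. The sample XML and all scap_example_* ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample, not the real ssg-rhel7-ds.xml: one resolvable reference,
# one dangling reference, one external reference, one component outside ds:.
SAMPLE = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_example_collection" schematron-version="1.2">
  <ds:data-stream id="scap_example_datastream" scap-version="1.2" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_example_cref_xccdf" xlink:href="#scap_example_comp_xccdf"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_example_cref_oval" xlink:href="#scap_example_comp_missing"/>
      <ds:component-ref id="scap_example_cref_remote" xlink:href="http://example.com/oval.xml"/>
    </ds:checks>
  </ds:data-stream>
  <ds:component id="scap_example_comp_xccdf" timestamp="2016-01-01T00:00:00"/>
  <component id="scap_example_comp_oval" timestamp="2016-01-01T00:00:00"/>
</ds:data-stream-collection>"""

def check_datastream(xml_text):
    """Return (unresolved component-refs, ids of components not in the ds namespace)."""
    # Standard-library parser; use a hardened one (e.g. defusedxml) for untrusted content.
    root = ET.fromstring(xml_text)
    components = {}  # component id -> namespace the element is actually in
    for child in root:
        ns, _, local = child.tag.rpartition("}")
        if local == "component":
            components[child.get("id")] = ns.lstrip("{")
    findings = []
    for ref in root.iter("{%s}component-ref" % DS_NS):
        href = ref.get(XLINK_HREF, "")
        if not href.startswith("#"):
            findings.append((ref.get("id"), "external", href))
        elif href[1:] not in components:
            findings.append((ref.get("id"), "dangling", href))
    stray = sorted(cid for cid, ns in components.items() if ns != DS_NS)
    return findings, stray

if __name__ == "__main__":
    findings, stray = check_datastream(SAMPLE)
    print("unresolved component-refs:", findings)
    print("components outside the ds namespace:", stray)
```

To run it against a real file, pass the file's text to check_datastream instead of SAMPLE.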