Classification: UNCLASSIFIED Caveats: NONE
I remember that there were issues with the SSG content and RHEL6 (due to SCC not supporting a sufficient version of...XCCDF? SCAP?). But previously, I could still use SCC with the SSG content; it would just generate a few more false positives than using OpenSCAP. Admittedly, it has been a while since I tried.
Now, when trying SCC 3.1.2, I can't make it run at all. After importing the zip file (generated from git) and selecting the stig-rhel6-server-upstream profile, a scan finishes almost immediately with:
The SCAP content stream <ssg-rhel6-> is not applicable to this platform per the CPE definitions
I've tried on both RHEL6 Workstation and Server, and I've also tried stripping the <platform> information from the XML files.
I'm attempting this for two reasons, as otherwise I'm perfectly happy scanning with OpenSCAP. SCC has the ability to run a check on a single rule at a time, which is useful. Also, I have an inspection soon, and they may want me to use it.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
Hello Ray,
thank you for checking with us.
Does SCC have a possibility to check just one OVAL definition? If so, could you try to run the SCC alternative to the following OpenSCAP command and let us know its output:
# oscap oval eval --id oval:ssg:def:100 ssg-rhel6-oval.xml
The oval:ssg:def:100 definition checks if the installed version of the OS is RHEL-6 (above evaluation returns true with OpenSCAP on RHEL-6).
So wondering if the not applicable problem can't come from different evaluation of this rule. Also, have you tried to explicitly provide RHEL-6 CPE file (ssg-rhel6-cpe-dictionary.xml) to SCC? Still the same output?
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
-----Original Message----- From: Jan Lieskovsky [mailto:jlieskov@redhat.com] Sent: Friday, May 09, 2014 9:45 AM To: Shaw, Ray V CTR USARMY ARL (US) Cc: SCAP Security Guide Subject: Re: SCC (UNCLASSIFIED)
Does SCC have a possibility to check just one OVAL definition? If so, could you try to run the SCC alternative to the following OpenSCAP command and let us know its output:
# oscap oval eval --id oval:ssg:def:100 ssg-rhel6-oval.xml
The oval:ssg:def:100 definition checks if the installed version of the OS is RHEL-6 (above evaluation returns true with OpenSCAP on RHEL-6).
So wondering if the not applicable problem can't come from different evaluation of this rule. Also, have you tried to explicitly provide RHEL-6 CPE file (ssg-rhel6-cpe-dictionary.xml) to SCC? Still the same output?
Unfortunately, as far as I can tell, SCC only has an option to evaluate a single XCCDF rule (and then only from the command line). Which is usually what I want! But of course, not right now. The command you provided returns true with OpenSCAP for me as well.
I don't really see a way to specify ssg-rhel6-cpe-dictionary.xml. Basically, it lets you import SCAP, OVAL, or OCIL content and then do a limited amount of things with that. When I imported the SSG zip as SCAP, it copied all files to its Resources/Content directory, but only really lets me interact with the XCCDF (selecting a stream and running a scan).
I did try to import the OVAL file directly, enable it, and run a scan with it, but I don't think that was an expected thing to do:
[ERROR] Could not find the external variables file for "ssg-rhel6-oval".
I'll have to see if the XML results generated by an OpenSCAP scan work with the "next in line" set of tools (STIG viewer, etc.) I seem to recall that being an issue before, but if it works, then maybe that will be fine. I can live without the ability to run a single XCCDF check (though it would be super great if OpenSCAP had this).
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
On 5/9/14, 9:28 AM, Shaw, Ray V CTR USARMY ARL (US) wrote:
I remember that there were issues with the SSG content and RHEL6 (due to SCC not supporting a sufficient version of...XCCDF? SCAP?). But previously, I could still use SCC with the SSG content; it would just generate a few more false positives than using OpenSCAP. Admittedly, it has been a while since I tried.
Now, when trying SCC 3.1.2, I can't make it run at all. After importing the zip file (generated from git) and selecting the stig-rhel6-server-upstream profile, a scan finishes almost immediately with:
The SCAP content stream <ssg-rhel6-> is not applicable to this platform per the CPE definitions
I've tried on both RHEL6 Workstation and Server, and I've also tried stripping the <platform> information from the XML files.
I'm attempting this for two reasons, as otherwise I'm perfectly happy scanning with OpenSCAP. SCC has the ability to run a check on a single rule at a time, which is useful. Also, I have an inspection soon, and they may want me to use it.
Through feedback and active dialog with SPAWAR, we wrote a quick "SCC Usage" guide back in Nov 2013 [1]. Could you give it a skim, and if you're still having problems, I'll download a copy of the latest SCC and see if I can duplicate. The existing docs were written against SCC 3.1 RC2, so in theory there should be minimal differences against the GA release: http://people.redhat.com/swells/scap-security-guide/docs/User_Guide/tmp/en-U...
[1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-November/0...
My results were...interesting. I ran make in the latest git tree to generate a zip file, then got the following error when attempting to import it from the command line:
bash-4.1# ./cscc -is /home/username/scap-security-guide-0.1.16.zip
Stream ssg-ocilrefs-rhel6- is not a valid stream, therefore will not be installed.
None of the content appeared in the menus. However, when I imported it using the GUI, it accepted the content, and I was able to proceed with the remaining steps. They seem very similar to what I've been doing in the GUI, so I wasn't surprised when I got similar scan results:
bash-4.1# ./cscc
********************************************************************************
*                                                                              *
*                     SCAP Compliance Checker (SCC) 3.1.2                      *
*                                                                              *
*                                 Developed By                                 *
*                        SPAWAR Systems Center Atlantic                        *
*                                                                              *
********************************************************************************
Connecting to HOSTNAME.EXAMPLE.COM...
Stream Version :0.9 Stream:ssg-rhel6 Profile:stig-rhel6-server-upstream Time:2014-05-12_150548
HOSTNAME.EXAMPLE.COM: Loading ssg-rhel6-cpe-oval.xml
HOSTNAME.EXAMPLE.COM: OVAL Schema Version: 5.10
[ERROR] Invalid content. No OVAL object value found for package 'NAME'.
Target System: HOSTNAME.EXAMPLE.COM
Selected Profile: stig-rhel6-server-upstream
Stream Name: ssg-rhel6-
Stream Version: 0.9
Stream Date: 2014-05-12
SCAP Stream: ssg-rhel6
Profile ID: stig-rhel6-server-upstream
Definition ID: oval:ssg:def:100
Test ID: oval:ssg:tst:3135
Object ID: oval:ssg:obj:3136
HOSTNAME.EXAMPLE.COM: Saving HOSTNAME.EXAMPLE.COM_SCC-3.1.2_2014-05-12_150548_OVAL-CPE-Results_ssg-rhel6.xml
HOSTNAME.EXAMPLE.COM: Loading ssg-rhel6-cpe-dictionary.xml
HOSTNAME.EXAMPLE.COM: The SCAP content stream <ssg-rhel6-> is not applicable to this platform per the CPE definitions
Total Errors: 1
Total Warnings: 0
Review complete.
Results, if any, are located in the following directory: /home/username/SCC/Results
Logs, if any, are located in the following directory: /home/username/SCC/Logs
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: Monday, May 12, 2014 12:34 PM To: scap-security-guide@lists.fedorahosted.org Subject: Re: SCC (UNCLASSIFIED)
Through feedback and active dialog with SPAWAR, we wrote a quick "SCC Usage" guide back in Nov 2013 [1]. Could you give it a skim, and if you're still having problems, I'll download a copy of the latest SCC and see if I can duplicate. The existing docs were written against SCC 3.1 RC2, so in theory there should be minimal differences against the GA release: http://people.redhat.com/swells/scap-security-guide/docs/User_Guide/tmp/en-US/html-single/#sect-User_Guide-Alt_Tools-SCC
[1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-November/004468.html
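The SCC log above names the chain it was evaluating when the CPE check failed: definition oval:ssg:def:100, test oval:ssg:tst:3135, object oval:ssg:obj:3136. As an added example (not part of the thread and not code from SSG, OpenSCAP or SCC), this Python script resolves a definition to its tests and object entities so they can be compared with what each scanner reports. The OVAL snippet is constructed; its element contents, the `oval:example:*` IDs and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample. IDs 100/3135/3136 mirror the SCC log above; the
# element contents and every oval:example:* ID are assumptions, not the SSG file.
SAMPLE_OVAL = """<oval_definitions
  xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 <definitions>
  <definition class="inventory" id="oval:ssg:def:100" version="1">
   <criteria operator="AND">
    <criterion test_ref="oval:ssg:tst:3135"/>
    <criterion test_ref="oval:example:tst:1"/>
   </criteria>
  </definition>
 </definitions>
 <tests>
  <lin:rpminfo_test id="oval:ssg:tst:3135" version="1" check="all">
   <lin:object object_ref="oval:ssg:obj:3136"/></lin:rpminfo_test>
  <lin:rpminfo_test id="oval:example:tst:1" version="1" check="all">
   <lin:object object_ref="oval:example:obj:1"/></lin:rpminfo_test>
 </tests>
 <objects>
  <lin:rpminfo_object id="oval:ssg:obj:3136" version="1">
   <lin:name operation="pattern match">^redhat-release</lin:name></lin:rpminfo_object>
  <lin:rpminfo_object id="oval:example:obj:1" version="1">
   <lin:name var_ref="oval:example:var:1"/></lin:rpminfo_object>
 </objects>
 <variables><external_variable id="oval:example:var:1" version="1" datatype="string"/></variables>
</oval_definitions>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def trace_definition(oval_xml, def_id):
    """Rows of (test, object, entity, operation, value or var_ref, source)."""
    by_id = {e.get("id"): e for e in ET.fromstring(oval_xml).iter() if e.get("id")}
    if def_id not in by_id:
        raise KeyError(f"definition {def_id} not found")
    rows, seen = [], set()
    def describe(test_id):
        test = by_id.get(test_id)
        children = test if test is not None else ()
        ref = next((c for c in children if local(c.tag) == "object"), None)
        obj = by_id.get(ref.get("object_ref")) if ref is not None else None
        if obj is None:  # dangling test_ref or object_ref
            rows.append((test_id, None, None, None, None, "unresolved"))
            return
        for ent in obj:  # object children are its entities (set/filter/behaviors not handled)
            value, var = (ent.text or "").strip(), ent.get("var_ref")
            kind = local(by_id[var].tag) if var in by_id else ("unresolved" if var else "empty")
            source = "literal" if value else kind
            rows.append((test_id, obj.get("id"), local(ent.tag),
                         ent.get("operation", "equals"), value or var, source))
    def walk(definition):
        if definition.get("id") in seen:  # guard against extend_definition loops
            return
        seen.add(definition.get("id"))
        for node in definition.iter():
            if local(node.tag) == "extend_definition" and node.get("definition_ref") in by_id:
                walk(by_id[node.get("definition_ref")])
            elif local(node.tag) == "criterion":
                describe(node.get("test_ref"))
    walk(by_id[def_id])
    return rows

if __name__ == "__main__":
    print(*trace_definition(SAMPLE_OVAL, "oval:ssg:def:100"), sep="\n")
```

To inspect real content, pass the text of ssg-rhel6-cpe-oval.xml in place of the sample. A source of `external_variable` means the entity's value has to be supplied from outside the definitions file at scan time.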
On 5/12/14, 3:14 PM, Shaw, Ray V CTR USARMY ARL (US) wrote:
HOSTNAME.EXAMPLE.COM: Saving HOSTNAME.EXAMPLE.COM_SCC-3.1.2_2014-05-12_150548_OVAL-CPE-Results_ssg-rhel6.xml
HOSTNAME.EXAMPLE.COM: Loading ssg-rhel6-cpe-dictionary.xml
HOSTNAME.EXAMPLE.COM: The SCAP content stream <ssg-rhel6-> is not applicable to this platform per the CPE definitions
Well, that's a little alarming.... `cat /etc/redhat-release`... you running RHEL? ;)
I'll play with SCC later this week.
On 5/12/14, 3:14 PM, Shaw, Ray V CTR USARMY ARL (US) wrote:
HOSTNAME.EXAMPLE.COM: Loading ssg-rhel6-cpe-oval.xml
HOSTNAME.EXAMPLE.COM: OVAL Schema Version: 5.10
[ERROR] Invalid content. No OVAL object value found for package 'NAME'.
Actually, this may be the issue: Can you try to load ssg-rhel6-oval.xml (vs *cpe-oval.xml)?
Unfortunately, I'm not aware of a way to do that. You just get to select your XCCDF and the stream you want, and SCC kind of does its thing (or doesn't, in this case); the other files aren't specified explicitly as they are with OpenSCAP. It just has them all and decides what to do with them. I tried moving the cpe-oval file out of /opt/scc/Resources/Content, but then it just complained, used its generic CPE dictionary, and failed anyway.
I also tried loading ssg-rhel6-oval.xml as OVAL content, and running a scan that way, but that comes up with:
[ERROR] Could not find the external variables file for "ssg-rhel6-oval".
And yes, definitely running RHEL :p I've tried it on a few different systems, both Workstation and Server.
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: Monday, May 12, 2014 3:56 PM To: scap-security-guide@lists.fedorahosted.org Subject: Re: SCC (UNCLASSIFIED)
Actually, this may be the issue: Can you try to load ssg-rhel6-oval.xml (vs *cpe-oval.xml)?
On 5/13/14, 8:20 AM, Shaw, Ray V CTR USARMY ARL (US) wrote:
Unfortunately, I'm not aware of a way to do that. You just get to select your XCCDF and the stream you want, and SCC kind of does its thing (or doesn't, in this case); the other files aren't specified explicitly as they are with OpenSCAP. It just has them all and decides what to do with them. I tried moving the cpe-oval file out of /opt/scc/Resources/Content, but then it just complained, used its generic CPE dictionary, and failed anyway.
I also tried loading ssg-rhel6-oval.xml as OVAL content, and running a scan that way, but that comes up with:
[ERROR] Could not find the external variables file for "ssg-rhel6-oval".
And yes, definitely running RHEL :p I've tried it on a few different systems, both Workstation and Server.
Strange. The SCC guys and I traded EMails last night, they're sending over the latest SCC build. The SSG community has a good relationship with that team, many even beta test their releases, making this odd. Will ping the list once I've the latest version downloaded (hopefully today).
Hello Shawn,
----- Original Message -----
From: "Shawn Wells" shawn@redhat.com To: scap-security-guide@lists.fedorahosted.org Sent: Tuesday, May 13, 2014 10:15:13 PM Subject: Re: SCC (UNCLASSIFIED)
Strange. The SCC guys and I traded EMails last night, they're sending over the latest SCC build. The SSG community has a good relationship with that team, many even beta test their releases, making this odd. Will ping the list once I've the latest version downloaded (hopefully today).
If it's not a business secret would it be possible to document the way, how such beta release SCC build can be obtained? Even informally (to be read as - mail this email contact with justification / reasoning [referencing particular SSG mailing list use case] why you need access to the software) would be sufficient.
The sole motivation behind this request being it's not the first time there is some SCC issue with SSG content reported (SCC behaving differently than OpenSCAP) and I think it would only help to improve the maturity (of both?) of the projects we to be directly able to test / experience the issues our users are experiencing (we to be able more quickly to identify potential reasons & fix them where / if necessary).
Have searched further in the past, how SCC can be obtained, but from the page: [1] http://www.public.navy.mil/spawar/Atlantic/ProductsServices/Pages/SCAP.aspx
to be able to download that software you need to belong in one of the following groups:
* Department of Defense (DoD) user with valid Common Access Card (CAC) id,
* Non-DOD - US Government Employee or contractor,
There's also alternate method (if you don't fall in any of the above groups), it's possible to request access via ssc_lant-scc@navy.mil email address providing the following justification:
1) US Federal agency you are supporting
2) Government POC with .gov or .mil email address or Contract Number
but since I didn't find a way how either of the three can be achieved (is this documented somewhere on SSG's wiki?) gave up on following SCC error / bug reports from our customers, since it's hard to identify the reason / source of the problem, when you aren't able to download / try the software in question.
I think there might be more people on this mailing list able to offer their help into investigating such bug reports / use cases, but just due to the limitation not having access to the tool (and even not being able in transparent way to obtain it), not investing their time in these cases further (which doesn't help either of the two projects).
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
On 5/14/14, 5:55 AM, Jan Lieskovsky wrote:
If it's not a business secret would it be possible to document the way, how such beta release SCC build can be obtained? Even informally (to be read as - mail this email contact with justification / reasoning [referencing particular SSG mailing list use case] why you need access to the software) would be sufficient.
emailed SPAWAR, they said:
Just have them email the SCC mailbox and we'll add them to our distro list, so they will get any updates in the future as well. Also if you want to be on alpha and beta testing builds, just indicate as such.
So, for people interested, shoot a note over to scc_land@navy.mil