Hi all, I've seen reference to this on this and other lists but no acceptable resolution.
Per documentation, I downloaded and installed the following:
openscap-content-1.0.8-1.el6_5.noarch perl-Pod-Escapes-1.04-136.el6.x86_64 openscap-1.0.8-1.el6_5.x86_64 scap-security-guide-0.1-16.el6.noarch openscap-utils-1.0.8-1.el6_5.x86_64 python-lxml-2.2.3-1.1.el6.x86_64
Using the command in the User Guide, after running:
oscap xccdf eval --profile stig-rhel6-server-upstream \ --results /tmp/`hostname`-ssg-results.xml \ --report /tmp/`hostname`-ssg-results.html \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
I get valid output for about 225 CCE checks but then error out with:
OpenSCAP Error: Conversion of the string "-" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
I can confirm this is coming from the check for disabling coredumps in the limits.conf file by having replacing
* - core 0
with
* hard core 0
which resulted in:
OpenSCAP Error: Conversion of the string "hard" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
I went back and downloaded the scap-security-guide 0.5 source and compiled/installed. The doc says rhel6-xccdf-scap-security-guide.xml and rhel6-oval-scap-security-guide.xml would be produced from the make but I didn't find any. I did find the ssg xccdf and cpe files from scap-security-guide/RHEL6/dist/content so used those and got:
Profile "stig-rhel6-server-upstream" was not found.
Re-running again with server and stig-server profiles instead gave:
OpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1904]
after running a few valid checks.
Am I missing a step somewhere?
Thanks, George Jackson
George,
This is a bug in the pattern matching code for this check that has recently been fixed.
I'm not sure on the timeline for getting that fix into the rpms.
On Fri, May 23, 2014 at 12:51 PM, Jackson, George C III CTR DISA PEO-MA (US) george.c.jackson1.ctr@mail.mil wrote:
Hi all, I've seen reference to this on this and other lists but no acceptable resolution.
Per documentation, I downloaded and installed the following:
openscap-content-1.0.8-1.el6_5.noarch perl-Pod-Escapes-1.04-136.el6.x86_64 openscap-1.0.8-1.el6_5.x86_64 scap-security-guide-0.1-16.el6.noarch openscap-utils-1.0.8-1.el6_5.x86_64 python-lxml-2.2.3-1.1.el6.x86_64
Using the command in the User Guide, after running:
oscap xccdf eval --profile stig-rhel6-server-upstream \ --results /tmp/`hostname`-ssg-results.xml \ --report /tmp/`hostname`-ssg-results.html \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
I get valid output for about 225 CCE checks but then error out with:
OpenSCAP Error: Conversion of the string "-" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
I can confirm this is coming from the check for disabling coredumps in the limits.conf file by having replacing
- core 0
with
- hard core 0
which resulted in:
OpenSCAP Error: Conversion of the string "hard" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
I went back and downloaded the scap-security-guide 0.5 source and compiled/installed. The doc says rhel6-xccdf-scap-security-guide.xml and rhel6-oval-scap-security-guide.xml would be produced from the make but I didn't find any. I did find the ssg xccdf and cpe files from scap-security-guide/RHEL6/dist/content so used those and got:
Profile "stig-rhel6-server-upstream" was not found.
Re-running again with server and stig-server profiles instead gave:
OpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1904]
after running a few valid checks.
Am I missing a step somewhere?
Thanks, George Jackson
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Hi Andrew,
Thanks for the info. I'll download/compile the openscap source from git and use that instead.
Thanks again, George Jackson
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Andrew Gilmore Sent: Friday, May 23, 2014 2:11 PM To: SCAP Security Guide Subject: Re: OpenSCAP Error: Conversion of the string "-" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
George,
This is a bug in the pattern matching code for this check that has recently been fixed.
I'm not sure on the timeline for getting that fix into the rpms.
On Fri, May 23, 2014 at 12:51 PM, Jackson, George C III CTR DISA PEO-MA (US) george.c.jackson1.ctr@mail.mil wrote:
Hi all, I've seen reference to this on this and other lists but no acceptable resolution.
Per documentation, I downloaded and installed the following:
openscap-content-1.0.8-1.el6_5.noarch perl-Pod-Escapes-1.04-136.el6.x86_64 openscap-1.0.8-1.el6_5.x86_64 scap-security-guide-0.1-16.el6.noarch openscap-utils-1.0.8-1.el6_5.x86_64 python-lxml-2.2.3-1.1.el6.x86_64
Using the command in the User Guide, after running:
oscap xccdf eval --profile stig-rhel6-server-upstream \ --results /tmp/`hostname`-ssg-results.xml \ --report /tmp/`hostname`-ssg-results.html \ --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
I get valid output for about 225 CCE checks but then error out with:
OpenSCAP Error: Conversion of the string "-" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
I can confirm this is coming from the check for disabling coredumps in the limits.conf file by having replacing
* - core 0
with
* hard core 0
which resulted in:
OpenSCAP Error: Conversion of the string "hard" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
I went back and downloaded the scap-security-guide 0.5 source and compiled/installed. The doc says rhel6-xccdf-scap-security-guide.xml and rhel6-oval-scap-security-guide.xml would be produced from the make but I didn't find any. I did find the ssg xccdf and cpe files from scap-security-guide/RHEL6/dist/content so used those and got:
Profile "stig-rhel6-server-upstream" was not found.
Re-running again with server and stig-server profiles instead gave:
OpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1904]
after running a few valid checks.
Am I missing a step somewhere?
Thanks, George Jackson
_______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 05/23/2014 09:26 PM, Jackson, George C III CTR DISA PEO-MA (US) wrote:
Hi Andrew,
Thanks for the info. I'll download/compile the openscap source from git and use that instead.
Thanks again, George Jackson
Hi George,
Don't download the latest openscap, you almost have the latest greatest. Please make sure to download the latest scap-security-guide from git.
Best regards,
Simon,
Actually it still doesn't work with the latest scap-security-guide-0.5.0-InitialDraft.tar.gz I downloaded directly from the git repo this morning. If I use the oscap from Red Hat's openscap-1.0.8-1.el6_5.x86_64 with the cmd line of:
oscap xccdf eval --profile stig-rhel6-server-upstream --results hera101-results.xml --report hera101-report.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
I still get:
Profile "stig-rhel6-server-upstream" was not found.
If I do the same with --profile stig-server or --profile server I get output on a few checks but then error out with
OpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1904] Selector ID(service_postfix_enabled) does not exist in Benchmark. [xccdf_policy.c:1904]
So I went back to the oscap I compiled which didn't give any errors but every check gave a "Result: notapplicable". I compiled with:
./configure --enable-cce --enable-sce
so I still don't know what I'm doing wrong. Any ideas?
George Jackson Cluster Technical Lead Centaur Operations Northrop Grumman IS
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Simon Lukasik Sent: Saturday, May 24, 2014 10:47 AM To: SCAP Security Guide Subject: Re: OpenSCAP Error: Conversion of the string "-" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
On 05/23/2014 09:26 PM, Jackson, George C III CTR DISA PEO-MA (US) wrote:
Hi Andrew,
Thanks for the info. I'll download/compile the openscap source from git and use that instead.
Thanks again, George Jackson
Hi George,
Don't download the latest openscap, you almost have the latest greatest. Please make sure to download the latest scap-security-guide from git.
Best regards,
-- Simon Lukasik Security Technologies, Red Hat, Inc. _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 5/27/14, 4:54 PM, Jackson, George C III CTR DISA PEO-MA (US) wrote:
Simon,
Actually it still doesn't work with the latest scap-security-guide-0.5.0-InitialDraft.tar.gz I downloaded directly from the git repo this morning. If I use the oscap from Red Hat's openscap-1.0.8-1.el6_5.x86_64 with the cmd line of:
oscap xccdf eval --profile stig-rhel6-server-upstream --results hera101-results.xml --report hera101-report.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
I still get:
Profile "stig-rhel6-server-upstream" was not found.
If I do the same with --profile stig-server or --profile server I get output on a few checks but then error out with
OpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1904] Selector ID(service_postfix_enabled) does not exist in Benchmark. [xccdf_policy.c:1904]
So I went back to the oscap I compiled which didn't give any errors but every check gave a "Result: notapplicable". I compiled with:
./configure --enable-cce --enable-sce
so I still don't know what I'm doing wrong. Any ideas?
The .tar.gz of SSG you mentioned is well over 18 months old. Mind sharing where you nabbed it (the link should probably be taken down)?
Are you able to use the latest SSG RPM? Download instructions at: https://fedorahosted.org/scap-security-guide/wiki/downloads
Hi Shawn,
Sure, I used the URL:
https://git.fedorahosted.org/git/scap-security-guide.git
Unfortunately, I cannot use git directly from the RHEL6 host I need this on to fedorahosted.org as we're a classified site and strict firewall/proxy rules won't allow me to. I can only use a browser on one unclassified Windows workstation (git not allowed) then transfer my downloads over manually :(
Any other options for me to get the latest?
Thanks, George Jackson Cluster Technical Lead Centaur Operations Northrop Grumman IS
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: Tuesday, May 27, 2014 4:02 PM To: scap-security-guide@lists.fedorahosted.org Subject: Re: OpenSCAP Error: Conversion of the string "-" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
On 5/27/14, 4:54 PM, Jackson, George C III CTR DISA PEO-MA (US) wrote:
Simon,
Actually it still doesn't work with the latest scap-security-guide-0.5.0-InitialDraft.tar.gz I downloaded directly from the git repo this morning. If I use the oscap from Red Hat's openscap-1.0.8-1.el6_5.x86_64 with the cmd line of:
oscap xccdf eval --profile stig-rhel6-server-upstream --results hera101-results.xml --report hera101-report.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
I still get:
Profile "stig-rhel6-server-upstream" was not found.
If I do the same with --profile stig-server or --profile server I get output on a few checks but then error out with
OpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1904] Selector ID(service_postfix_enabled) does not exist in Benchmark. [xccdf_policy.c:1904]
So I went back to the oscap I compiled which didn't give any errors but every check gave a "Result: notapplicable". I compiled with:
./configure --enable-cce --enable-sce
so I still don't know what I'm doing wrong. Any ideas?
The .tar.gz of SSG you mentioned is well over 18 months old. Mind sharing where you nabbed it (the link should probably be taken down)?
Are you able to use the latest SSG RPM? Download instructions at: https://fedorahosted.org/scap-security-guide/wiki/downloads _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
You might want to try the FOS? If you are working under classified conditions (which probably shouldn’t' be in such a public setting), there should be a site that is approved to down load authorized sw for use in those types of environments.
Margaret
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Jackson, George C III CTR DISA PEO-MA (US) Sent: Tuesday, May 27, 2014 4:32 PM To: SCAP Security Guide Subject: RE: OpenSCAP Error: Conversion of the string "-" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
Hi Shawn,
Sure, I used the URL:
https://git.fedorahosted.org/git/scap-security-guide.git
Unfortunately, I cannot use git directly from the RHEL6 host I need this on to fedorahosted.org as we're a classified site and strict firewall/proxy rules won't allow me to. I can only use a browser on one unclassified Windows workstation (git not allowed) then transfer my downloads over manually :(
Any other options for me to get the latest?
Thanks, George Jackson Cluster Technical Lead Centaur Operations Northrop Grumman IS
-----Original Message----- From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells Sent: Tuesday, May 27, 2014 4:02 PM To: scap-security-guide@lists.fedorahosted.org Subject: Re: OpenSCAP Error: Conversion of the string "-" to an integer (64 bits) failed: Invalid argument [oval_cmp.c:113]
On 5/27/14, 4:54 PM, Jackson, George C III CTR DISA PEO-MA (US) wrote:
Simon,
Actually it still doesn't work with the latest scap-security-guide-0.5.0-InitialDraft.tar.gz I downloaded directly from the git repo this morning. If I use the oscap from Red Hat's openscap-1.0.8-1.el6_5.x86_64 with the cmd line of:
oscap xccdf eval --profile stig-rhel6-server-upstream --results hera101-results.xml --report hera101-report.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
I still get:
Profile "stig-rhel6-server-upstream" was not found.
If I do the same with --profile stig-server or --profile server I get output on a few checks but then error out with
OpenSCAP Error: Selector ID(ensure_logrotate_activated) does not exist in Benchmark. [xccdf_policy.c:1904] Selector ID(service_postfix_enabled) does not exist in Benchmark. [xccdf_policy.c:1904]
So I went back to the oscap I compiled which didn't give any errors but every check gave a "Result: notapplicable". I compiled with:
./configure --enable-cce --enable-sce
so I still don't know what I'm doing wrong. Any ideas?
The .tar.gz of SSG you mentioned is well over 18 months old. Mind sharing where you nabbed it (the link should probably be taken down)?
Are you able to use the latest SSG RPM? Download instructions at: https://fedorahosted.org/scap-security-guide/wiki/downloads _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 5/27/14, 5:32 PM, Jackson, George C III CTR DISA PEO-MA (US) wrote:
Hi Shawn,
Sure, I used the URL:
https://git.fedorahosted.org/git/scap-security-guide.git
Unfortunately, I cannot use git directly from the RHEL6 host I need this on to fedorahosted.org as we're a classified site and strict firewall/proxy rules won't allow me to. I can only use a browser on one unclassified Windows workstation (git not allowed) then transfer my downloads over manually:(
Any other options for me to get the latest?
If using the EPEL repo isn't an option, perhaps you can download and one-way transfer the RPM. The EPEL package listing is available online: https://dl.fedoraproject.org/pub/epel/6/x86_64/
And a direct URL to the latest SSG RPM: https://dl.fedoraproject.org/pub/epel/6/x86_64/scap-security-guide-0.1-16.el...
If you need the *absolute* latest, since you're downloading the source, you can 'make content' and transfer the files in the output/ directory.
Still missing where that tarball is coming from, though. It shouldn't be generated anywhere in the source.
scap-security-guide@lists.fedorahosted.org