[Solved in comment 27] How to use openscap on Ubuntu or Debian?

Asked by Norbert

As far as I can understand, SCAP contains not only CVEs (Common Vulnerabilities and Exposures), but also
CCE (Common Configuration Enumeration),
CPE (Common Platform Enumeration),
CVSS (Common Vulnerability Scoring System),
XCCDF (Extensible Configuration Checklist Description Format),
OVAL (Open Vulnerability and Assessment Language).

If we talk about CVEs - they are closed with the newest security updates.
I have heard about downloading SCAP content (http://www.open-scap.org/page/Documentation#Common_Usage) for my system, but in /usr/share/openscap there are no Ubuntu- or Debian-related files, so this folder contains:
* scap-fedora14-oval.xml
* scap-fedora14-xccdf.xml
* scap-rhel6-oval.xml
* scap-rhel6-xccdf.xml
* schemas
* xsl

So my question is - how to use openSCAP on Ubuntu (for example, Precise Pangolin 12.04 LTS) or Debian? And where can I get SCAP XML content for my GNU/Linux distro?

Norbert (nrbrtx) said :
#1

It seems that OpenSuSe has OVAL xmls published at http://support.novell.com/security/oval/.
But I can't find such xml-files for Debian and Ubuntu.

michael (yellupcm-gmail) said :
#2
Launchpad Janitor (janitor) said :
#3

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#4

I still need an answer. Michael's answer does not satisfy me.

Launchpad Janitor (janitor) said :
#5

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#6

I still need an answer.

Launchpad Janitor (janitor) said :
#7

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Marcus Furlong (furlongm) said :
#8

Locations for OVAL xml definitions for various distros:

Suse:
http://ftp.suse.com/pub/projects/security/oval/

Red Hat:
https://www.redhat.com/security/data/oval/

Ubuntu:
https://people.canonical.com/~ubuntu-security/oval/

Debian:
https://www.debian.org/security/oval/

Unfortunately the Debian definitions are out of date, but there is work being done to remedy that. See

   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738199

for more details.

Norbert (nrbrtx) said :
#9

Thank you for the reply, Marcus!

What is the correct way to check an Ubuntu 12.04 system with the 'com.ubuntu.precise.cve.oval.xml' file?
What programs and/or packages should I install? Which command produces OVAL scan results for my system?

Launchpad Janitor (janitor) said :
#10

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#11

Thank you for the reply, Marcus!

What is the correct way to check an Ubuntu 12.04 system with the 'com.ubuntu.precise.cve.oval.xml' file?
What programs and/or packages should I install? Which command produces OVAL scan results for my system?

Launchpad Janitor (janitor) said :
#12

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#13

Thank you for the reply, Marcus!

What is the correct way to check an Ubuntu 12.04 system with the 'com.ubuntu.precise.cve.oval.xml' file?
What programs and/or packages should I install? Which command produces OVAL scan results for my system?

As a temporary solution I discovered a useful site - https://vulners.com - it can audit a package list and show unpatched CVEs.

Launchpad Janitor (janitor) said :
#14

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#15

Thank you for the reply, Marcus!

What is the correct way to check an Ubuntu 12.04 system with the 'com.ubuntu.precise.cve.oval.xml' file?
What programs and/or packages should I install? Which command produces OVAL scan results for my system?

As a temporary solution I discovered a useful site - https://vulners.com - it can audit a package list and show unpatched CVEs.

Launchpad Janitor (janitor) said :
#16

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#17

Thank you for the reply, Marcus!

What is the correct way to check an Ubuntu 12.04 system with the 'com.ubuntu.precise.cve.oval.xml' file?
What programs and/or packages should I install? Which command produces OVAL scan results for my system?

As a temporary solution I discovered a useful site - https://vulners.com - it can audit a package list and show unpatched CVEs.

Launchpad Janitor (janitor) said :
#18

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#19

I still need an answer.

Launchpad Janitor (janitor) said :
#20

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#21

I still need an answer.

Launchpad Janitor (janitor) said :
#22

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#23

I still need an answer.

Launchpad Janitor (janitor) said :
#24

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#25

I still need an answer.

Launchpad Janitor (janitor) said :
#26

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Norbert (nrbrtx) said :
#27

Thank you for your support :)

I wrote a step-by-step guide to answer my question.

# get dependencies
 # for 12.04
 sudo apt-get install build-essential libcurl4-openssl-dev libxslt1-dev libgcrypt11-dev

 # for 14.04 and 16.04
 sudo apt-get install build-essential cmake libqt4-dev libxslt1-dev libcurl4-openssl-dev libz-dev autoconf libtool libpcre3-dev asciidoctor git checkinstall libgcrypt-dev

# build and install OpenSCAP
 # for 12.04, 14.04, 16.04
 cd /tmp
 git clone https://github.com/OpenSCAP/openscap
 cd openscap
 git checkout maint-1.2
 ./autogen.sh
 ./configure --prefix /usr --disable-python --disable-util-oscap-docker
 make -j4
 sudo checkinstall make install # specify version 1.2.14

# get OVAL
 cd /tmp
 # for 12.04
 wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.precise.cve.oval.xml
 # for 14.04
 wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.trusty.cve.oval.xml
 # for 16.04
 wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml

# check
 # for 12.04
 oscap oval eval --results /tmp/results-precise.xml --report /tmp/report-precise.html /tmp/com.ubuntu.precise.cve.oval.xml
 firefox /tmp/report-precise.html
 # for 14.04
 oscap oval eval --results /tmp/results-trusty.xml --report /tmp/report-trusty.html /tmp/com.ubuntu.trusty.cve.oval.xml
 firefox /tmp/report-trusty.html
 # for 16.04
 oscap oval eval --results /tmp/results-xenial.xml --report /tmp/report-xenial.html /tmp/com.ubuntu.xenial.cve.oval.xml
 firefox /tmp/report-xenial.html

## SCAP Workbench (14.04 and 16.04)
 # build and install SCAP Workbench
 cd /tmp
 git clone https://github.com/OpenSCAP/scap-workbench
 cd scap-workbench
 git checkout v1-1
 mkdir build
 cd build/
 cmake ../
 make -j4
 sudo checkinstall make install # change name (2) to scap-workbench

# run scap-workbench on Ubuntu 16.04
 cd /tmp
 # compile
 git clone https://github.com/OpenSCAP/scap-security-guide.git
 cd scap-security-guide
 sudo apt-get install xsltproc libxml2-utils expat python-lxml
 make

 # or get compiled version
 wget https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.31/scap-security-guide-0.1.31-oval-5.10.zip
 unzip scap-security-guide-0.1.31-oval-5.10.zip
 cd scap-security-guide-0.1.31-oval-5.10
 scap-workbench ssg-ubuntu1604-ds.xml

This solution is based on:
https://www.redhat.com/archives/open-scap-list/2016-March/msg00010.html
https://martin.preisler.me/wp-content/uploads/2016/12/USENIX-LISA-2016-Security-Compliance-for-Containers-and-VMs-with-OpenSCAP.pdf
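
Added example, not part of the post above and not OpenSCAP project code: a Python script that reads the file written by `oscap oval eval --results` in the "check" step and lists the definitions that evaluated to true, along with those the scanner could not decide. The embedded sample document, its `oval:example:def:*` ids and its titles are constructed; the element names and namespaces are those of the OVAL 5 results schema.

```python
"""Triage an OVAL results file written by `oscap oval eval --results`."""
import sys
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
DECIDED = {"true", "false", "not applicable"}

# Constructed sample, trimmed to the elements read below (ids are made up).
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
   <definition id="oval:example:def:1" class="vulnerability" version="1">
    <metadata><title>constructed advisory A</title></metadata></definition>
   <definition id="oval:example:def:2" class="vulnerability" version="1">
    <metadata><title>constructed advisory B</title></metadata></definition>
   <definition id="oval:example:def:3" class="vulnerability" version="1">
    <metadata><title>constructed advisory C</title></metadata></definition>
  </definitions>
 </oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:example:def:1" result="true" version="1"/>
  <definition definition_id="oval:example:def:2" result="false" version="1"/>
  <definition definition_id="oval:example:def:3" result="unknown" version="1"/>
 </definitions></system></results>
</oval_results>"""

def summarize(xml_text):
    """Return {result: [(definition_id, title), ...]} for one results file."""
    root = ET.fromstring(xml_text)
    # The results file embeds the evaluated definitions, which carry the titles.
    titles = {d.get("id"): d.findtext("def:metadata/def:title", "", NS)
              for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS)}
    grouped = {}
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        ref = r.get("definition_id")
        grouped.setdefault(r.get("result"), []).append((ref, titles.get(ref, "")))
    return grouped

def undecided(grouped):
    """Definitions the scanner could not decide (unknown, error, not evaluated)."""
    return [item for res, items in grouped.items() if res not in DECIDED for item in items]

if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    grouped = summarize(text)
    for ref, title in grouped.get("true", []):  # true = vulnerable condition holds
        print("VULNERABLE", ref, title)
    for ref, title in undecided(grouped):       # not proof of a clean system
        print("UNDECIDED ", ref, title)
    sys.exit(1 if grouped.get("true") else 0)
```

Pass a results file such as /tmp/results-xenial.xml as the only argument; the exit status is 1 when any definition evaluated to true, which makes the script usable from cron or CI.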

Norbert (nrbrtx) said :
#28

Solved!

Norbert (nrbrtx) said :
#29

Solved!

Norbert (nrbrtx) said :
#30

scap-workbench compilation on 12.04 is as follows:

# get dependencies
sudo apt-get install build-essential cmake libqt4-dev libxslt1-dev libcurl4-openssl-dev libz-dev autoconf libtool libpcre3-dev git checkinstall libgcrypt-dev

## SCAP Workbench (12.04)
cd /tmp
git clone https://github.com/OpenSCAP/scap-workbench
cd scap-workbench
git checkout v1-1
mkdir build
cd build/
touch /tmp/scap-workbench/doc/user_manual.html # Ubuntu 12.04 does not have asciidoctor package
cmake ../
make -j4
sudo checkinstall make install # change name (2) to scap-workbench

That's all.

Michael Quick (panjshirlion) said :
#31

The followup to this forum helped me figure out where to get the XML files for Ubuntu 16.04. Thank you.