Šimon Lukašík (isimluk) wrote,
Šimon Lukašík
isimluk

How to convert USGCB to DataStream with OpenSCAP

USGCB stands for United States Government Configuration Baseline; according to its web page, it is initiative to create security configuration baselines for technologies deployed across the federal agencies. On 2011-09-30, USGCB released official baseline for Red Hat Enterprise Linux 5 Desktop. This baseline remained the only official guidance for Linux systems for long time.

The USGCB for RHEL 5 Desktop, was released in form of SCAP 1.1. In this blog, I will show you how to use OpenSCAP to convert this baseline to a new version of SCAP, SCAP 1.2. Note that the SCAP 1.2 defines new file format (called DataStream) which allows us to bundle multiple legacy files into one huge xml.

For this example, we will need the newest OpenSCAP library which was yesterday released as version 0.9.6. First of all, we need to download the baseline from usgcb.nist.gov and unpack it.

        $ mkdir USGCB; cd USGCB
        $ wget http://usgcb.nist.gov/usgcb/content/scap/USGCB-rhel5desktop-1.0.5.0.zip
        $ unzip USGCB-rhel5desktop-1.0.5.0.zip
        Archive: USGCB-rhel5desktop-1.0.5.0.zip
           inflating: usgcb-rhel5desktop-cpe-dictionary.xml
           inflating: usgcb-rhel5desktop-cpe-oval.xml
           inflating: usgcb-rhel5desktop-oval.xml
           inflating: usgcb-rhel5desktop-xccdf.xml
        $ mv usgcb-rhel5desktop-xccdf{,11}.xml

Now, we have the content prepared and we may start with the conversion to DataStream. The XCCDF document we have uses XCCDF version 1.1, but within DataStream file format, there is only XCCDF 1.2 allowed. We need to convert XCCDF document to the newest version of the standard. We will use XSL Transformations which comes with the newest OpenSCAP package for this task.

Unfortunately, it's not so simple. The USGCB baseline contains 4 buggy <xccdf:sub> elements which refer to nonexistent values. These 4 elements remain unnoticed as long as the content is in XCCDF version 1.1. However, the XSD validation schema for XCCDF 1.2 is more strict and it will be picking up on these. Let's use the very first XSLT to remove bogus sub elements:

        $ xsltproc /usr/share/openscap/xsl/xccdf_1.1_remove_dangling_sub.xsl \
           usgcb-rhel5desktop-xccdf11.xml \
           > usgcb-rhel5desktop-xccdf11fixed.xml

Once, there are no dangling <xccdf:sub> elements, we can proceed with document conversion to XCCDF 1.2:

        $ xsltproc --stringparam reverse_DNS gov.nist.usgcb \
           /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
           usgcb-rhel5desktop-xccdf11fixed.xml \
           > usgcb-rhel5desktop-xccdf.xml

You can verify that the resulting document is compliant with XCCDF 1.2:

        $ oscap xccdf validate usgcb-rhel5desktop-xccdf.xml

Next, we will let oscap create DataStream from this new XCCDF.

        $ oscap ds sds-compose usgcb-rhel5desktop-xccdf.xml usgcb-rhel5desktop-ds.xml
        OpenSCAP Error: Could not found file http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml: No such file or directory.

The error message which is produced by OpenSCAP is expected and can be safely ignored. The message means to say that OpenSCAP found reference to the OVAL content which was not found locally, therefore the OpenSCAP failed to include it into the DataStream. The OVAL file on that location changes in time and USGCB authors wanted this file to be downloaded at the scan time. At any step, oscap-info module can be used to inspect resulting document:

        $ oscap info usgcb-rhel5desktop-ds.xml
        Document type: Source Data Stream
        Imported: 2013-04-21T22:30:31

        Stream: scap_org.open-scap_datastream_from_xccdf_usgcb-rhel5desktop-xccdf.xml
        Generated: (null)
        Version: 1.2
        Checklists:
           Ref-Id: scap_org.open-scap_cref_usgcb-rhel5desktop-xccdf.xml
               Profile: xccdf_gov.nist.usgcb_profile_united_states_government_configuration_baseline
        Checks:
           Ref-Id: scap_org.open-scap_cref_usgcb-rhel5desktop-oval.xml
        No dictionaries.

In the DataStream, there are two components, the first is the XCCDF and the second is its OVAL dependency. We can use their identifiers to evaluate the USGCB.

        $ oscap xccdf eval \
           --datastream-id scap_org.open-scap_datastream_from_xccdf_usgcb-rhel5desktop-xccdf.xml \
           --xccdf-id scap_org.open-scap_cref_usgcb-rhel5desktop-xccdf.xml \
           --profile xccdf_gov.nist.usgcb_profile_united_states_government_configuration_baseline \
           --fetch-remote-resources \
           usgcb-rhel5desktop-ds.xml

However, in this case, when there is only one XCCDF within the DataStream, we can skip these arguments and let OpenSCAP to find it automatically.

        $ oscap xccdf eval \
           --profile xccdf_gov.nist.usgcb_profile_united_states_government_configuration_baseline \
           --fetch-remote-resources \
           usgcb-rhel5desktop-ds.xml

Attentive readers must have noticed that in the original archive, there were 4 files, but in the DataStream we have only 2 components. The CPE dictionary was not added to the DataStream during the sds-compose operation and it needs to be added separatelly.

        $ oscap ds sds-add usgcb-rhel5desktop-cpe-dictionary.xml usgcb-rhel5desktop-ds.xml
        $ oscap info usgcb-rhel5desktop-ds.xml
        Document type: Source Data Stream
        Imported: 2013-04-22T17:17:16

        Stream: scap_org.open-scap_datastream_from_xccdf_usgcb-rhel5desktop-xccdf.xml
        Generated: (null)
        Version: 1.2
        Checklists:
           Ref-Id: scap_org.open-scap_cref_usgcb-rhel5desktop-xccdf.xml
              Profile: xccdf_gov.nist.usgcb_profile_united_states_government_configuration_baseline
        Checks:
           Ref-Id: scap_org.open-scap_cref_usgcb-rhel5desktop-oval.xml
           Ref-Id: scap_org.open-scap_cref_usgcb-rhel5desktop-cpe-oval.xml
        Dictionaries:
           Ref-Id: scap_org.open-scap_cref_usgcb-rhel5desktop-cpe-dictionary.xml

We are done. The USGCB baseline is available in DataStream file format. The very same procedure may be used to convert Scap Security Guide into DataStream. However, there might be problems with broken identifiers which time to time appear during the development of SSG.

Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your IP address will be recorded 

  • 0 comments