Bug 1896957 - (re)add support for DISA STIG Viewer into OpenSCAP
Summary: (re)add support for DISA STIG Viewer into OpenSCAP
Keywords:
Status: CLOSED DUPLICATE of bug 1918742
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Vojtech Polasek
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-11-11 22:33 UTC by Dan Yocum
Modified: 2024-06-13 23:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-21 14:17:46 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
oscap command (18.00 KB, image/jpeg), 2020-11-30 22:28 UTC, Dan Yocum
oscap import error (251.94 KB, image/jpeg), 2020-11-30 22:29 UTC, Dan Yocum

Description Dan Yocum 2020-11-11 22:33:26 UTC
What problem/issue/behavior are you having trouble with?  What do you expect to see?
OpenSCAP documentation claims the output can be viewed with DISA STIG Viewer.  With both RHEL8 (and RHEL7) this fails with hundreds of errors and no data imported into STIG Viewer.  Is there an example you can provide of the command that produces a compatible report? The example in the documentation fails.

Where are you experiencing the behavior? What environment?
RHEL 8

When does the behavior occur? Frequency? Repeatedly? At certain times?
Upon import

What information can you provide around timeframes and the business impact?
none


This is a standalone openscap install:
RHEL8 rpms -
 Installed: openscap-1.3.2-6.el8.x86_64
 Installed: openscap-scanner-1.3.2-6.el8.x86_64
 Installed: scap-security-guide-0.1.48-7.el8.noarch

I ran the following command on RHEL8 that is supposed to produce a stig viewer compliant report:
 
oscap xccdf eval --report /home/tisysadmin/report-11-6-1.html --results /home/tisysadmin/results-11-6-1.xml --profile stig --stig-viewer /home/tisysadmin/stig-viewer-11-6-1.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml

Note - I've run the command with and without the --stig-viewer option. 

I thought perhaps this was a RHEL8 bug and found this did not work on RHEL7 either. I then found the following RHEL7 bugzilla which points to the ability to now use openscap results with DISA stig viewer (with no real usage explanation): https://bugzilla.redhat.com/show_bug.cgi?id=1505517  <- however it does not work.  I found a workaround for RHEL7 ... I download the benchmark file from the DISA web site and use that instead of the provided /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml.  

DISA does not have a RHEL8 benchmark so I would like to find out how this is supposed to work from openscap without a benchmark file from DISA. I would like to know how to do this for both RHEL7 and RHEL8 but my primary concern is RHEL8.

Comment 2 Jan Černý 2020-11-19 11:10:52 UTC
Hi,

Which version of DISA STIG Viewer do you use? I have found that the man page says that with DISA STIG Viewer 2.6 or newer you can't use the --stig-viewer option but you should use --results instead. So if you use a newer version than 2.6, please check that you don't use the --stig-viewer option with oscap but use --results. I'm not able to reproduce your problem with DISA STIG Viewer 2.11. I haven't tried with older versions, though. Can you upgrade to DISA STIG Viewer 2.11? (It can be obtained from https://public.cyber.mil/stigs/srg-stig-tools/). Can you describe the steps you perform in the STIG Viewer and paste the errors you see?

Comment 3 Gabriel Gaspar Becker 2020-11-23 10:28:05 UTC
Dan, 

I'll try to explain the expected behaviour of --stig-viewer option from OpenSCAP.

This option is solely intended to be used when you import the "benchmark file from the DISA web site" into stig-viewer. When activated, it will search for STIG id references in the content and it will map according to rules present in the DISA's benchmark, so that the results file contains the correct mapping to rules within DISA's benchmark.

That's why it won't work with /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml since the rule IDs in the results data don't match. To work with this file you should just use the output file from --results option.

But what about RHEL8 and STIG?

So, there is no official content released by DISA so far. They've published a draft, but that content is not reflected in scap-security-guide yet and that's the reason you cannot "import" the file into STIG viewer, but that's expected. So, if you want to load results into stig-viewer you would have to use /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml and the output file from --results option. Although I don't think it brings much benefit because it's much easier, in this case, to just check the HTML report that would be generated by the --report option in oscap.

Comment 7 Dan Yocum 2020-11-30 22:28:43 UTC
Created attachment 1734990
oscap command

Comment 8 Dan Yocum 2020-11-30 22:29:15 UTC
Created attachment 1734991
oscap import error

Comment 9 tims.rheladmin 2020-12-01 14:07:48 UTC
Gabriel,

Yes I was able to get RHEL7 to work with the RHEL7 benchmark as stated above. For any accreditation effort I must provide a STIG Viewer checklist (.ckl) to be uploaded in the DoD security tracking system and I would rather not go through the draft STIG manually, therefore it sounds like I will wait for the DISA benchmark and the official RHEL8 STIG. I have the html output for oscap which shows we are in good shape, so we are in a holding pattern.  I was just trying to find out why it didn't work, when the documentation I had found thus far indicated that the openscap results should be compatible with STIG Viewer.

Thx,

Shawn Henson

Comment 10 Jan Černý 2021-01-21 14:17:46 UTC
Thanks everybody for clarification.

We have found that the expected workflow for STIG Viewer support is:
1) run oscap with data stream from scap-security-guide package and --stig-viewer option
2) open DISA STIG from DISA's website in DISA STIG Viewer
3) import file produced by oscap --stig-viewer to DISA STIG Viewer

This workflow works in RHEL 7.

However, this workflow doesn't work on RHEL 8, because the stig profile in ssg-rhel8-ds.xml provided by scap-security-guide package doesn't contain the references to DISA STIG. The reason is that scap-security-guide in RHEL 8 hasn't been updated to match DISA STIG for RHEL 8. After scap-security-guide is updated to align with DISA STIG for RHEL 8 these steps should start to work also on RHEL 8. Update of scap-security-guide to match DISA STIG for RHEL 8 is tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1918742.

The root cause of this BZ is missing references to DISA STIG in scap-security-guide in RHEL 8. Because adding references is a part of the update process tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1918742, we are closing this bug as a duplicate.

The documentation for --stig-viewer is unfortunate; I have requested the improvement in https://bugzilla.redhat.com/show_bug.cgi?id=1918759

*** This bug has been marked as a duplicate of bug 1918742 ***
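
Added example, not part of the bug thread and not OpenSCAP or scap-security-guide code: a pre-flight check for the root cause named in the closing comment, listing the rules a profile selects that carry no DISA STIG reference. The href marker, the profile and rule IDs, and the sample benchmark are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace
# Assumption: substring of reference/@href that marks a DISA STIG reference.
# Confirm the exact href used by your content before relying on this default.
STIG_HREF_MARKER = "public.cyber.mil/stigs"

# Constructed sample benchmark (IDs, hrefs and STIG IDs are made up).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_stig">
    <select idref="xccdf_org.example_rule_has_stig_ref" selected="true"/>
    <select idref="xccdf_org.example_rule_nist_only" selected="true"/>
    <select idref="xccdf_org.example_rule_no_refs" selected="true"/>
    <select idref="xccdf_org.example_rule_deselected" selected="false"/>
  </Profile>
  <Rule id="xccdf_org.example_rule_has_stig_ref">
    <reference href="https://public.cyber.mil/stigs/">EXAMPLE-00-000001</reference>
  </Rule>
  <Rule id="xccdf_org.example_rule_nist_only">
    <reference href="https://example.invalid/nist">AC-1</reference>
  </Rule>
  <Rule id="xccdf_org.example_rule_no_refs"/>
  <Rule id="xccdf_org.example_rule_deselected"/>
</Benchmark>"""


def rules_missing_stig_ref(xml_text, profile_id, marker=STIG_HREF_MARKER):
    """Return sorted IDs of rules selected by profile_id with no STIG reference.

    Only explicit <select selected="true"> entries are considered; profile
    inheritance ("extends") and rule-level defaults are not resolved.
    """
    root = ET.fromstring(xml_text)
    # iter() walks the whole tree, so a source data stream works as well.
    profile = next((p for p in root.iter(XCCDF + "Profile")
                    if p.get("id") == profile_id), None)
    if profile is None:
        raise ValueError(f"profile not found: {profile_id}")
    selected = {s.get("idref") for s in profile.iter(XCCDF + "select")
                if s.get("selected") == "true"}
    missing = []
    for rule in root.iter(XCCDF + "Rule"):
        if rule.get("id") not in selected:
            continue
        # A usable reference needs both a matching href and a non-empty ID.
        has_ref = any(marker in (r.get("href") or "") and (r.text or "").strip()
                      for r in rule.findall(XCCDF + "reference"))
        if not has_ref:
            missing.append(rule.get("id"))
    return sorted(missing)


if __name__ == "__main__":
    print(rules_missing_stig_ref(SAMPLE, "xccdf_org.example_profile_stig"))
```

A long list for the stig profile of a data stream means the file written by --stig-viewer has little to map onto the rules in DISA's benchmark.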

