我正在尝试使用 openscap 运行 CIS Centos 6 基准测试。但是它不起作用。我这样调用它:
oscap oval eval /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml
产生大量的输出,例如
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8464: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10389'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8470: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10391'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8476: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10391'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8482: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10393'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8488: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10393'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8494: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10395'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8500: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10395'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
OpenSCAP Error: Invalid OVAL Definition (5.11) content in /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml. [oscap_source.c:268]
我尝试用解决这个问题--skip-valid,但这也无济于事:
oscap oval eval --skip-valid /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml
OpenSCAP Error: Unknown test type oval:org.cisecurity.benchmarks.o_centos_centos:tst:10003. [oval_test.c:402]
Failed to import the OVAL Definitions from '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml'. [oval_session.c:238]
是否有人使用 openscap 运行 CIS 基准测试的经验?如果有,那么它是如何工作的?
答案1
我是一名 OpenSCAP 开发人员。我们使用 MITRE 和 CIS 提供的官方 XML 模式。从消息来看,您收到的 OVAL 文件似乎不是有效的 OVAL 5.11 文件。
您可以使用 --skip-valid 解决此问题,但更好的解决方案是将此问题报告给 CIS 并修复它。
答案2
Openscap 1.3.4 似乎没有 AIX interim_fix 功能,这导致无法运行 CIS unix.xml 椭圆文件。
添加以下几行并构建源代码将修复该问题并忽略 interim_fix 测试
文件:src/oval_enumerations.c
{OVAL_AIX_INTERIM_FIX, "interim_fix"},
{OVAL_AIX_NO, "no"},