Using CIS Benchmarks with openscap

Question

I am trying to get CIS Centos 6 benchmarks running with openscap. But it does not work. I am calling it like this:

oscap oval eval  /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml

which produces tons of output like

File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8464: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10389'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8470: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10391'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8476: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10391'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8482: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10393'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8488: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10393'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8494: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10395'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
File '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml' line 8500: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}object_component': No match found for key-sequence ['oval:org.cisecurity.benchmarks.o_centos_centos:obj:10395'] of keyref '{http://oval.mitre.org/XMLSchema/oval-definitions-5}objectKeyRef'.
OpenSCAP Error: Invalid OVAL Definition (5.11) content in /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml. [oscap_source.c:268]

I tried getting around this with the --skip-valid, but that does not help either:

oscap oval eval --skip-valid /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml 
OpenSCAP Error: Unknown test type oval:org.cisecurity.benchmarks.o_centos_centos:tst:10003. [oval_test.c:402]
Failed to import the OVAL Definitions from '/var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml'. [oval_session.c:238]

Has anyone experience running CIS benchmarks with openscap, and if so, how does this work?

Answer 1

I am an OpenSCAP developer. We use the official XML Schemas provided by MITRE and CIS. From the messages it looks like the OVAL file you got is not a valid OVAL 5.11 file.

You could work around it by using --skip-valid but a better solution is to report this issue to CIS and get it fixed.

Answer 2

Openscap 1.3.4 seems to not having AIX interim_fix capability which is causing to not to run the CIS unix.xml oval file.

Adding below lines and building the source code will fix the issue and ignore interim_fix tests

file : src/oval_enumerations.c

{OVAL_AIX_INTERIM_FIX, "interim_fix"},
{OVAL_AIX_NO, "no"},