Error when using --fetch-remote-resources #1509

Closed
bkogami opened this issue Oct 13, 2016 · 4 comments · Fixed by #1515

bkogami commented Oct 13, 2016

Hi,

When I run the standard compliance check using this command.
oscap xccdf eval --profile ospp-rhel7-server --report /root/oscap_usgcb_report.html /root/scap-security-guide/RHEL/7/output/ssg-rhel7-xccdf.xml
This works without any issue.

But, when I run the remediate option with --fetch-remote-resources, I get an error.
oscap xccdf eval --remediate --fetch-remote-resources --profile ospp-rhel7-server --report /root/oscap_usgcb_report_remediate2.html /root/scap-security-guide/RHEL/7/output/ssg-rhel7-xccdf.xml
Downloading: http://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
/tmp/oscap.RNVUP7/downloaded.d3YNjP:1: parser error : Start tag expected, '<' not found
BZh91AY&SYپ}T�?�_�x]�����������
^
/tmp/oscap.RNVUP7/downloaded.d3YNjP:1: parser error : Start tag expected, '<' not found
BZh91AY&SYپ}T�?�_�x]�����������
^
/tmp/oscap.RNVUP7/downloaded.d3YNjP:1: parser error : Start tag expected, '<' not found
BZh91AY&SYپ}T�?�_�x]�����������
^
OpenSCAP Error: Start tag expected, '<' not found [/tmp/oscap.RNVUP7/downloaded.d3YNjP:1] [oscap_source.c:186]
Unable to parse XML at: '/tmp/oscap.RNVUP7/downloaded.d3YNjP' [oscap_source.c:187]
Start tag expected, '<' not found [/tmp/oscap.RNVUP7/downloaded.d3YNjP:1] [oscap_source.c:186]
Unable to parse XML at: '/tmp/oscap.RNVUP7/downloaded.d3YNjP' [oscap_source.c:187]
Could not determine version for file: /tmp/oscap.RNVUP7/downloaded.d3YNjP [validate.c:226]
Start tag expected, '<' not found [/tmp/oscap.RNVUP7/downloaded.d3YNjP:1] [oscap_source.c:186]
Unable to parse XML at: '/tmp/oscap.RNVUP7/downloaded.d3YNjP' [oscap_source.c:187]
Unrecognized document type for: [oscap_source.c:202]
Invalid XCCDF Checklist (1.1) content in http://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 [xccdf_session.c:738]

Has anyone seen this before?

Bruce

@mpreisler
Member

Looks like you are using new SCAP Security Guide with old openscap. The old openscap versions don't support bzip2 files. Could you please paste oscap -V?

@ybznek
Contributor

ybznek commented Oct 13, 2016

According to the code, if openscap was compiled WITHOUT bz2 support, it will not try to check whether the content is bz2.

#ifdef HAVE_BZ2
                if (bz2_fd_is_bzip(fd)) {
                    source->xml.doc = bz2_fd_read_doc(fd);
                } else
#endif
                {

I think we should print an error message in such cases.

@bkogami You probably have an old openscap OR you need to have openscap compiled with bzip2 support.
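The check suggested in the comment above, as an added example (not OpenSCAP's code and not posted by anyone in this thread): sniff the bzip2 header before parsing and report compressed input explicitly when decompression is unavailable. The names `is_bzip2_header`, `classify_source`, `classify_bytes` and the `have_bz2` parameter (standing in for the `HAVE_BZ2` build macro) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical result codes for this example (not OpenSCAP's own). */
enum src_kind { SRC_IO_ERROR = -2, SRC_BZ2_UNSUPPORTED = -1, SRC_PLAIN = 0, SRC_BZ2 = 1 };

/* bzip2 stream: "BZh", a level digit '1'..'9', then either the block magic
 * 0x314159265359 ("1AY&SY") or, for an empty stream, 0x177245385090. */
int is_bzip2_header(const unsigned char *b, size_t len)
{
	if (len < 10 || memcmp(b, "BZh", 3) != 0 || b[3] < '1' || b[3] > '9')
		return 0;
	return memcmp(b + 4, "1AY&SY", 6) == 0 ||
	       memcmp(b + 4, "\x17\x72\x45\x38\x50\x90", 6) == 0;
}

/* Sniff the header with pread() so the file offset stays at 0 for the parser,
 * and name the real problem when decompression is compiled out. */
enum src_kind classify_source(int fd, const char *origin, int have_bz2)
{
	unsigned char hdr[10];
	ssize_t n = pread(fd, hdr, sizeof(hdr), 0);
	if (n < 0)
		return SRC_IO_ERROR;
	if (!is_bzip2_header(hdr, (size_t)n))
		return SRC_PLAIN;            /* hand over to the XML parser */
	if (have_bz2)
		return SRC_BZ2;              /* decompress, then parse */
	fprintf(stderr, "%s: bzip2-compressed content, but this build lacks "
		"bzip2 support\n", origin);
	return SRC_BZ2_UNSUPPORTED;
}

/* Demo helper: classify a constructed byte string through a temp file. */
enum src_kind classify_bytes(const char *data, size_t len, int have_bz2)
{
	FILE *f = tmpfile();
	if (f == NULL)
		return SRC_IO_ERROR;
	fwrite(data, 1, len, f);
	fflush(f);
	enum src_kind k = classify_source(fileno(f), "constructed-sample", have_bz2);
	fclose(f);
	return k;
}

int main(void)
{	/* Constructed sample: same leading bytes as in the parser error above. */
	return classify_bytes("BZh91AY&SY\x01\x02", 12, 0) == SRC_BZ2_UNSUPPORTED ? 0 : 1;
}
```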

@bkogami
Author

bkogami commented Oct 17, 2016

Thanks for your help guys!

Here's a little bit of info. RHEL 7.2 comes with oscap 1.2.5, which appears not to have bzip2 support.
I updated to oscap 1.2.9 and it appears to work.
Only problem is, there's no error but there was no remediation. I scored the same before and after using the remediation option.

Bruce

oscap -V

OpenSCAP command line tool (oscap) 1.2.5
Copyright 2009--2015 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Scientific Linux 5 - cpe:/o:scientificlinux:scientificlinux:5
Scientific Linux 6 - cpe:/o:scientificlinux:scientificlinux:6
Scientific Linux 7 - cpe:/o:scientificlinux:scientificlinux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Fedora 22 - cpe:/o:fedoraproject:fedora:22
Fedora 23 - cpe:/o:fedoraproject:fedora:23
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info probe_system_info
family probe_family
filehash probe_filehash
environmentvariable probe_environmentvariable
textfilecontent54 probe_textfilecontent54
textfilecontent probe_textfilecontent
variable probe_variable
xmlfilecontent probe_xmlfilecontent
environmentvariable58 probe_environmentvariable58
filehash58 probe_filehash58
inetlisteningservers probe_inetlisteningservers
rpminfo probe_rpminfo
partition probe_partition
iflisteners probe_iflisteners
rpmverify probe_rpmverify
rpmverifyfile probe_rpmverifyfile
rpmverifypackage probe_rpmverifypackage
selinuxboolean probe_selinuxboolean
selinuxsecuritycontext probe_selinuxsecuritycontext
systemdunitproperty probe_systemdunitproperty
systemdunitdependency probe_systemdunitdependency
file probe_file
interface probe_interface
password probe_password
process probe_process
runlevel probe_runlevel
shadow probe_shadow
uname probe_uname
xinetd probe_xinetd
sysctl probe_sysctl
process58 probe_process58
fileextendedattribute probe_fileextendedattribute
routingtable probe_routingtable
symlink probe_symlink

New version - Works with remediation

oscap -V

OpenSCAP command line tool (oscap) 1.2.9
Copyright 2009--2016 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Scientific Linux 5 - cpe:/o:scientificlinux:scientificlinux:5
Scientific Linux 6 - cpe:/o:scientificlinux:scientificlinux:6
Scientific Linux 7 - cpe:/o:scientificlinux:scientificlinux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Fedora 22 - cpe:/o:fedoraproject:fedora:22
Fedora 23 - cpe:/o:fedoraproject:fedora:23
Fedora 24 - cpe:/o:fedoraproject:fedora:24
Fedora 25 - cpe:/o:fedoraproject:fedora:25
SUSE Linux Enterprise all versions - cpe:/o:suse:sle
SUSE Linux Enterprise Server 10 - cpe:/o:suse:sles:10
SUSE Linux Enterprise Desktop 10 - cpe:/o:suse:sled:10
SUSE Linux Enterprise Server 11 - cpe:/o:suse:sles:11
SUSE Linux Enterprise Desktop 11 - cpe:/o:suse:sled:11
SUSE Linux Enterprise Server 12 - cpe:/o:suse:sles:12
SUSE Linux Enterprise Desktop 12 - cpe:/o:suse:sled:12
openSUSE 11.4 - cpe:/o:opensuse:opensuse:11.4
openSUSE 13.1 - cpe:/o:opensuse:opensuse:13.1
openSUSE 13.2 - cpe:/o:opensuse:opensuse:13.2
openSUSE All Versions - cpe:/o:opensuse:opensuse
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info probe_system_info
family probe_family
filehash probe_filehash
environmentvariable probe_environmentvariable
textfilecontent54 probe_textfilecontent54
textfilecontent probe_textfilecontent
variable probe_variable
xmlfilecontent probe_xmlfilecontent
environmentvariable58 probe_environmentvariable58
filehash58 probe_filehash58
inetlisteningservers probe_inetlisteningservers
rpminfo probe_rpminfo
partition probe_partition
iflisteners probe_iflisteners
rpmverify probe_rpmverify
rpmverifyfile probe_rpmverifyfile
rpmverifypackage probe_rpmverifypackage
selinuxboolean probe_selinuxboolean
selinuxsecuritycontext probe_selinuxsecuritycontext
systemdunitproperty probe_systemdunitproperty
systemdunitdependency probe_systemdunitdependency
file probe_file
interface probe_interface
password probe_password
process probe_process
runlevel probe_runlevel
shadow probe_shadow
uname probe_uname
xinetd probe_xinetd
sysctl probe_sysctl
process58 probe_process58
fileextendedattribute probe_fileextendedattribute
routingtable probe_routingtable
symlink probe_symlink

@mpreisler
Member

The remediation issue should be fixed by PR #1515. Please check it out.
