Ubuntu 16.04: OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml'

[jesuslinares]

Description of problem:

I'm using the lastest ssg policy and the latest oscap package. I'm not able to run a scan.

oscap info ssg-ubuntu1604-ds.xml

Document type: Source Data Stream
Imported: 2017-10-16T19:24:34

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ubuntu1604-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1604-xccdf-1.2.xml
Status: draft
Generated: 2017-08-29
Resolved: true
Profiles:
xccdf_org.ssgproject.content_profile_common
xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
Referenced check files:
ssg-ubuntu1604-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
ssg-ubuntu1604-ocil.xml
system: http://scap.nist.gov/schema/ocil/2
Checks:
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1604-oval.xml
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1604-ocil.xml
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1604-cpe-oval.xml
Dictionaries:
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu1604-cpe-dictionary.xml
OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:221]
Failed to add default CPE to newly created CPE Session. [../../../src/CPE/cpe_session.c:57]

oscap xccdf eval --verbose INFO --verbose-log-file log.txt ssg-ubuntu1604-ds.xml
cat log.txt | grep -P ^E

E: oscap: (../../../src/source/oscap_source.c:221:oscap_source_get_xmlDoc()) Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml'
E: oscap: (../../../src/CPE/cpe_session.c:57:cpe_session_new()) Failed to add default CPE to newly created CPE Session.
E: oscap: (../../../src/XCCDF_POLICY/check_engine_plugin.c:66:check_engine_plugin_load()) Failed to load extra check engine from 'libopenscap_sce.so.8'. Details: 'libopenscap_sce.so.8: cannot open shared object file: No such file or directory'.

SCAP Security Guide Version:

scap-security-guide-0.1.35
ssg-ubuntu1604-ds.xml

Operating System Version:

cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Openscap version

oscap version

OpenSCAP command line tool (oscap) 1.2.8
Copyright 2009--2016 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/lib/x86_64-linux-gnu/openscap

==== Inbuilt CPE names ====

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info probe_system_info
family probe_family
filehash probe_filehash
environmentvariable probe_environmentvariable
textfilecontent54 probe_textfilecontent54
textfilecontent probe_textfilecontent
variable probe_variable
xmlfilecontent probe_xmlfilecontent
environmentvariable58 probe_environmentvariable58
filehash58 probe_filehash58
dpkginfo probe_dpkginfo
inetlisteningservers probe_inetlisteningservers
partition probe_partition
iflisteners probe_iflisteners
selinuxboolean probe_selinuxboolean
selinuxsecuritycontext probe_selinuxsecuritycontext
file probe_file
interface probe_interface
password probe_password
process probe_process
runlevel probe_runlevel
shadow probe_shadow
uname probe_uname
xinetd probe_xinetd
sysctl probe_sysctl
process58 probe_process58
fileextendedattribute probe_fileextendedattribute
routingtable probe_routingtable
symlink probe_symlink

dpkg -l | grep -i openscap

ii libopenscap8 1.2.8-1 amd64 Set of libraries enabling integration of the SCAP line of standards

[pthierry38]

Hello,

The miss of the default CPE dict is a bug of the openscap package from Debian (you can post a bug report on Debian directy) as no default CPE dict exists in the cpe/ dir. Nevertheless, here is how to correct it:

1. configure openscap to specify its cpe dir to point to scap-security-guide dir, this will permit openscap to use the scap-security-guide cpe files for the xccdf evaluation
2. OR copy the scap-security-guide ssg-ubuntu1604-cpe*.xml in the default openscap cpe dir (/usr/share/openscap/cpe)

This will resolve the xccdf execution, but the info will still generate an error on the default cpe dict. As you ar targetting an ubuntu, you can use the ssg-ubuntu1604-cpe-dict.xml as default dict (using a link or copying the file to the corresponding file name), because oscap will search for openscap-cpe-dict.xml

[redhatrises]

Closing as this is a downstream issue.