[SRU] OpenSCAP packages should be updated to the latest versions on Ubuntu 14.04 and 16.04 LTS

Bug #1658529 reported by Norbert
This bug affects 2 people
Affects: openscap (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

I asked a question about SCAP definitions for Ubuntu in 2014 with no result (see https://answers.launchpad.net/ubuntu/+source/openscap/+question/242354). Today I compiled OpenSCAP components from sources.

What we have today:
* OVAL definitions are placed on ubuntu-security (https://people.canonical.com/~ubuntu-security/oval/).

Expected results:
* User is able to scan system with oscap (from libopenscap1, libopenscap8 packages) against OVAL files.

Actual results:
* Ubuntu 14.04, 16.04 have very old OpenSCAP versions, which do not support OVAL files from ubuntu-security.
* User should compile openscap from the git repository and install it manually (see my comment 27 on https://answers.launchpad.net/ubuntu/+source/openscap/+question/242354).

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libopenscap1 (not installed)
ProcVersionSignature: Ubuntu 3.13.0-107.154~precise1-generic 3.13.11-ckt39
Uname: Linux 3.13.0-107-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.15
Architecture: amd64
Date: Mon Jan 23 00:36:03 2017
InstallationMedia: Ubuntu 12.04.4 LTS "Precise Pangolin" - Release amd64 (20140204)
MarkForUpload: True
SourcePackage: openscap
UpgradeStatus: No upgrade log present (probably fresh install)

Norbert (nrbrtx) wrote :
tags: added: trusty
removed: amd64 running-unity
summary: - [needs-packaging][SRU] OpenSCAP packages should be updated to the latest
- version to support OVAL files
+ [SRU] OpenSCAP packages should be updated to the latest versions on
+ Ubuntu 12.04 and 14.04 LTS
description: updated
Norbert (nrbrtx) wrote : Re: [SRU] OpenSCAP packages should be updated to the latest versions on Ubuntu 12.04 and 14.04 LTS

Steps to reproduce on Ubuntu 12.04.5 LTS:
1. sudo apt-get install libopenscap1 # this will install 0.8.0-4build1
2. cd /tmp
3. wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.precise.cve.oval.xml
4. oscap oval eval --results /tmp/results-precise.xml --report /tmp/report-precise.html /tmp/com.ubuntu.precise.cve.oval.xml

Expected result:
Files /tmp/results-precise.xml and /tmp/report-precise.html are produced.

Actual result:
Files /tmp/results-precise.xml and /tmp/report-precise.html are not produced.
Got many errors such as
1 1824 In file '/tmp/com.ubuntu.precise.cve.oval.xml' on line 12: Element '{http://oval.mitre.org/XMLSchema/oval-common-5}schema_version': '5.11.1' is not a valid value of the atomic type 'xs:decimal'.
...
1 1871 In file '/tmp/com.ubuntu.precise.cve.oval.xml' on line 44: Element '{http://oval.mitre.org/XMLSchema/oval-common-5}notes': This element is not expected. Expected is one of ( {http://oval.mitre.org/XMLSchema/oval-definitions-5}notes, {http://oval.mitre.org/XMLSchema/oval-definitions-5}criteria ).
...
1 1866 In file '/tmp/com.ubuntu.precise.cve.oval.xml' on line 284: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5}extend_definition', attribute 'applicability_check': The attribute 'applicability_check' is not allowed.
...

So oscap 0.8.0-4build1 is not compatible with com.ubuntu.precise.cve.oval.xml file.

Solution - build openscap from sources (see my comment 27 on https://answers.launchpad.net/ubuntu/+source/openscap/+question/242354).
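
The first error in the comment above comes from the file declaring schema_version 5.11.1, which the installed oscap does not accept. A pre-flight check for that mismatch, as an added example that is not part of the original report: the function names are hypothetical, the sample file is constructed, and the supported OVAL version is assumed to be supplied by the operator.

```shell
# Added example: compare an OVAL file's schema_version with a supported version.
# Print the text of the first <schema_version> element, with or without prefix.
oval_schema_version() {
    sed -n 's/.*<\([A-Za-z0-9_-]*:\)\{0,1\}schema_version[^>]*>\([0-9][0-9.]*\)<.*/\2/p' \
        "$1" 2>/dev/null | head -n 1
}

# Return 0 when dotted version $1 <= $2. Components are compared as integers,
# so 5.11.1 is newer than 5.8 (a decimal comparison would get this wrong).
version_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_oval FILE SUPPORTED: 0 = usable, 1 = file too new, 2 = no version found.
# SUPPORTED is supplied by the operator (assumption of this example).
check_oval() {
    found=$(oval_schema_version "$1")
    if [ -z "$found" ]; then echo "UNKNOWN: no schema_version in $1"; return 2; fi
    if version_le "$found" "$2"; then
        echo "OK: OVAL $found <= supported $2"
    else
        echo "TOO_NEW: OVAL $found > supported $2"; return 1
    fi
}

# Constructed sample: only the header of an OVAL definitions file.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator><oval:schema_version>5.11.1</oval:schema_version></generator>
</oval_definitions>
EOF
    echo "$f"
}

sample=$(make_sample)
check_oval "$sample" 5.10 || true   # 5.10 is a constructed "supported" value
rm -f "$sample"
```

Running the check before `oscap oval eval` turns a long list of schema validation errors into a single verdict that a scheduled scan can act on.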

Norbert (nrbrtx) wrote :

Steps to reproduce on Ubuntu 12.04.5 LTS:
1. sudo apt-get install libopenscap8 # this will install 1.0.2-1
2. cd /tmp
3. wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.trusty.cve.oval.xml
4. oscap oval eval --results /tmp/results-trusty.xml --report /tmp/report-trusty.html /tmp/com.ubuntu.trusty.cve.oval.xml

Expected result:
Files /tmp/results-trusty.xml and /tmp/report-trusty.html are produced.

Actual result:
Files /tmp/results-trusty.xml and /tmp/report-trusty.html are not produced.
Got error:
OpenSCAP Error: Schema file not found when trying to validate '/tmp/com.ubuntu.trusty.cve.oval.xml' [../../../src/common/oscapxml.c:325]

So oscap 1.0.2-1 is not compatible with com.ubuntu.trusty.cve.oval.xml file.

Solution - build openscap from sources (see my comment 27 on https://answers.launchpad.net/ubuntu/+source/openscap/+question/242354).

But please update OpenSCAP in Ubuntu 14.04 repositories. All Ubuntu-system admins will be happy.

Norbert (nrbrtx) wrote :

In comment 3 I meant, of course, "Steps to reproduce on Ubuntu 14.04.5 LTS:", I'm sorry.

Norbert (nrbrtx)
summary: [SRU] OpenSCAP packages should be updated to the latest versions on
- Ubuntu 12.04 and 14.04 LTS
+ Ubuntu 14.04 and 16.04 LTS
tags: added: xenial
Norbert (nrbrtx) wrote :

As of today, Xenial has an outdated version of openscap (see my comment 7 on bug 1658759).

Norbert (nrbrtx)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openscap (Ubuntu):
status: New → Confirmed
Norbert (nrbrtx)
tags: removed: precise trusty
Eduardo Barretto (ebarretto) wrote :

I'm changing this to Won't Fix since both 14.04 and 16.04 are under ESM at this point.
If you have any other issues, please let us know.

Changed in openscap (Ubuntu):
status: Confirmed → Won't Fix