OVALDI tool against OVAL defined in SCAP 1.2

2013-10-30
2013-11-12
  • Kamlesh Mallick

    Kamlesh Mallick - 2013-10-30

    Hi Experts,

    I downloaded the OVALDI interpreter and I ran it against a sample OVAL XML file like this in Command Prompt

    ovaldi -m -a "C:\Program Files\OVAL\ovaldi-5.10.1-x64\xml" -o microsoft.windows.server.2008.r2.xml -r result.xml -x result.html -d system-characteristics.xml

    This generates RESULT XML which is great!

    But I'm working on OVAL Definitions mentioned in SCAP 1.2 sample
    (SCAP - Security Content Automation Protocol) - from the XML below
    http://scap.nist.gov/revision/1.2/source_data_stream_collection_sample.xml

    From the above XML, I take the XML found inside the 'oval_definitions' tag and create an XML file. I have attached the XML file (ovaltest.xml).

    Now I run the OVAL interpreter against this OVAL definition found in SCAP 1.2

    c:\Program Files\OVAL\ovaldi-5.10.1-x64>ovaldi -m -a "C:\Program Files\OVAL\ovaldi-5.10.1-x64\xml" -o ovaltest.xml -r result.xml -x result.html -d system-characteristics.xml


    OVAL Definition Interpreter
    Version: 5.10 Build: 1
    Build date: Sep 14 2011 16:53:20
    Copyright (c) 2002-2011 - The MITRE Corporation


    Start Time: Wed Oct 30 14:12:46 2013

    ** parsing ovaltest.xml file.
    - validating xml schema.
    Error while parsing xml file:
    Severity: Fatal Error
    Message: The XML or Text declaration must start at line/column 1/1
    File: c:\Program Files\OVAL\ovaldi-5.10.1-x64/ovaltest.xml
    Line 1
    At char 9

    Why doesn't the OVAL Interpreter interpret XML OVAL Definitions from SCAP 1.2?
    Are the namespaces not supported?

     
    Last edit: Kamlesh Mallick 2013-10-30
  • Danny Haynes

    Danny Haynes - 2013-10-30

    Hi Kamlesh,

    OVALDI does not support the processing of SCAP 1.2 documents. You have a couple of things that you can try.

    1) You can check for a commercial product that supports SCAP 1.2. The list of products in the OVAL Adoption Program and the SCAP Validated Products list should give you a good starting point.

    2) You can use the SCAP Interpreter (https://sourceforge.net/projects/scapexec/).

    3) You can apply the extract.scap.oval.xsl stylesheet (https://sourceforge.net/p/ovalutils/code/HEAD/tree/trunk/xsl/extract.scap.oval.xsl) to break the SCAP 1.2 datastream into its component documents (XCCDF, OVAL, CPE-OVAL, etc.) and run it in the XCCDF Interpreter (https://sourceforge.net/projects/xccdfexec/) or you can further break it down with a stylesheet (I will dig this up if you are interested in trying this) to convert the XCCDF document into an OVAL Variables document and run it with OVALDI.

    You probably want option 1, but options 2 and 3 will allow you to try it out and run the content. I should also add that options 2 and 3 just make use of reference implementations and are not recommended for use as enterprise scanners.

    Thanks,

    Danny

     
    • Kamlesh Mallick

      Kamlesh Mallick - 2013-10-31

      Hi Danny Haynes,

      I managed to run OVALDI against the OVAL XML defined in SCAP 1.2 XML file. See post below.

      But thank you for your insightful suggestions.
      We will definitely use your tips while working on SCAP 1.2 XML, in case we run into issues.

      Much appreciated.

      Thanks,
      Kamlesh

       
  • Michael Chisholm

    If I understand correctly, you created a definition from the contents of the SCAP document, you didn't try to process the SCAP doc itself? Anyway, it doesn't look like ovaldi got far enough to error out on the content of the XML. It died in the XML parsing. Your error sounds like the XML parser found something other than the beginning of the XML directive as the first bytes in the file. XML parsers can be picky about that. Make sure the first bytes in the file are

    <?xml
    

    Look at the bytes in a hex editor if you want to be really sure.

    Andy

     
  • Kamlesh Mallick

    Kamlesh Mallick - 2013-10-31

    Hey Michael Chisholm,

    Thanks to your suggestion, I took another look at the XML that I extracted from the SCAP 1.2 XML file.

    Then I found that the validation tools threw up an error like this.
    The prefix "xsi" for attribute "xsi:schemaLocation" associated with an element type "oval_definitions" is not bound.

    Then I realized that I needed to define 'xsi'.
    So all I needed to do was add this declaration
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" in the topmost 'oval_definitions' tag.

    I have attached the XML file.

    Then I ran OVALDI
    ovaldi -m -a "C:\Program Files\OVAL\ovaldi-5.10.1-x64\xml" -o ovalwow.xml -r result.xml -x result.html -d system-characteristics.xml

    And voila, it worked.

    So SCAP 1.2 XML files are missing a namespace definition at the top!

    Thanks for the suggestions.
    I appreciate it.

     
    Last edit: Kamlesh Mallick 2013-10-31
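
Added example, not part of the original thread: it reproduces the two parser failures discussed in the posts above (text before the `<?xml` declaration, and the unbound `xsi` prefix on `oval_definitions`) and shows a namespace-aware extraction that avoids both. The miniature data stream is constructed, the function names are hypothetical, and it assumes the `xsi` prefix was declared on an enclosing element of the data stream rather than on `oval_definitions` itself.

```python
import io
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed miniature data stream (not the NIST sample): xsi is declared
# only on the outer element, yet used on the embedded oval_definitions.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:component id="constructed_comp_1">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
        xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 x.xsd">
      <generator/>
    </oval_definitions>
  </ds:component>
</ds:data-stream-collection>
"""

def naive_slice(stream: bytes) -> bytes:
    """Copy-and-paste extraction: the element's text without ancestor context."""
    end_tag = b"</oval_definitions>"
    return stream[stream.index(b"<oval_definitions"):stream.index(end_tag) + len(end_tag)]

def parse_error(doc: bytes):
    """Return the XML parser's complaint about doc, or None if well-formed."""
    try:
        ET.fromstring(doc)
    except ET.ParseError as exc:
        return str(exc)
    return None

def extract_oval(stream: bytes) -> bytes:
    """Namespace-aware extraction that keeps every prefix that was in scope."""
    scope = []  # stack of (prefix, uri) declarations currently open
    events = ("start-ns", "end-ns", "end")
    for event, item in ET.iterparse(io.BytesIO(stream), events=events):
        if event == "start-ns":
            scope.append(item)
        elif event == "end-ns":
            scope.pop()
        elif item.tag == "{%s}oval_definitions" % OVAL_NS:
            for prefix, uri in scope:  # note: updates ElementTree's global registry
                ET.register_namespace(prefix, uri)
            item.tail = None  # drop whitespace that followed the element
            # The declaration is written first, so "<?xml" lands at byte 0.
            return ET.tostring(item, encoding="utf-8", xml_declaration=True)
    raise ValueError("no oval_definitions element found")
```

Only namespaces used in element and attribute names are re-declared on the new root; prefixes that appear solely inside attribute values or text are not carried over by this approach.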
  • Kamlesh Mallick

    Kamlesh Mallick - 2013-11-06

    Hi Danny Haynes,

    This is regarding parsing a SCAP 1.2 datastream with OVALDI.

    I took your advice and applied the extract.scap.oval.xsl stylesheet to break the SCAP 1.2 datastream into its component documents (XCCDF, OVAL, CPE-OVAL, etc.)

    I used the SAXON .jar to achieve this, as we need an XSL processor supporting the XSL 2.0 specification. I used a sample SCAP 1.2 XML file (source_data_stream_collection_sample.xml)

    java -jar saxon9.jar -xsl:extract.scap.oval.xsl -s:source_data_stream_collection_sample.xml

    This generated multiple XML files - CPE, OVAL and XCCDF
    scap_gov.nist_comp_ALPHA-ie8-cpe-dictionary.xml
    scap_gov.nist_comp_ALPHA-ie8-cpe-oval.xml
    scap_gov.nist_comp_ALPHA-ie8-oval.xml
    scap_gov.nist_comp_ALPHA-ie8-patches.xml
    scap_gov.nist_comp_ALPHA-ie8-xccdf.xml
    xccdf_gov.nist_profile_united_states_government_configuration_baseline_version_1.1.0.0_ext_vars.xml

    Now we are only interested in parsing OVAL XML checks and not interested in XCCDF checks.
    So we ran the 3 OVAL files
    scap_gov.nist_comp_ALPHA-ie8-cpe-oval.xml
    scap_gov.nist_comp_ALPHA-ie8-oval.xml
    scap_gov.nist_comp_ALPHA-ie8-patches.xml

    against OVALDI and it worked. I could generate REPORTS.

    So in a way, due to your magical XSL, OVALDI supports SCAP 1.2.
    Right? Do you want me to keep in mind anything I missed?

    Also, I used the SAXON JAR file to process your XSLT.
    Do you know if there are any C++ based libraries which support the XSLT 2.0 spec? I tried the 'xsltproc' utility but it only supports the XSLT 1.0 spec.

    Thank you again for your help. It's been immense.
    Kamlesh

     
    Last edit: Kamlesh Mallick 2013-11-06
  • Danny Haynes

    Danny Haynes - 2013-11-06

    That is great to hear, Kamlesh. One of the drivers for creating that XSL was to allow people to leverage SCAP 1.2 datastreams even if their tools only supported SCAP 1.0, SCAP 1.1, or even just OVAL. I don't think you missed anything if you were able to split out the content and run it in OVALDI :).

    Yes, for a C++ XSLT processor, you may want to check out Xalan-C/C++ (https://xalan.apache.org/xalan-c/). This is actually what we use in OVALDI to process XSLTs. Right now, we only use Xerces 2.7/2.8 and Xalan 1.10 in OVALDI, but, we will be upgrading to Xalan 1.11 very shortly and the code in /branches/ovaldi_xerces3 (https://sourceforge.net/p/ovaldi/code/HEAD/tree/branches/ovaldi_xerces3/) builds against Xerces 3.1.1 and Xalan 1.11.

     
  • Danny Haynes

    Danny Haynes - 2013-11-06

    Hi Kamlesh,

    It looks like I made a mistake. Thanks to Andy for letting me know :). It turns out Xalan C++ only supports XSLT 1.0 right now, but, it sounds like they will support it for the next major release (https://xalan.apache.org/xalan-c/#xsltStandards).

    However, you might try the following libraries which say they support XSLT 2.0 although I haven't tried either of them.

    http://manual.altova.com/AltovaXML/altovaxmlcommunity/

    http://xqilla.sourceforge.net/XSLT2 (appears to have partial XSLT 2.0 support)

    Sorry for any confusion. Hope this helps.

    Thanks,

    Danny

     
  • Kamlesh Mallick

    Kamlesh Mallick - 2013-11-08

    Hi Danny Haynes,

    Thanks for the suggestions.
    I'm trying Altova's RAPTOR XML and XQilla.

    Apparently both tools are confused by the legendary SCAP 1.2 XML :)
    So I have popped the question in their forums.

    SAXON should work for the time being.
    Thanks again for the help.

    p.s
    I have been given the super exciting task of compiling OVALDI on MacOSX, Linux32, Linux64. Wish me luck :)

     
  • Danny Haynes

    Danny Haynes - 2013-11-12

    Good luck! Please see our build instructions in the /docs directory which should help build OVALDI on those platforms. I would also add that we do not currently support OVALDI on 64-bit Linux, although I believe Andy was able to do it successfully. Unfortunately, I don't remember if there is anything special that he had to do, so I will let him jump in if there is anything to add here :).

     
