Skip to content
This repository has been archived by the owner on Sep 27, 2024. It is now read-only.

SCAP Workbench does not support nameless multi-check rules #242

Open
jan-cerny opened this issue Jan 6, 2020 · 0 comments
Open

SCAP Workbench does not support nameless multi-check rules #242

jan-cerny opened this issue Jan 6, 2020 · 0 comments

Comments

@jan-cerny
Copy link
Member

Problem: When a rule with multi-check is evaluated, only the last result of checks is disaplyed and all other check results are ignored. Also, the rule is displayed only once in SCAP Workbench window. Moreover, there is no information displayed to the user that the rule consists of multiple checks. This is against XCCDF 1.2 specification Section 7.2.3.5.2, which states:

if an xccdf:check element leads to the execution of
multiple checks (i.e., an xccdf:check-content-ref that lacks a @name attribute is used) and
the @multi-check attribute is set to true, each check executed MUST be reported separately.

In practice, this problem happens when evaluating rule "Security patches are up-to-date" in SCAP 1.3 content. The rule results displayed in SCAP Workbench are wrong, because it displays results for the last vulnerability in the CVE list and it doesn't even show which one.

We have discovered this problem in Workbench when we were working on improving the standard output of OpenSCAP and HTML report for these types of rules - see https://bugzilla.redhat.com/show_bug.cgi?id=1771438 and OpenSCAP/openscap#1426

I think the implementation of this feature in Workbench will not trivial.

Currently, SCAP Workbench first obtains a list of XCCDF rules and displays them in the main window (libopenscap API is used to get the list). During the evaluation it updates the result column based on parsing of oscap stdout. oscap is running in --progress mode.

My proposal is:

  • create a new API function in OpenSCAP library which will fetch rules including the used checks
  • change --progress output of openscap to show also check ID (OVAL ID) to distinguish between results of the same rule ID. Optionally create a new output format of oscap if change of --progress output format would break something.
  • change SCAP Workbench to use the previous 2 points.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant