Checklist and ARF results not accepted by DISA STIG Viewer, STIG Manager, OpenRMF or Heimdall2

[gmisura]

I'm wondering if I'm doing something wrong, but with "confirmation" that 3 of these tools don't like the results produced by oscap I feel pretty confident it's not me (?)

I'm generating --stig-viewer and -results-arf for both RHEL9 and AL2023:

AL2023:

wget -q https://github.com/ComplianceAsCode/content/releases/download/v0.1.76/scap-security-guide-0.1.76.zip
unzip -q scap-security-guide-0.1.76.zip
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis --stig-viewer aws-al2023_ssg-results.ckl --results-arf aws-al2023_ssg-results.xml --report aws-al2023_ssg-report.html scap-security-guide-0.1.76/ssg-al2023-ds.xml

RHEL9:

wget -q https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R4_STIG_SCAP_1-3_Benchmark.zip
unzip -q U_RHEL_9_V2R4_STIG_SCAP_1-3_Benchmark.zip
oscap xccdf eval --stig-viewer ib-ubi9_disa-stig.ckl --results-arf ib-ubi9_disa-stig-results.xml --report ib-ubi9_disa-stig-report.html U_RHEL_9_V2R4_STIG_SCAP_1-3_Benchmark.xml

wget -q https://github.com/ComplianceAsCode/content/releases/download/v0.1.76/scap-security-guide-0.1.76.zip
unzip -q scap-security-guide-0.1.76.zip
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --stig-viewer ib-ubi9_ssg-result.ckl --results-arf ib-ubi9_ssg-results.xml --report ib-ubi9_ssg-report.html scap-security-guide-0.1.76/ssg-rhel9-ds.xml

STIG manager says:
For file results.ckl: No CHECKLIST element
For file results.xml: No Benchmark or TestResult element

OpenRMF says:
results.ckl (i'll add these when I can)
results.xml (i'll add these when I can)

Heimdall2 says:
results.ckl - Control count: 0
results.xml - Control count: 0

oscap --version
OpenSCAP command line tool (oscap) 1.3.11

[evgenyz]

Hey! Can you please try with 1.3.12 (should be available any moment now on EUSes).

[gmisura]

I'm installing via

dnf install -y openscap-scanner

I do see that 1.3.12 is available now

[root@ip-172-31-40-160 openscap-1.4.2]# oscap --version
OpenSCAP command line tool (oscap) 1.3.12

Just reran and still not able to import the files into Heimdall2 (openRMF and STIG-Manager are not running at the moment so I can't confirm, but I feel like they will also fail).

How can I try 1.4.2? Downloaded https://github.com/OpenSCAP/openscap/releases/download/1.4.2/openscap-1.4.2.tar.gz but I guess I need to make it?

[Amndeep7]

@gmisura you might also want to try using DISA's StigViewer application (available on public.cyber.mil) and/or any XML viewer application/text editor.

[gmisura]

@gmisura you might also want to try using DISA's StigViewer application (available on public.cyber.mil) and/or any XML viewer application/text editor.

yeah, except I'm on a mac. I'm confirming with my security team they are ok with me moving files from my work Mac to my personal PC so I can use the STIG viewer. Ug!

[Amndeep7]

If you are using the XML-based CKL files, then you can use the 2.x line of StigViewer to view your checklist file. You will need to install the JAR version and then download a Java runtime as well as some Java modules, but it possible to run StigViewer 2.x off of your mac.

[gmisura]

I installed v2 of the STIG viewer.
The .ckl says "Failed to load checklist. There was an error"

[gmisura]

I installed v3.1 of the DISA STIG viewer onto a Windows VM and when I tried to load the .ckl into it, I got the same error.