OpenSCAP and SCAP Workbench on Windows

In the past week I merged Daniel Kopecek’s patches to the master branch and applied new patches to make openscap master build and run on Windows. After a bit of gnulib wrestling I do have a working OpenSCAP and SCAP Workbench executables that can be tested.

The following screenshots were taken on Windows 7 with openscap from master branch (69626aeaf9dbb16b99bb9f3cd43423a3d00df179) and scap-workbench from master branch (d4ac3e4c49abb660e02f436b262315bd2b85679f). Everything was compiled using the mingw32 toolchain on Fedora 21.

workbench_win_1 workbench_win_2 workbench_win_3

Executables for testing

Please keep in mind that this is a preliminary release that is in no way official. It just shows what is possible right now and allows me to outline future plans. You should NOT use this in production!

Download: scap-workbench-win32-prealpha.zip

After extraction, run the scap-workbench.bat script. In the final release the bat script won’t be necessary, it just sets all the paths for now.

How to build (Fedora 21)

$ sudo dnf install mingw32-gcc mingw32-binutils mingw32-libxml2 \
  mingw32-libgcrypt mingw32-pthreads mingw32-libxslt \
  mingw32-curl mingw32-pcre \
  automake autoconf libtool
$ cd openscap
$ ./autogen.sh
# EDIT: Also disable oscap-docker because it needs bz2-devel
$ mingw32-configure --disable-probes --disable-python --disable-util-oscap-docker
$ make -j 4
$ sudo make install

$ sudo dnf install mingw32-qt
$ cd scap-workbench
$ mkdir build/
$ cd build/
$ mingw32-cmake ../
$ make -j 4
$ sudo make install

What works

  • Opening XCCDF files and source datastreams
  • Changing profiles
  • Opening tailoring, saving tailoring
  • Customizing profiles
  • Saving all into a directory
  • Opening user manual

What doesn’t work

  • Local scanning
  • Remote scanning
  • Saving as RPM

Plans

The high level goal is to enable remote scanning from Windows machines, that is the most immediate plan.

I am not sure about save-as-rpm. It is a great feature but getting all the necessary tools on Windows is a lot of pain.

After that I hope to add MacOS X support.

Also see the mailing list thread about this blog post on open-scap-list.

Go to Part 2

SCAP Workbench 1.1.0rc1

Before I release the final 1.1.0 I wanted to make a release candidate with COPR repos for Fedora 20 and 21. This should be less painful than compiling everything from source so I am hoping to get more feedback and testing that way.

Feedback would be greatly appreciated. I expect to have a final release out by the end of February.

ssg_integration intro_screenshot tailoring_dialog_opened

What’s new?

1.1.0 will be a packed major release, the number of changes is second only to the 0.8.0 C++ rewrite.

  • Complete redesign of the main window, with rich-text rule descriptions
  • Better SCAP Security Guide integration
  • Tailoring window greatly improved – shows relationships between values and rules
  • Opens bzip2 files
  • Performance improvements when loading big SCAP files
  • Countless UX improvements
  • And a lot more, a total of 34 tickets fixed

How to test?

If you have x86_64 Fedora 20 or 21 you can just enable my COPR repo and install scap-workbench via yum or dnf.

# dnf install dnf-plugins-core

# dnf copr enable mpreisle/scap-workbench

# dnf install scap-workbench

Please consider also installing scap-security-guide to test the new integration dialog. We may opt to make scap-workbench depend on scap-security-guide for the final release but the decision has not been made yet.

# dnf install scap-security-guide

Otherwise you have to pull from the git repository or download the 1.1.0rc1 tarball and build workbench yourself.

Where to report issues?

The best place to report issues is the trac bug tracker. However I also accept reports via the mailing list or even comments to this blog post.