OpenSCAP and SCAP Workbench on Windows

In the past week I merged Daniel Kopecek’s patches to the master branch and applied new patches to make openscap master build and run on Windows. After a bit of gnulib wrestling I do have working OpenSCAP and SCAP Workbench executables that can be tested.

The following screenshots were taken on Windows 7 with openscap from master branch (69626aeaf9dbb16b99bb9f3cd43423a3d00df179) and scap-workbench from master branch (d4ac3e4c49abb660e02f436b262315bd2b85679f). Everything was compiled using the mingw32 toolchain on Fedora 21.

[Screenshots: workbench_win_1, workbench_win_2, workbench_win_3]

Executables for testing

Please keep in mind that this is a preliminary release that is in no way official. It just shows what is possible right now and allows me to outline future plans. You should NOT use this in production!

Download: scap-workbench-win32-prealpha.zip

After extraction, run the scap-workbench.bat script. In the final release the bat script won’t be necessary; it just sets all the paths for now.

How to build (Fedora 21)

$ sudo dnf install mingw32-gcc mingw32-binutils mingw32-libxml2 \
  mingw32-libgcrypt mingw32-pthreads mingw32-libxslt \
  mingw32-curl mingw32-pcre \
  automake autoconf libtool
$ cd openscap
$ ./autogen.sh
# EDIT: Also disable oscap-docker because it needs bz2-devel
$ mingw32-configure --disable-probes --disable-python --disable-util-oscap-docker
$ make -j 4
$ sudo make install

$ sudo dnf install mingw32-qt
$ cd scap-workbench
$ mkdir build/
$ cd build/
$ mingw32-cmake ../
$ make -j 4
$ sudo make install

What works

  • Opening XCCDF files and source datastreams
  • Changing profiles
  • Opening tailoring, saving tailoring
  • Customizing profiles
  • Saving all into a directory
  • Opening user manual

What doesn’t work

  • Local scanning
  • Remote scanning
  • Saving as RPM

Plans

The high-level goal is to enable remote scanning from Windows machines; that is the most immediate plan.

I am not sure about save-as-rpm. It is a great feature but getting all the necessary tools on Windows is a lot of pain.

After that I hope to add MacOS X support.

Also see the mailing list thread about this blog post on open-scap-list.

Go to Part 2

7 thoughts on “OpenSCAP and SCAP Workbench on Windows”

  1. Hi Martin,

    My apologies if this is answered somewhere else. (Google was NOT my friend.) I’ve been trying to use scap-workbench under Windows 7. When I hit “scan”, I get a popup with the following text:

    13:37:02
    info
    scap-workbench 1.1.0rc1, compiled with Qt 4.8.6, using openscap 1.3.0

    13:37:08
    info
    Opened file ‘C:/scap-workbench/ssg/Windows7/ssg-Windows7-ds.xml’.

    13:37:38
    info
    Querying capabilities…

    13:37:38
    error
    Exception was thrown while evaluating! Details follow: There was a problem with SyncProcess! Starting process ‘oscap –v’ failed. The process is not in a running state.

    Thanks for any help you may provide,

    Dave

    1. Hi, thanks for your comment.

      This is expected behavior; openscap does not support scanning Windows machines yet. At this point workbench can only be used as a tailoring tool on Windows. Local scanning on Windows may be implemented in the future but right now we don’t have plans to do it.

      In future releases I will make this more clear by graying out the local scan option. See https://github.com/OpenSCAP/scap-workbench/commit/68412550a441ed04e0d9e5be2eac7458001b43b5

  2. Hey Martin,

    Can you say more about “After a bit of gnulib wrestling”?
    I am trying to install oscap on Windows but I have some errors when I try to build, autogen.sh more precisely …
    I am using Cygwin and I’ve received the following error:
    error: expected source file, required through AC_LIBSOURCES, not found

    Can you help me to perform this installation on Windows?

    Thanks for any help you may provide,
    Hussein

    1. I used the mingw32 toolchain in Fedora so I actually ran ./autogen.sh using the Fedora toolchain, not cygwin or mingw32. Then I used mingw32-configure.

      Is that an option for you? Perhaps you can install a Linux VM, run autogen.sh and then use cygwin for the configure.

      If you find a solution to the issue we are definitely interested in merging it but I won’t have time in the near future to look into fixing it myself.

  3. Hey Martin,
    In fact, I’ve already installed OpenSCAP on a Kali (Debian) system, and it works very well. The problem is that I need to have openscap installed in a Windows environment, and I’ve seen that you succeeded in installing it with Windows and it works with SCAP Workbench. My Workbench on Windows is OK, but I need the oscap binary to use SCAP on Windows and it doesn’t work without oscap.
    It’s quite weird because I can see a lot of OVAL tests for Windows on the Internet but I don’t see anywhere a way to install it on Windows.
    Thanks in advance for your help.
    Hussein

  4. I have Ubuntu server and I would like to scan Ubuntu and OpenStack server over it using OpenSCAP…

    Please guide me how this can be achieved….
