You guys.
As of yesterday, SSG is now shipping natively in RHEL 6.6! A sampling of included profiles:
- RHEL6 STIG (DoD baseline)
- CS2 (Ft Meade baseline)
- C2S (CIA commercial cloud baseline)
- Red Hat CCP (for RHEL cloud images, e.g. Amazon AMIs)
- CSCF (MLS baseline used at NRO)
The inclusion of SSG is also being picked up by the press, including international sites/magazines:
- http://www.zdnet.com/red-hat-enterprise-linux-6-6-arrives-7000034675/
- http://news.softpedia.com/news/Red-Hat-Enterprise-Linux-6-6-Arrives-with-UEF...
- http://www.admin-magazin.de/News/Red-Hat-Enterprise-Linux-6.6-verfuegbar
- http://soft.mail.ru/pressrl_page.php?id=56721
This inclusion reflects almost 3 years of work by the community, and brings RHEL to a point where tooling+content is natively included for STIG compliance. This is exceptionally badass. It's been an amazing ride to get us here -- thank you for everyone who has participated!!
For those in the Northern VA/DC/Maryland area, an SSG happy hour is in order. First round on me. Say next Thursday (23-OCT), DuClaws at Arundel Mills?
-------- Original Message --------
Subject: [Bug 1066390] Include scap-security-guide in Red Hat Enterprise Linux 6
Date: Tue, 14 Oct 2014 06:42:15 +0000
From: bugzilla@redhat.com
To: swells@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1066390
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        |Removed   |Added
----------------------------------------------------------------------------
Status      |VERIFIED  |CLOSED
Resolution  |---       |ERRATA
Last Closed |          |2014-10-14 02:42:15
--- Comment #42 from errata-xmlrpc errata-xmlrpc@redhat.com ---
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHEA-2014-1471.html
Awesome!
Greg Elin P: 917-304-3488 E: gregelin@gitmachines.com
Sent from my iPhone
On Oct 15, 2014, at 4:54 PM, Shawn Wells shawn@redhat.com wrote:
-- Shawn Wells Director, Innovation Programs shawn@redhat.com | 443.534.0130 @shawndwells
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
Woohoo! Can we confirm whether remediation scripts are included, or scanning tools and content?
Just had to manually download and install openscap tools to a new VM this week, and was hoping this was coming soon.
Congratulations to all!
On Wed, Oct 15, 2014 at 4:16 PM, Greg Elin gregelin@gitmachines.com wrote:
Awesome!
Hi Andrew,
----- Original Message -----
From: "Andrew Gilmore" agilmore2@gmail.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Thursday, October 16, 2014 12:50:08 AM
Subject: Re: [Bug 1066390] Include scap-security-guide in Red Hat Enterprise Linux 6
Woohoo! Can we confirm whether remediation scripts are included, or scanning tools and content?
Both the checks & remediation scripts are included. Maybe this is the right opportunity to shed more light on how a Red Hat Enterprise Linux system scan works.
There are three major components required:
* the [CLI] scanner (shipped within the openscap-utils package),
* the content (system checks + remediations, shipped within the scap-security-guide package),
* [optional] a GUI tool to ease the task of checking a particular system (shipped within the scap-workbench package, which is for now available via the EPEL-6 repository:
  [1] http://dl.fedoraproject.org/pub/epel/6/SRPMS/repoview/scap-workbench.html
  [2] https://fedorahosted.org/scap-workbench/ )
Given the assumption these three packages are installed, the scan can then be performed via:
* the oscap CLI as follows:
    oscap xccdf eval --profile selected_profile_here \
        --report place_where_to_store_the_HTML_report_of_the_system_scan \
        path_to_rhel6_xccdf_file
See oscap(8) or scap-security-guide(8) manual page for further details.
* via the scap-workbench tool:
Once run, provide the path to the RHEL6 XCCDF benchmark file (either in XML form: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml or in datastream form: /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml) in the "Open Source Datastream or XCCDF file" dialog. Once selected, select a particular profile (in the "Profile" select box) & see how the list of rules is refreshed. Then click the "Scan" button, see the progress & wait for the tool to finish. Once done, it's possible to see the HTML report (click the "Report" button) or save the generated artifacts for further inspection later (see "Save" select-button options).
Refer to scap-workbench manual (in HTML form) for further information: https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_...
To also perform remediation (IOW corrections for those rules that failed), use:
* the --remediate option as well, with the 'oscap xccdf eval ...' command above. E.g. something like:
    oscap xccdf eval --remediate --profile selected_profile_here \
        --report html_path \
        path_to_ssg_rhel6_benchmark
* when using the scap-workbench tool, after loading the selected content, selecting a profile & *before* clicking the "Scan" button, ensure the "Online remediation" checkbox is selected too. Then click "Scan" as normal. The difference from the previous case is that in this scenario scap-workbench, besides scanning / checking the system, will also attempt remediation / corrections for cases where the particular requirement failed (results like 'fixed' should be visible in the main scap-workbench dialog).
Here again, people are encouraged to have a look at scap-workbench's user manual: https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_...
which provides additional information (& covers this use case / scenario & many more).
To keep the reply relatively short, there's one more interesting feature of scap-workbench available - and that is support for remote (via SSH) system scans. See section: https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_...
for further details. Here it's necessary to pinpoint that only content / benchmark provided in datastream (*-ds.xml) format can be used for remote system scans.
Hope the above clarifies things a bit more. Should you have further questions, check oscap(8), scap-security-guide(8), scap-workbench(8) manual pages and / or the aforementioned scap-workbench HTML manual.
Of course should you find some unclear bit yet (not properly covered in the manuals) or just not obvious enough at first sight, feel free to bring it here.
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
Thanks Jan! A couple of questions come to mind: How well does remote system scanning and remediation work? Using ssh as root? Wouldn't remediation of the sshd PermitRoot configuration lock root out of the system? Are the datastream formats also produced in the ssg make process?
On Thu, Oct 16, 2014 at 1:33 AM, Jan Lieskovsky jlieskov@redhat.com wrote:
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Hey Andrew,
On 10/16/2014 05:18 PM, Andrew Gilmore wrote:
How well does remote system scanning and remediation work? Using ssh as root? Wouldn't remediation of the sshd PermitRoot configuration lock root out of the system?
I believe that you can choose any user to scan the system with workbench. The connection dialog can take things like:
otto@doghouse.local.lan
Are the datastream formats also produced in the ssg make process?
Yes, datastreams are built natively from SSG using `make dist` in a particular directory.
Best regards,
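As an added example (not part of the original thread and not OpenSCAP or SSG project code), the Python below triages the XCCDF results file that `oscap xccdf eval` writes when given its `--results` option: it lists rules that still need attention and rules reported as 'fixed' after `--remediate`. The sample XML, its rule ids and the `sshd` watch substring are constructed assumptions; the substring only surfaces SSH-related rules for the remote-scan lockout question raised above.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a results file (XCCDF 1.1 namespace); rule ids are
# illustrative and not taken from the thread.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed">
  <TestResult id="constructed-testresult">
    <rule-result idref="accounts_password_minlen"><result>pass</result></rule-result>
    <rule-result idref="sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="sshd_set_idle_timeout"><result>fixed</result></rule-result>
    <rule-result idref="audit_rules_time"><result>error</result></rule-result>
    <rule-result idref="partition_for_tmp"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>"""

# Results that leave a requirement unmet or unverified.
NEEDS_ATTENTION = {"fail", "error", "unknown"}


def local(tag):
    """Drop the '{namespace}' prefix so XCCDF 1.1 and 1.2 files both parse."""
    return tag.rsplit("}", 1)[-1]


def rule_results(xml_text):
    """Return {rule_id: result} from the last TestResult in the document."""
    root = ET.fromstring(xml_text)
    tests = [e for e in root.iter() if local(e.tag) == "TestResult"]
    if not tests:
        raise ValueError("no TestResult element found; was --results used?")
    out = {}
    for rr in tests[-1]:
        if local(rr.tag) != "rule-result":
            continue
        texts = [c.text.strip() for c in rr if local(c.tag) == "result" and c.text]
        out[rr.get("idref")] = texts[0] if texts else "unknown"
    return out


def triage(xml_text, watch="sshd"):
    """Summarise a scan: counts, open rules, fixed rules, and watched rules."""
    results = rule_results(xml_text)
    open_rules = sorted(r for r, v in results.items() if v in NEEDS_ATTENTION)
    fixed = sorted(r for r, v in results.items() if v == "fixed")
    return {
        "counts": dict(Counter(results.values())),
        "open": open_rules,
        "fixed": fixed,
        # Hypothetical heuristic: rule ids containing `watch` affect remote
        # access, so review them before and after remediating over SSH.
        "access": sorted(r for r in open_rules + fixed if watch in r),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RESULTS)
    print("result counts:", report["counts"])
    print("still open   :", ", ".join(report["open"]))
    print("fixed        :", ", ".join(report["fixed"]))
    print("check access :", ", ".join(report["access"]))
```

Running a scan without `--remediate` first and reviewing the "check access" list gives the operator a chance to confirm that a non-root login works before any SSH-related rule is changed.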