Hello Daniel,
thank you for checking.
----- Original Message -----
From: "Dan Warburton" dan.warburton@jvncomm.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Monday, June 29, 2015 4:19:20 PM
Subject: Re: [New Release] SCAP Security Guide 0.1.23 is now live
Jan,
Did you generate the pre-builts? I do not see them.
No sorry, I didn't create them yet. Originally planned to make them manually, then starting from the future versions to add new Makefile target that would build them automatically.
But later I changed my mind - it's better to start creating them automatically right from scratch (read as: add a new SSG GitHub repo Makefile target that would create them upon request).
This way we can find an agreement wrt e.g. to paths, where the content should be installed etc. (wanted to do this earlier, but in the meantime got distracted by other issues).
I will make that pull request tomorrow (so tomorrow in the evening they could be available already).
Sorry for the delay (and thanks for the reminder!)
Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
On June 23, 2015 at 11:53 AM Jan Lieskovsky jlieskov@redhat.com wrote:
Hello folks,
we are thrilled to announce the GA for the SCAP Security Guide of version 0.1.23 -- the highlights for this release include:
- Start porting of PCI-DSS profile from RHEL-6 to RHEL-7
- Add OVAL-5.11 language support for RHEL-7 product if underlying system's oscap version supports OVAL-5.11 already
- Start generating benchmarks for derivative OSes (CentOS, Scientific Linux)
- Get rid of using symbolic links mechanism for OVAL checks shared across multiple products (RHEL/6, RHEL/7, and Fedora)
- Enhance XML files validation performed via make validate target for all products (optimize speed, validate all XML files against schematron where possible etc.)
For a more detailed Changelog / Release Notes for this release kindly have a look at: [1] https://github.com/OpenSCAP/scap-security-guide/releases
For the instructions how to try the new upstream version from source tarball kindly have a look at: [2] https://github.com/OpenSCAP/scap-security-guide/wiki/Building-from-Source
For the prebuilt XML files -- I will try to generate them within tomorrow and update the v0.1.23 tag page appropriately when done.
Please report any issues encountered with the newly added (but also formerly existing) SSG content via GH tickets interface: [3] https://github.com/OpenSCAP/scap-security-guide/issues/new
Happy hardening!
Regards, Jan
Jan iankko Lieskovsky (on behalf of the SCAP Security Guide upstream team)
SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
Dan Warburton / JVN Communications w: 609-485-4480 m: 609-457-0154
Hello,
Is there a guide on how to use the RHEL SCAP content for CentOS? When I try to use it, I get a lot of "Result: notapplicable". What needs to be done?
I'm using it with OpenSCAP per the manual:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
TIA, -Bond
Bond,
The RHEL SCAP content actually contains an OVAL test of the platform you are on. Since you are on CentOS, rather than RHEL, all the tests in the profile fail the platform test and all the tests evaluate as not applicable.
*This can be fixed a couple of ways.*
1) Alter the actual OVAL test to test for CentOS instead of RHEL (see below)
2) Build SCAP-Security-Guide content for CentOS from the GitHub repo
3) Take a look at https://github.com/openprivacy/ansible-scap
*More details*
1) Use the CentOS quick start in https://github.com/GovReady/govready if you are working with RHEL 6.5 content.
2) I should know this, but not off the top of my head (and I have to run out). But I believe we can now build SSG from https://github.com/OpenSCAP/scap-security-guide
3) https://github.com/openprivacy/ansible-scap is very cool b/c it builds SSG from source for RHEL 7 and it shows how to use GovReady and OpenSCAP-ssh to remotely scan machines.
*Background* (re-posted from a previous email to list)
SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerd settings. Let me emphasize that: *SCAP is not a single XML specification -- SCAP is multiple standards and specs*. Whenever you give "SCAP Content" to a scanner to check a system configurations you are giving the scanner multiple XML files representing multiple standards.
- XCCDF describes the checklist (Extensible Configuration Checklist Description Format). [1]
- CCE are unique identifiers and descriptive material for specific configuration settings (Common Configuration Enumeration). [1]
- OVAL is the XML that describes tests, including multi-part tests, that assess if a CCE identified configuration setting is correct on a system. (Open Vulnerability Assessment Language) [1]
- CPE is a unique string of text to uniquely identify a "platform" of software, hardware, or application (Common Platform Enumeration). The idea is that a CPE string can be used to associate a checklist (XCCDF), a configuration setting (CCE) or test (OVAL) with a specific platform. (Oy!) [1]
And the list goes on. But to understand how to use SCAP-Security-Guide on CentOS we only need to worry about XCCDF, CCE, OVAL, and CPE. (At least I think...)
Almost all RHEL CCE's (config settings) and OVAL (test criteria) work on CentOS. The exceptions are those settings/tests like the RHEL GPG key installed which only make sense in relation to a RHEL subscription and do not apply to CentOS.
So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results come back "not applicable?" Two reasons: 1) Because the XCCDF in RHEL refers to CPE XML file that specifies RHEL and not CentOS. 2) Because CPE platform string is verified with an OVAL test that checks the RPMs for platform identification.
Thus, to get OpenSCAP to work on CentOS, we need to tell OpenSCAP to use a CPE-dictionary.xml file that includes a CPE string for CentOS *and* we need to have a corrected OVAL test that validates we are on CentOS.
And how do we do this reliably? Part of what I'm trying to do with my software, GovReady [2], is to make things like this easier.
But you don't have to use GovReady. If you read the CentOS quick start in the GovReady README, you will see link to a CentOS ssg-centos6-cpe-oval.xml and ssg-centos6-cpe-oval.xml file that make the necessary adjustments. You just need to copy them to your local CentOS server and then correctly specify their path when running OpenSCAP. Like so:
oscap xccdf eval --oval-results --profile server --cpe scap/content/ssg-centos6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Alternatively, you could manually update the CPE and OVAL XML file using (e.g., using a sed statement).
It's still kind of confusing for me. So I hope I have the above correct.
[1] http://wiki.gentoo.org/wiki/SCAP
[2] https://github.com/GovReady/govready
Greg Elin http://govready.org - Making FISMA compliance easier for innovators
email: gregelin@gitmachines.com phone: 917-304-3488
On Tue, Jun 30, 2015 at 5:56 PM, Bond Masuda bond.masuda@hexadiam.com wrote:
Hello,
Is there a guide on how to use the RHEL SCAP content for CentOS? When I try to use it, I get a lot of "Result: notapplicable". What needs to be done?
I'm using it with OpenSCAP per the manual:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
TIA,
-Bond
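As an added illustration of the mechanism Greg describes above (this is example code written for this page, not code from SSG, OpenSCAP or GovReady), the Python below models how a scanner decides rule applicability: a rule names a CPE platform, the CPE dictionary maps that CPE to an OVAL definition through its check href, and the OVAL definition looks for a release RPM. The XML layout is a reduced version of the real files, the RPM names (redhat-release-server, centos-release) and the idea that a CentOS dictionary reuses the CPE name the RHEL XCCDF references are assumptions made for the example, and the package inventories are constructed.

```python
"""Toy model of XCCDF platform applicability (added example; not SSG or
OpenSCAP code). An XCCDF rule names a CPE platform, the CPE dictionary maps
that CPE to an OVAL definition via <check href=...>, and that definition
checks which *-release RPM is installed. All XML here is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "cpe": "http://cpe.mitre.org/dictionary/2.0",
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux",
}

def make_platform_content(cpe_name, title, oval_href, prefix, release_rpm):
    """Build a minimal CPE dictionary and the OVAL file it points at. The OVAL
    definition has a single criterion: an rpminfo test for release_rpm."""
    cpe_dict = f"""<cpe-list xmlns="{NS['cpe']}">
  <cpe-item name="{cpe_name}">
    <title xml:lang="en-us">{title}</title>
    <check system="{NS['oval']}" href="{oval_href}">{prefix}:def:1</check>
  </cpe-item>
</cpe-list>"""
    oval = f"""<oval_definitions xmlns="{NS['oval']}" xmlns:lin="{NS['lin']}">
  <definitions>
    <definition id="{prefix}:def:1" class="inventory" version="1">
      <criteria operator="AND"><criterion test_ref="{prefix}:tst:1"/></criteria>
    </definition>
  </definitions>
  <tests>
    <lin:rpminfo_test id="{prefix}:tst:1" check="all" version="1">
      <lin:object object_ref="{prefix}:obj:1"/>
    </lin:rpminfo_test>
  </tests>
  <objects>
    <lin:rpminfo_object id="{prefix}:obj:1" version="1">
      <lin:name>{release_rpm}</lin:name>
    </lin:rpminfo_object>
  </objects>
</oval_definitions>"""
    return cpe_dict, oval

def oval_platform_check(oval_xml, def_id, installed_rpms):
    """Toy OVAL evaluator: definition -> criterion -> rpminfo_test ->
    rpminfo_object; true only if every named RPM is installed. Real OVAL has
    states, operators and many test types; this handles one pattern only."""
    root = ET.fromstring(oval_xml)
    definition = root.find(f"oval:definitions/oval:definition[@id='{def_id}']", NS)
    if definition is None:
        return False
    for criterion in definition.iter(f"{{{NS['oval']}}}criterion"):
        test = root.find(
            f"oval:tests/lin:rpminfo_test[@id='{criterion.get('test_ref')}']", NS)
        if test is None:
            return False
        obj_ref = test.find("lin:object", NS).get("object_ref")
        obj = root.find(f"oval:objects/lin:rpminfo_object[@id='{obj_ref}']", NS)
        if obj.find("lin:name", NS).text not in installed_rpms:
            return False  # AND criteria: one missing RPM fails the platform
    return True

def platform_applies(cpe_name, cpe_dict_xml, oval_docs, installed_rpms):
    """Look the rule's CPE up in the dictionary and follow <check> to the OVAL
    document. oval_docs maps href -> XML text; oscap resolves the href next to
    the dictionary, which is why the two files must sit in one directory."""
    root = ET.fromstring(cpe_dict_xml)
    item = root.find(f"cpe:cpe-item[@name='{cpe_name}']", NS)
    if item is None:
        return False  # platform unknown to the dictionary
    check = item.find("cpe:check", NS)
    oval_xml = oval_docs.get(check.get("href"))
    if oval_xml is None:
        return False  # dangling href: the platform test cannot run
    return oval_platform_check(oval_xml, check.text.strip(), installed_rpms)

def rule_result(rule_platform, cpe_dict_xml, oval_docs, installed_rpms):
    """XCCDF evaluates a rule's own check only if its platform CPE is true;
    otherwise the scanner reports 'notapplicable' without running it."""
    if platform_applies(rule_platform, cpe_dict_xml, oval_docs, installed_rpms):
        return "evaluated"
    return "notapplicable"

# The CPE that rules in ssg-rhel6-xccdf.xml reference.
RHEL6_CPE = "cpe:/o:redhat:enterprise_linux:6"
# As shipped: that CPE resolves to an OVAL test for the RHEL release RPM
# (package name assumed for this example).
RHEL6_DICT, RHEL6_OVAL = make_platform_content(
    RHEL6_CPE, "Red Hat Enterprise Linux 6", "ssg-rhel6-cpe-oval.xml",
    "oval:ssg-rhel6", "redhat-release-server")
# Assumed shape of a CentOS replacement: keep the CPE name the RHEL XCCDF
# uses, but have its OVAL look for centos-release instead.
CENTOS6_DICT, CENTOS6_OVAL = make_platform_content(
    RHEL6_CPE, "CentOS 6", "ssg-centos6-cpe-oval.xml",
    "oval:ssg-centos6", "centos-release")
# Constructed package inventories standing in for `rpm -qa` output.
CENTOS6_RPMS = {"centos-release", "openscap", "openscap-utils", "kernel"}
RHEL6_RPMS = {"redhat-release-server", "openscap", "kernel"}

if __name__ == "__main__":
    for name, d, docs in (("RHEL dictionary", RHEL6_DICT, {"ssg-rhel6-cpe-oval.xml": RHEL6_OVAL}),
                          ("CentOS dictionary", CENTOS6_DICT, {"ssg-centos6-cpe-oval.xml": CENTOS6_OVAL})):
        print(f"{name} on a CentOS 6 box:", rule_result(RHEL6_CPE, d, docs, CENTOS6_RPMS))
```

With the RHEL dictionary the platform test looks for redhat-release-server, finds nothing on the CentOS inventory, and every rule comes back notapplicable; with the CentOS dictionary the same rules get evaluated. The empty oval_docs case reproduces the dangling-href failure you get when the dictionary is copied without its OVAL file, which is the reason both files have to live next to each other.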
Hey Bond,
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/00646...
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Thanks,
Gabe https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html
On Tue, Jun 30, 2015 at 3:56 PM, Bond Masuda bond.masuda@hexadiam.com wrote:
Hello,
Is there a guide on how to use the RHEL SCAP content for CentOS? When I try to use it, I get a lot of "Result: notapplicable". What needs to be done?
I'm using it with OpenSCAP per the manual:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
TIA,
-Bond
On 6/30/15 6:54 PM, Gabe Alford wrote:
Hey Bond,
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/00646...
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
Spot on. CentOS users can now clone the repo, run make, and they'll see various CentOS content files generated.
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Thanks,
How close are we to having all tests applicable to CentOS actually available in the profiles?
This question about SSG content is getting asked often enough that it deserves an FAQ entry somewhere.
On Jul 1, 2015 10:00 AM, "Shawn Wells" shawn@redhat.com wrote:
On 6/30/15 6:54 PM, Gabe Alford wrote:
Hey Bond,
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/00646...
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
Spot on. CentOS users can now clone the repo, run make, and they'll see various CentOS content files generated.
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Thanks,
-- Shawn Wells Director, Innovation Programs shawn@redhat.com | 443.534.0130 @shawndwells
On 07/01/2015 06:09 PM, Andrew Gilmore wrote:
How close are we to having all tests applicable to CentOS actually available in the profiles?
My understanding is that SSG is under active development. The completeness of the various profiles changes rapidly.
I have seen some github milestones implemented in SSG. These can be of some help
https://github.com/OpenSCAP/scap-security-guide/milestones
This question about SSG content is getting asked often enough that it deserves an FAQ entry somewhere.
Again, things change rapidly. Updating a FAQ is a tedious task for developers, especially if it needs to be done each month.
Would anybody volunteer?
Thanks! ~š.
On Jul 1, 2015 10:00 AM, "Shawn Wells" shawn@redhat.com wrote:
Gabe,
Thanks for providing the links to SSG's integration of CentOS!
Greg
On Tue, Jun 30, 2015 at 6:54 PM, Gabe Alford redhatrises@gmail.com wrote:
Hey Bond,
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/00646...
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Thanks,
Gabe
https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html
On Tue, Jun 30, 2015 at 3:56 PM, Bond Masuda bond.masuda@hexadiam.com wrote:
Hello,
Is there a guide on how to use the RHEL SCAP content for CentOS? When I try to use it, I get a lot of "Result: notapplicable". What needs to be done?
I'm using it with OpenSCAP per the manual:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
TIA,
-Bond
Hi Gabe,
Thank you for your reply. I'm trying to use the 0.1.23 release, but having issues building the content. The error I get is:
Skipping datastream composition, use OpenSCAP 1.2.2 or later!
mkdir -p dist/content
cp output/ssg-fedora-xccdf.xml dist/content
cp output/ssg-fedora-oval.xml dist/content
cp output/ssg-fedora-ds.xml dist/content
cp: cannot stat `output/ssg-fedora-ds.xml': No such file or directory
make[1]: *** [dist] Error 1
make[1]: Leaving directory `/root/scap-security-guide-0.1.23/Fedora'
make: *** [fedora] Error 2
I suspect the missing "ssg-fedora-ds.xml" has something to do with the "Skipping datastream composition" message above?
I'm on CentOS6, and this is the version I got from the yum repos:
[root@openscap-testing scap-security-guide-0.1.23]# rpm -qa openscap*
openscap-1.0.8-1.0.1.el6.centos.1.x86_64
openscap-content-1.0.8-1.0.1.el6.centos.1.noarch
openscap-utils-1.0.8-1.0.1.el6.centos.1.x86_64
So, is this a matter of not being compatible with the version of openscap I'm using? Or, is the make process supposed to handle older versions of openscap more gracefully?
Thanks, -Bond
On 06/30/2015 03:54 PM, Gabe Alford wrote:
Hey Bond,
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/00646...
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Thanks,
Gabe
On Tue, Jun 30, 2015 at 3:56 PM, Bond Masuda bond.masuda@hexadiam.com wrote:
Hello Bond,
thank you for your report.
----- Original Message -----
From: "Bond Masuda" bond.masuda@hexadiam.com
To: scap-security-guide@lists.fedorahosted.org
Sent: Saturday, July 4, 2015 7:33:26 AM
Subject: Re: Using the RHEL specific SCAP content for CentOS
Hi Gabe,
Thank you for your reply. I'm trying to use the 0.1.23 release, but having issues building the content. The error I get is:
Skipping datastream composition, use OpenSCAP 1.2.2 or later!
mkdir -p dist/content
cp output/ssg-fedora-xccdf.xml dist/content
cp output/ssg-fedora-oval.xml dist/content
cp output/ssg-fedora-ds.xml dist/content
cp: cannot stat `output/ssg-fedora-ds.xml': No such file or directory
make[1]: *** [dist] Error 1
make[1]: Leaving directory `/root/scap-security-guide-0.1.23/Fedora'
make: *** [fedora] Error 2
I can reproduce that issue, when issuing just 'plain' "make" in the scap-security-guide-0.1.23 folder. The issue is Fedora content by default requires OVAL-5.11 language version already, and the version of the openscap RPM you are trying to build Fedora content against (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support OVAL-5.11 language version yet.
We will correct this problem in an official way in the upcoming 0.1.24 upstream release (should be available for download during next week).
For now please use the following workaround (in the scap-security-guide-0.1.23 directory after expanding the tarball), issue the following command:
# make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm
This will correctly produce working RPM that can be subsequently used on RHEL-6 / CentOS6 system.
The difference between calling just "make" without arguments and the more concrete Makefile target above is that in the latter case we won't be building Fedora content, and therefore the problematic code part won't get touched / encountered.
I suspect the missing "ssg-fedora-ds.xml" has something to do with the "Skipping datastream composition" message above?
I'm on CentOS6, and this is the version I got from the yum repos:
[root@openscap-testing scap-security-guide-0.1.23]# rpm -qa openscap*
openscap-1.0.8-1.0.1.el6.centos.1.x86_64
openscap-content-1.0.8-1.0.1.el6.centos.1.noarch
openscap-utils-1.0.8-1.0.1.el6.centos.1.x86_64
So, is this a matter of not being compatible with the version of openscap I'm using? Or, is the make process supposed to handle older versions of openscap more gracefully?
As already mentioned, we will fix this officially in the upcoming 0.1.24 release (you are correct it's possible to handle this case more gracefully). For now please use the aforementioned workaround (different Makefile target) to produce the RPM.
Hope the above is helpful.
Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
Thanks, -Bond
On 06/30/2015 03:54 PM, Gabe Alford wrote:
Hey Bond,
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/00646...
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Thanks,
Gabe
On Tue, Jun 30, 2015 at 3:56 PM, Bond Masuda < bond.masuda@hexadiam.com > wrote:
Hello,
Is there a guide on how to use the RHEL SCAP content for CentOS? When I try to use it, I get a lot of "Result: notapplicable". What needs to be done?
I'm using it with OpenSCAP per the manual:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
TIA,
-Bond
Thanks Jan! Please see inline response below...
On 07/04/2015 04:32 AM, Jan Lieskovsky wrote:
Hello Bond,
thank you for your report.
----- Original Message -----
I can reproduce that issue, when issuing just 'plain' "make" in the scap-security-guide-0.1.23 folder. The issue is Fedora content by default requires OVAL-5.11 language version already, and the version of the openscap RPM you are trying to build Fedora content against (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support OVAL-5.11 language version yet.
We will correct this problem in an official way in the upcoming 0.1.24 upstream release (should be available for download during next week).
For now please use the following workaround (in the scap-security-guide-0.1.23 directory after expanding the tarball), issue the following command:
# make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm
This will correctly produce working RPM that can be subsequently used on RHEL-6 / CentOS6 system.
Yes, I was able to build the RPM, however not able to run with oscap. More below...
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/00646...
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Trying to run the last command above without specifying CPE, results in all tests being "notapplicable". And I confirmed there is no cpe-dictionary.xml being built for CentOS6.
What am I missing? -Bond
Bond,
You have to have two files for CentOS:
- ssg-centos6-cpe-dictionary.xml
- ssg-centos6-cpe-oval.xml
ssg-centos6-cpe-dictionary.xml describes the platform. (CPE stands for Common Platform Enumeration).
But ssg-centos6-cpe-oval.xml consists of the "Open Vulnerability Assessment Language" code that _tests_ whether your platform is CentOS. You must have both, b/c the first file refers to the second file.
You can get them here: https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-... https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-...
You can put the files anywhere, just make sure they are in the same directory together, and reference the full path/to/ssg-centos6-cpe-dictionary.xml
Greg
On Mon, Jul 6, 2015 at 5:46 PM, Bond Masuda bond.masuda@hexadiam.com wrote:
Thanks Jan! Please see inline response below...
On 07/04/2015 04:32 AM, Jan Lieskovsky wrote:
Hello Bond,
thank you for your report.
----- Original Message -----
I can reproduce that issue, when issuing just 'plain' "make" in the scap-security-guide-0.1.23 folder. The issue is Fedora content by default requires OVAL-5.11 language version already, and the version of the openscap RPM you are trying to build Fedora content against (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support OVAL-5.11 language version yet.
We will correct this problem in an official way in the upcoming 0.1.24 upstream release (should be available for download during next week).
For now please use the following workaround (in the scap-security-guide-0.1.23 directory after expanding the tarball), issue the following command:
# make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm
This will correctly produce working RPM that can be subsequently used on RHEL-6 / CentOS6 system.
Yes, I was able to build the RPM, however not able to run with oscap. More below...
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/00646...
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Trying to run the last command above without specifying CPE, results in all tests being "notapplicable". And I confirmed there is no cpe-dictionary.xml being built for CentOS6.
What am I missing?
-Bond
Greg,
Thank you for your links and help. Confirmed that with your CPE dictionary and OVAL file, I was able to run the content in oscap.
Jan or Gabe:
The SCAP content from 0.1.23 release, even after getting it to build with the suggested 'make' argument by Jan, does not appear to be functional. Is this a bug or is it because I'm not doing something correctly?
Thanks, -Bond
On 07/06/2015 03:20 PM, Greg Elin wrote:
Bond,
You have to have two files for CentOS:
- ssg-centos6-cpe-dictionary.xml
- ssg-centos6-cpe-oval.xml
ssg-centos6-cpe-dictionary.xml describes the platform. (CPE stands for Common Platform Enumeration).
But ssg-centos6-cpe-oval.xml consists of the "Open Vulnerability Assessment Language" code that _tests_ whether your platform is CentOS. You must have both, b/c the first file refers to the second file.
You can get them here: https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-... https://raw.githubusercontent.com/GovReady/govready/xplatform/templates/ssg-...
You can put the files anywhere, just make sure they are in the same directory together, and reference the full path/to/ssg-centos6-cpe-dictionary.xml
Greg
On Mon, Jul 6, 2015 at 5:46 PM, Bond Masuda bond.masuda@hexadiam.com wrote:
Thanks Jan! Please see inline response below...
On 07/04/2015 04:32 AM, Jan Lieskovsky wrote:
Hello Bond,
thank you for your report.
----- Original Message -----
I can reproduce that issue, when issuing just 'plain' "make" in the scap-security-guide-0.1.23 folder. The issue is Fedora content by default requires OVAL-5.11 language version already, and the version of the openscap RPM you are trying to build Fedora content against (openscap-1.0.8-1.0.1.el6.centos.1.x86_64) does not support OVAL-5.11 language version yet.
We will correct this problem in an official way in the upcoming 0.1.24 upstream release (should be available for download during next week).
For now please use the following workaround (in the scap-security-guide-0.1.23 directory after expanding the tarball), issue the following command:
# make SSG_VERSION_IS_GIT_SNAPSHOT=no rpm
This will correctly produce working RPM that can be subsequently used on RHEL-6 / CentOS6 system.
Yes, I was able to build the RPM, however not able to run with oscap. More below...
As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html
You can download and build the SSG content from https://github.com/OpenSCAP/scap-security-guide
When you run the XCCDF, you have to specify the CentOS XCCDF like below:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-centos6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Please note that I believe that ssg-centos6-cpe-dictionary.xml is not being built with SSG. OpenSCAP is here: https://github.com/openscap/openscap and the announcement here: So I believe all that needs to be done is:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
Trying to run the last command above without specifying CPE, results in all tests being "notapplicable". And I confirmed there is no cpe-dictionary.xml being built for CentOS6.
What am I missing?
-Bond
Bond,
Try running the following:
# oscap xccdf eval --profile stig-rhel6-server-upstream \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
On Mon, Jul 6, 2015 at 6:19 PM, Bond Masuda bond.masuda@hexadiam.com wrote:
Greg,
Thank you for your links and help. Confirmed that with your CPE dictionary and OVAL file, I was able to run the content in oscap.
Jan or Gabe:
The SCAP content from 0.1.23 release, even after getting it to build with the suggested 'make' argument by Jan, does not appear to be functional. Is this a bug or is it because I'm not doing something correctly?
Thanks, -Bond
Hello Bond,
replies inline below.
----- Original Message -----
From: "Bond Masuda" bond.masuda@hexadiam.com To: scap-security-guide@lists.fedorahosted.org Sent: Tuesday, July 7, 2015 2:19:47 AM Subject: Re: Using the RHEL specific SCAP content for CentOS
Greg,
Thank you for your links and help. Confirmed that with your CPE dictionary and OVAL file, I was able to run the content in oscap.
Jan or Gabe:
The SCAP content from 0.1.23 release, even after getting it to build with the suggested 'make' argument by Jan, does not appear to be functional. Is this a bug or is it because I'm not doing something correctly?
The issue you were experiencing is a bit wider. The OpenSCAP scanner / "oscap" tool, when deciding if a particular benchmark is applicable to the system in question, uses two sources of CPE information:
* the file provided on the command line,
* but also the internal CPE database.
I am not sure which of these is used with higher priority (you would need to check on the OpenSCAP mailing list). In any case, OpenSCAP versions shipped in Red Hat Enterprise Linux 7 / CentOS7 and newer already have inbuilt CPE definitions for CentOS / Scientific Linux operating systems, while the 1.0.8 version you were trying to run the content against does not yet.
This problem should be solved though in the most recent scap-security-guide-0.1.24 release (see my announcement in the previous email), therefore you should not be experiencing any more issues when trying to scan CentOS6 system.
Though in the case you encounter some, feel free to file a ticket or report here.
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
Thanks, -Bond
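Greg's two-file explanation above (the dictionary refers to the OVAL file) and Jan's note on the two CPE sources describe the chain oscap follows before it decides whether any rule applies at all: the Benchmark's platform idref must resolve to a cpe-item in the dictionary, whose check must resolve to an inventory definition in the CPE OVAL file. The script below is an added example, not SCAP Security Guide or OpenSCAP code; it walks that chain over three constructed, minimal stand-ins for the XCCDF, dictionary and OVAL files and reports which link is broken. The CPE names, the OVAL definition ids and the file names are assumptions chosen for illustration. It only inspects the files it is given; oscap's built-in CPE database, which Jan mentions, is outside it.

```python
"""Walk the CPE chain oscap resolves before deciding rule applicability.

Added example, not SCAP Security Guide or OpenSCAP code. The XML documents
below are constructed, minimal stand-ins for ssg-centos6-xccdf.xml,
ssg-centos6-cpe-dictionary.xml and ssg-centos6-cpe-oval.xml; the CPE names,
OVAL definition ids and file names are assumptions, not values from SSG.
"""
import xml.etree.ElementTree as ET

NS = {
    "xccdf": "http://checklists.nist.gov/xccdf/1.1",
    "cpe": "http://cpe.mitre.org/dictionary/2.0",
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed XCCDF: the Benchmark names the platform it applies to.
CENTOS6_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="CentOS-6">
  <platform idref="cpe:/o:centos:centos:6"/>
  <Rule id="package_aide_installed" selected="true"/>
</Benchmark>"""

# Constructed CPE dictionary: each cpe-item points at an OVAL definition in a second file.
CENTOS6_CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:centos:centos:6">
    <title xml:lang="en-us">CentOS 6</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
           href="ssg-centos6-cpe-oval.xml">oval:example-centos6:def:1</check>
  </cpe-item>
</cpe-list>"""

# Constructed RHEL dictionary, to show what a CentOS benchmark sees when given only this one.
RHEL6_CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
  <cpe-item name="cpe:/o:redhat:enterprise_linux:6">
    <title xml:lang="en-us">Red Hat Enterprise Linux 6</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
           href="ssg-rhel6-cpe-oval.xml">oval:example-rhel6:def:1</check>
  </cpe-item>
</cpe-list>"""

# Constructed CPE OVAL: the inventory definition the CentOS dictionary refers to
# (its tests are elided; only the id matters for the cross-reference check).
CENTOS6_CPE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example-centos6:def:1" version="1" class="inventory">
      <metadata><title>CentOS 6 is installed</title></metadata>
    </definition>
  </definitions>
</oval_definitions>"""


def benchmark_platforms(xccdf_xml):
    """CPE names the Benchmark declares via <platform idref="..."/>."""
    root = ET.fromstring(xccdf_xml)
    return [p.get("idref") for p in root.iter("{%s}platform" % NS["xccdf"])]


def dictionary_checks(cpe_xml):
    """Map CPE name -> (OVAL file href, OVAL definition id) from a CPE dictionary."""
    checks = {}
    for item in ET.fromstring(cpe_xml).findall("cpe:cpe-item", NS):
        check = item.find("cpe:check", NS)
        if check is not None:
            checks[item.get("name")] = (check.get("href"), (check.text or "").strip())
    return checks


def oval_definition_ids(oval_xml):
    """Set of definition ids present in an OVAL definitions file."""
    root = ET.fromstring(oval_xml)
    return {d.get("id") for d in root.iter("{%s}definition" % NS["oval"])}


def find_problems(xccdf_xml, cpe_xml, oval_files):
    """Follow platform -> dictionary -> OVAL definition and list every broken link.

    oval_files maps href -> OVAL XML text, standing in for the files that sit next
    to the dictionary on disk. An empty list means the chain resolves for every
    platform in the files given; oscap's built-in CPE database is not modelled.
    """
    problems = []
    checks = dictionary_checks(cpe_xml)
    for cpe_name in benchmark_platforms(xccdf_xml):
        if cpe_name not in checks:
            problems.append("platform %s is not in the CPE dictionary" % cpe_name)
            continue
        href, def_id = checks[cpe_name]
        if href not in oval_files:
            problems.append("dictionary refers to missing OVAL file %s" % href)
            continue
        if def_id not in oval_definition_ids(oval_files[href]):
            problems.append("definition %s not found in %s" % (def_id, href))
    return problems


if __name__ == "__main__":
    complete = {"ssg-centos6-cpe-oval.xml": CENTOS6_CPE_OVAL}
    print(find_problems(CENTOS6_XCCDF, CENTOS6_CPE_DICT, complete) or "chain resolves")
    print(find_problems(CENTOS6_XCCDF, CENTOS6_CPE_DICT, {}))
    print(find_problems(CENTOS6_XCCDF, RHEL6_CPE_DICT, {}))
```

Run against real files, read them from the directory the dictionary lives in, since oscap resolves the href relative to the dictionary, which is why Greg says the two files must sit together. A CentOS benchmark handed only the RHEL dictionary is reported as "platform ... is not in the CPE dictionary"; whether the scanner then finds CentOS in its internal database depends on the oscap version, as Jan describes, so check the scanner version before relying on that fallback.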
I'm not sure if this is the place to talk about the specific content of the security standards or if the SSG is more "meta"...
I see there is a test Rule ID: package_aide_installed. I am inclined to think that the spirit of this test is to have a file integrity monitoring (FIM) system. But why AIDE specifically? There are a few options for FIM, but not too many that one couldn't write tests to ensure that at least one of the handful of fully featured OSS FIM solutions is installed and configured. (other options that come to mind are OSSEC and Samhain) Additionally, AIDE development seems to be stagnant and perhaps not the best choice at this time.
Where is this guidance coming from? Is the source of the guidance really technology specific or is the choice of AIDE just a specific interpretation of a more general guidance for a FIM solution? What's the rationale, if so?
-Bond
I'm guessing it's because it comes with RHEL and is therefore supported and easy to test out of the box.
If your local Security Officer is willing to allow it, you could use pretty much anything in place of AIDE.
Trevor
On Tue, Jul 28, 2015 at 6:50 PM, Bond Masuda bond.masuda@hexadiam.com wrote:
I'm not sure if this is the place to talk about the specific content of the security standards or if the SSG is more "meta"...
I see there is a test Rule ID: package_aide_installed. I am inclined to think that the spirit of this test is to have a file integrity monitoring (FIM) system. But why AIDE specifically? There are a few options for FIM, but not too many that one couldn't write tests to ensure that at least one of the handful of fully featured OSS FIM solutions is installed and configured. (other options that come to mind are OSSEC and Samhain) Additionally, AIDE development seems to be stagnant and perhaps not the best choice at this time.
Where is this guidance coming from? Is the source of the guidance really technology specific or is the choice of AIDE just a specific interpretation of a more general guidance for a FIM solution? What's the rationale, if so?
-Bond
Exactly.
Oval content to extend to other tools would be most welcome!
-- Shawn Wells Director, Innovation Programs shawn@redhat.com | 443.534.0130 @shawndwells
On Jul 28, 2015, at 7:50 PM, Trevor Vaughan tvaughan@onyxpoint.com wrote:
I'm guessing it's because it comes with RHEL and is therefore supported and easy to test out of the box.
If your local Security Officer is willing to allow it, you could use pretty much anything in place of AIDE.
Trevor
-- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699
-- This account not approved for unencrypted proprietary information --
Ok. I guess I will need to learn how to write OVAL and XCCDF content....
Besides that, my coworker and I just noticed that although we fail the AIDE test, we are passing the aide_periodic_cron_checking test. This might be a bug??? Can anyone replicate?
-Bond
On 07/28/2015 05:59 PM, Shawn Wells wrote:
Exactly.
Oval content to extend to other tools would be most welcome!
-- Shawn Wells Director, Innovation Programs shawn@redhat.com | 443.534.0130 @shawndwells
On 7/30/15 5:57 PM, Bond Masuda wrote:
Ok. I guess I will need to learn how to write OVAL and XCCDF content....
Writing SCAP isn't the only way to contribute :)
If you can create guidance (just text) for a tool, people here can help convert to XCCDF. On the OVAL side, if you can help us understand what regex/files/system attributes need to be examined for a pass/fail, that's a huge jumping off point too.
Besides that, my coworker and I just noticed that although we fail the AIDE test, we are passing the aide_periodic_cron_checking test. This might be a bug??? Can anyone replicate?
Skimming the code, likely a bug. Do you mind opening a ticket? The OVAL code checks to see if aide is installed:
<criteria operator="AND">
  <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
  <criteria operator="OR">
    <criterion comment="run aide daily with cron" test_ref="test_aide_periodic_cron_checking" />
    <criterion comment="run aide daily with cron" test_ref="test_aide_crond_checking" />
    <criterion comment="run aide daily with cron" test_ref="test_aide_var_cron_checking" />
  </criteria>
</criteria>
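Shawn's snippet is an OVAL criteria tree: the outer AND requires the package_aide_installed definition to be true, and the inner OR accepts any one of the three cron tests. The evaluator below is an added example, not SCAP Security Guide or OpenSCAP code; it parses that exact snippet and combines child results the way the OVAL 5 result rules do for AND and OR (true, false, error, unknown, not evaluated, not applicable, plus the negate attribute; ONE and XOR are left out). The per-test results fed to it are constructed, and the ids are used as the snippet spells them rather than as the full OVAL ids SSG produces at build time. With aide absent the definition cannot come out true whatever the cron tests return, which is why a pass on aide_periodic_cron_checking next to a failed package_aide_installed cannot come from this criteria tree as quoted.

```python
"""OVAL criteria evaluation for the AIDE cron rule quoted in the thread.

Added example, not SCAP Security Guide or OpenSCAP code. CRITERIA is the
snippet Shawn quoted; the test and definition results it is evaluated
against are constructed for illustration, and the ids are used exactly as
the snippet spells them (SSG resolves these names to full OVAL ids when it
builds the content).
"""
import xml.etree.ElementTree as ET

# The six OVAL result values.
TRUE, FALSE, ERROR, UNKNOWN, NOT_EVALUATED, NOT_APPLICABLE = (
    "true", "false", "error", "unknown", "not evaluated", "not applicable",
)

CRITERIA = """<criteria operator="AND">
  <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
  <criteria operator="OR">
    <criterion comment="run aide daily with cron" test_ref="test_aide_periodic_cron_checking" />
    <criterion comment="run aide daily with cron" test_ref="test_aide_crond_checking" />
    <criterion comment="run aide daily with cron" test_ref="test_aide_var_cron_checking" />
  </criteria>
</criteria>"""


def combine(operator, results):
    """Combine child results under an AND or OR operator (OVAL 5 rules).

    'not applicable' children are ignored unless every child is not
    applicable. For AND the first of false > error > unknown > not
    evaluated that is present wins, otherwise the result is true; for OR
    the first of true > error > unknown > not evaluated wins, otherwise
    false. ONE and XOR are not implemented here.
    """
    applicable = [r for r in results if r != NOT_APPLICABLE]
    if not applicable:
        return NOT_APPLICABLE
    if operator == "AND":
        precedence, default = (FALSE, ERROR, UNKNOWN, NOT_EVALUATED), TRUE
    elif operator == "OR":
        precedence, default = (TRUE, ERROR, UNKNOWN, NOT_EVALUATED), FALSE
    else:
        raise ValueError("unsupported operator: %r" % operator)
    for value in precedence:
        if value in applicable:
            return value
    return default


def apply_negate(result, node):
    """negate="true" swaps true and false; every other result is unchanged."""
    if node.get("negate", "false") == "true":
        return {TRUE: FALSE, FALSE: TRUE}.get(result, result)
    return result


def evaluate(node, test_results, definition_results):
    """Recursively evaluate a criteria / criterion / extend_definition element.

    test_results and definition_results map ids to result strings; an id the
    scanner never ran is reported as 'not evaluated'.
    """
    if node.tag == "criterion":
        result = test_results.get(node.get("test_ref"), NOT_EVALUATED)
    elif node.tag == "extend_definition":
        result = definition_results.get(node.get("definition_ref"), NOT_EVALUATED)
    elif node.tag == "criteria":
        children = [evaluate(child, test_results, definition_results) for child in node]
        result = combine(node.get("operator", "AND"), children)
    else:
        raise ValueError("unexpected element: %s" % node.tag)
    return apply_negate(result, node)


def aide_cron_result(aide_installed, cron_tests):
    """Evaluate the quoted criteria for one host.

    aide_installed feeds the package_aide_installed definition; cron_tests
    maps any of the three test ids to a result (missing ids: not evaluated).
    """
    definitions = {"package_aide_installed": TRUE if aide_installed else FALSE}
    return evaluate(ET.fromstring(CRITERIA), cron_tests, definitions)


if __name__ == "__main__":
    # Constructed host states: aide missing but a cron entry present, and the reverse.
    print(aide_cron_result(False, {"test_aide_periodic_cron_checking": TRUE}))  # false
    print(aide_cron_result(True, {"test_aide_crond_checking": TRUE}))           # true
```

The same evaluate() function works on any criteria element pulled out of an OVAL definitions file once its namespace prefix is stripped or matched, which makes it a quick way to sanity-check a new definition's logic against hand-written test results before building it into SSG and running oscap.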
On Tue, Aug 4, 2015 at 8:43 AM, Shawn Wells shawn@redhat.com wrote:
On 7/30/15 5:57 PM, Bond Masuda wrote:
Ok. I guess I will need to learn how to write OVAL and XCCDF content....
Writing SCAP isn't the only way to contribute :)
If you can create guidance (just text) for a tool, people here can help convert to XCCDF. On the OVAL side, if you can help us understand what regex/files/system attributes need to be examined for a pass/fail, that's a huge jumping off point too.
Besides that, my coworker and I just noticed that although we fail the
AIDE test, we are passing the aide_periodic_cron_checking test. This might be a bug??? Can anyone replicate?
Skimming the code, likely a bug. Do you mind opening a ticket? The OVAL code checks to see if aide is installed:
<criteria operator="AND">
  <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
  <criteria operator="OR">
    <criterion comment="run aide daily with cron" test_ref="test_aide_periodic_cron_checking" />
    <criterion comment="run aide daily with cron" test_ref="test_aide_crond_checking" />
    <criterion comment="run aide daily with cron" test_ref="test_aide_var_cron_checking" />
  </criteria>
</criteria>
This was recently fixed with https://github.com/OpenSCAP/scap-security-guide/pull/631 (which is actually listed above by Shawn)
Hello folks,
to provide status update on this issue.
----- Original Message -----
From: "Jan Lieskovsky" jlieskov@redhat.com To: "Dan Warburton" dan.warburton@jvncomm.com Cc: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, June 30, 2015 6:57:59 PM Subject: Re: [New Release] SCAP Security Guide 0.1.23 is now live
Hello Daniel,
thank you for checking.
----- Original Message -----
From: "Dan Warburton" dan.warburton@jvncomm.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Monday, June 29, 2015 4:19:20 PM Subject: Re: [New Release] SCAP Security Guide 0.1.23 is now live
Jan,
Did you generate the pre-builts? I do not see them.
No sorry, I didn't create them yet. Originally planned to make them manually, then starting from the future versions to add new Makefile target that would build them automatically.
But later I changed my mind - it's better to start creating them automatically right from the scratch (read as add new SSG GitHub repo Makefile target, that would create them upon request).
While exploring the ways how to start providing the pre-built SCAP Security Guide XML files in a zip archive automatically, we encountered the following issue: [1] https://github.com/OpenSCAP/scap-security-guide/issues/590
This needs to be fixed first. Only then we can start shipping pre-built XML files zip archive. We are looking into fixing this issue and should be able to provide that promised pre-built zip archive very soon.
For now please use the process described in: [2] https://github.com/OpenSCAP/scap-security-guide/wiki/Building-from-Source
to build an scap-security-guide RPM.
Apologies for the inconvenience / delay.
This way we can find an agreement wrt e.g. to paths, where the content should be installed etc. (wanted to do this earlier, but in the meantime got distracted by other issues).
I will make that pull request tomorrow (so tomorrow in the evening they could be available already).
Sorry for the delay (and thanks for the reminder!)
Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
On June 23, 2015 at 11:53 AM Jan Lieskovsky jlieskov@redhat.com wrote:
Hello folks,
we are thrilled to announce the GA for the SCAP Security Guide of version 0.1.23 -- the highlights for this release include:
- Start porting of PCI-DSS profile from RHEL-6 to RHEL-7
- Add OVAL-5.11 language support for RHEL-7 product if underlying system's oscap version supports OVAL-5.11 already
- Start generating benchmarks for derivative OSes (CentOS, Scientific Linux)
- Get rid of using symbolic links mechanism for OVAL checks shared across multiple products (RHEL/6, RHEL/7, and Fedora)
- Enhance XML files validation performed via make validate target for all products (optimize speed, validate all XML files against schematron where possible etc.)
For a more detailed Changelog / Release Notes for this release kindly have a look at: [1] https://github.com/OpenSCAP/scap-security-guide/releases
For the instructions how to try the new upstream version from source tarball kindly have a look at: [2] https://github.com/OpenSCAP/scap-security-guide/wiki/Building-from-Source
For the prebuilt XML files -- I will try to generate them within tomorrow and update the v0.1.23 tag page appropriately when done.
Please report any issues encountered with the newly added (but also formerly existing) SSG content via GH tickets interface: [3] https://github.com/OpenSCAP/scap-security-guide/issues/new
Happy hardening!
Regards, Jan
Jan iankko Lieskovsky (on behalf of the SCAP Security Guide upstream team)
Dan Warburton / JVN Communications w: 609-485-4480 m: 609-457-0154