Hello everybody,
I'm still working on checking how many STIG rules have implemented checks in the OpenSCAP profiles. When running the oscap eval command, I identified that several checks are in the notchecked status.
After some investigation, I identified that there were no OVAL checks available for these rules. After reading some documentation about the OVAL language, I was wondering whether it would be possible to implement a check for these rules.
For example, for the rule "homedirs must exist", the check consists of running "pwck -r" in order to identify whether the home directories exist or not. I know how to do that with a shell script, but I'm not sure whether it is possible in OVAL.
So I have several questions about these kinds of checks:
- Is it possible to implement them using OVAL, with an OVAL rule that can check a command's result?
- Is it possible to implement these checks using another language? I heard about SCE, but it seems to be only for OpenSCAP.
- Will these checks stay manual checks with notchecked status in SSG?
Thanks for your answers.
Regards, Olivier Bonhomme
On Tue, Nov 21, 2017 at 3:28 PM, Olivier BONHOMME obonhomme@nerim.net wrote:
Hello everybody,
I'm still working on checking how many STIG rules have implemented checks in the OpenSCAP profiles. When running the oscap eval command, I identified that several checks are in the notchecked status.
After some investigation, I identified that there were no OVAL checks available for these rules. After reading some documentation about the OVAL language, I was wondering whether it would be possible to implement a check for these rules.
For example, for the rule "homedirs must exist", the check consists of running "pwck -r" in order to identify whether the home directories exist or not. I know how to do that with a shell script, but I'm not sure whether it is possible in OVAL.
So I have several questions about these kinds of checks:
- Is it possible to implement them using OVAL, with an OVAL rule that can check a command's result?
Yes, it is.
- Is it possible to implement these checks using another language? I heard about SCE, but it seems to be only for OpenSCAP.
You can definitely do that, but it won't be taken advantage of by Nessus and other scanners that use SCAP.
- Will these checks stay manual checks with notchecked status in SSG?
The plan is that these checks will have OVAL and remediation scripts in the future. It is really a matter of time, effort, and resources. There are tickets already open for each of them. You can see them at https://github.com/OpenSCAP/scap-security-guide/projects/7 Getting the XCCDF into SSG is the easy part. The rest takes time. So if you or anyone is willing and able to help get us there, PRs are welcome. :)
Thanks for your answers.
Regards, Olivier Bonhomme
On 21/11/2017 at 23:46, Gabe Alford wrote:
So I have several questions about these kinds of checks:
- Is it possible to implement them using OVAL, with an OVAL rule that can check a command's result?
Yes, it is.
Hello Gabe,
That's great to read. Honestly, I am a little bit lost with the OVAL format, but I am trying to learn, and I wasn't sure such a thing was possible. When looking into the OVAL spec, I found the textfilecontent rule but nothing for parsing a command result.
If you have an entry point in the OVAL language spec for doing such a check, I would be happy to try to write the check :)
- Is it possible to implement these checks using another language? I heard about SCE, but it seems to be only for OpenSCAP.
You can definitely do that, but it won't be taken advantage of by Nessus and other scanners that use SCAP.
OK. That's what I understood, but it can be a good workaround in some cases.
The plan is that these checks will have OVAL and remediation scripts in the future. It is really a matter of time, effort, and resources. There are tickets already open for each of them. You can see them at https://github.com/OpenSCAP/scap-security-guide/projects/7 Getting the XCCDF into SSG is the easy part. The rest takes time. So if you or anyone is willing and able to help get us there, PRs are welcome. :)
It would be a pleasure to help the project, but before submitting PRs, it's important for me to know whether things are possible or not :)
Thanks
Regards, Olivier Bonhomme
On 22/11/17 00:01, Olivier BONHOMME wrote:
If you have an entry point in the OVAL language spec for doing such a check, I would be happy to try to write the check :)
Hello,
These OVAL tests might help:
- https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/uni...
- https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/uni...
I think you can use password_state to get the list of users' home directories into a variable, and then use file_test to check for their existence.
Below are some examples of the tests; they are not exactly what you need, but you can get inspired by them :)
- shared/checks/oval/no_files_unowned_by_user.xml
- shared/checks/oval/accounts_password_all_shadowed.xml
- shared/checks/oval/file_permissions_home_dirs.xml
On 11/22/2017 10:33 AM, Watson Yuuma Sato wrote:
On 22/11/17 00:01, Olivier BONHOMME wrote:
If you have an entry point in the OVAL language spec for doing such a check, I would be happy to try to write the check :)
Hello,
These OVAL tests might help:
- https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/uni...
- https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/uni...
I think you can use password_state to get the list of users' home directories into a variable, and then use file_test to check for their existence.
Below are some examples of the tests; they are not exactly what you need, but you can get inspired by them :)
- shared/checks/oval/no_files_unowned_by_user.xml
- shared/checks/oval/accounts_password_all_shadowed.xml
- shared/checks/oval/file_permissions_home_dirs.xml
And to make it more explicit: OVAL does not support execution of scripts at all. You have to make do with reading files or using existing probes :(
Regards, Marek
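Putting Watson's suggestion and Marek's constraint together, here is an added example (it is not code from the SSG repository or from anyone in this thread) of a complete, stand-alone OVAL 5.11 definition for the "home directories must exist" rule. No command is executed: a password_object filtered by a password_state collects the interactive accounts from /etc/passwd, a local_variable pulls their home_dir field, and a file_test with check_existence="all_exist" fails if any of those paths is missing. The IDs, the UID 1000 threshold and the nologin/false shell pattern are assumptions chosen for the example, not part of any STIG text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the SSG repository: OVAL 5.11 check that every
     interactive user's home directory listed in /etc/passwd exists on disk.
     Assumption: "interactive" means UID >= 1000 with a shell other than
     nologin/false. IDs under "com.example.homedirs" are made up for this file. -->
<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <generator>
    <oval:product_name>hand-written example</oval:product_name>
    <oval:schema_version>5.11</oval:schema_version>
    <oval:timestamp>2017-11-22T00:00:00</oval:timestamp>
  </generator>

  <definitions>
    <definition class="compliance" id="oval:com.example.homedirs:def:1" version="1">
      <metadata>
        <title>All interactive users' home directories must exist</title>
        <affected family="unix">
          <platform>multi_platform_all</platform>
        </affected>
        <description>Each home directory recorded in /etc/passwd for an
          interactive user (UID 1000 or above, real login shell) must exist
          on the filesystem.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:com.example.homedirs:tst:1"
                   comment="every collected home directory exists"/>
      </criteria>
    </definition>
  </definitions>

  <tests>
    <!-- No state is referenced, so the verdict comes from check_existence alone:
         all_exist is false as soon as one variable value is a missing directory. -->
    <unix:file_test id="oval:com.example.homedirs:tst:1" version="1"
                    check="all" check_existence="all_exist"
                    comment="home directories of interactive users exist">
      <unix:object object_ref="oval:com.example.homedirs:obj:2"/>
    </unix:file_test>
  </tests>

  <objects>
    <!-- Step 1: read /etc/passwd through the password probe, keeping only the
         accounts that match the password_state below (filter action must be
         "include" explicitly; the schema default is "exclude"). -->
    <unix:password_object id="oval:com.example.homedirs:obj:1" version="1"
                          comment="interactive accounts from /etc/passwd">
      <unix:username operation="pattern match">.*</unix:username>
      <filter action="include">oval:com.example.homedirs:ste:1</filter>
    </unix:password_object>

    <!-- Step 2: one file item per home directory. filename is nil so the item
         is the directory itself rather than the files inside it. -->
    <unix:file_object id="oval:com.example.homedirs:obj:2" version="1"
                      comment="the home directory paths themselves">
      <unix:path var_ref="oval:com.example.homedirs:var:1"/>
      <unix:filename xsi:nil="true"/>
    </unix:file_object>
  </objects>

  <states>
    <!-- Assumption: interactive = UID >= 1000 and a shell that is not
         nologin/false. Adjust the threshold to the platform's UID_MIN. -->
    <unix:password_state id="oval:com.example.homedirs:ste:1" version="1"
                         comment="interactive user">
      <unix:user_id datatype="int" operation="greater than or equal">1000</unix:user_id>
      <unix:login_shell operation="pattern match">^(?!.*(nologin|false)$).*$</unix:login_shell>
    </unix:password_state>
  </states>

  <variables>
    <!-- The home_dir field of every matching password_item becomes one value of
         this variable, which feeds the path entity of the file_object above. -->
    <local_variable id="oval:com.example.homedirs:var:1" version="1" datatype="string"
                    comment="home directories of interactive users">
      <object_component object_ref="oval:com.example.homedirs:obj:1" item_field="home_dir"/>
    </local_variable>
  </variables>
</oval_definitions>
```

Because nothing here runs a script, the definition is plain OVAL and evaluates in any SCAP scanner, which is the advantage over SCE that Gabe pointed out. Run it on its own with `oscap oval eval --results results.xml homedirs_exist.xml` (the file name is arbitrary). Before relying on it, exercise the negative case on a test host: `useradd -M -d /home/missing -s /bin/bash missingtest` creates an account without creating its home directory, after which `pwck -r` reports the missing directory and the definition should evaluate to false. That negative run matters because whether a missing path produces a "does not exist" item for the variable-driven file_object is down to the scanner's file probe, so confirm it with the scanner you actually ship results to rather than trusting a pass on a clean host.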