Hello,
I recently downloaded the SCAP source code and noticed there were some additional profiles listed in the profiles folder. How can I run a scan against these profiles? For instance, when trying to run a scan against the usgcb-rhel6-server.xml (after successfully using oscap xccdf validate) I get an "unknown document type" error. I think this is because I'm using the stig profile and the ssg cpe dictionary. If so, how can I add a usgcb profile and cpe dictionary to successfully scan against this profile?
Thank you for the help.
Luke Kordell
On 9/26/13 1:16 PM, Kordell, Luke T wrote:
Hello,
I recently downloaded the SCAP source code and noticed there were some additional profiles listed in the profiles folder. How can I run a scan against these profiles? For instance, when trying to run a scan against the usgcb-rhel6-server.xml (after successfully using oscap xccdf validate) I get an "unknown document type" error. I think this is because I'm using the stig profile and the ssg cpe dictionary. If so, how can I add a usgcb profile and cpe dictionary to successfully scan against this profile?
Thank you for the help.
Good question!
There are a few profiles in the RHEL6/input/profiles/ directory which are still being completed, for example the FISMA, and a few which likely should be deleted (e.g. desktop).
To list out which profiles are compiled in:
$ grep "<Profile" output/ssg-rhel6-xccdf.xml
<Profile id="test">
<Profile id="CS2">
<Profile id="common">
<Profile id="desktop">
<Profile id="server">
<Profile id="ftp">
<Profile id="stig-rhel6-server">
Profile definitions from RHEL6/input/profiles/ are merged into the build process through the RHEL6/input/guide.xslt file: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/g...
Since you're cloning the source (which is great!), I'll wager you're comfortable editing things. If you'd like to check out the (in progress) USGCB, add a line where you see the other apply-templates:
<xsl:apply-templates select="document('profiles/usgcb-rhel6-server.xml')" />
From there, re-run 'make content' in the RHEL6 directory and you'll see an updated XCCDF in the output/ directory
Thank you for responding! I'm actually getting a bunch of unlinked files in my output directory. Should the usgcb file be usgcb-rhel6-server-xccdf.xml?
Luke
________________________________________
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shawn Wells [shawn@redhat.com]
Sent: Thursday, September 26, 2013 8:29 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: EXTERNAL: Re: scan question
On 9/26/13 1:16 PM, Kordell, Luke T wrote:
Hello,
I recently downloaded the SCAP source code and noticed there were some additional profiles listed in the profiles folder. How can I run a scan against these profiles? For instance, when trying to run a scan against the usgcb-rhel6-server.xml (after successfully using oscap xccdf validate) I get an "unknown document type" error. I think this is because I'm using the stig profile and the ssg cpe dictionary. If so, how can I add a usgcb profile and cpe dictionary to successfully scan against this profile?
Thank you for the help.
Good question!
There are a few profiles in the RHEL6/input/profiles/ directory which are still being completed, for example the FISMA, and a few which likely should be deleted (e.g. desktop).
To list out which profiles are compiled in:
$ grep "<Profile" output/ssg-rhel6-xccdf.xml
<Profile id="test">
<Profile id="CS2">
<Profile id="common">
<Profile id="desktop">
<Profile id="server">
<Profile id="ftp">
<Profile id="stig-rhel6-server">
Profile definitions from RHEL6/input/profiles/ are merged into the build process through the RHEL6/input/guide.xslt file: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/g...
Since you're cloning the source (which is great!), I'll wager you're comfortable editing things. If you'd like to check out the (in progress) USGCB, add a line where you see the other apply-templates:
<xsl:apply-templates select="document('profiles/usgcb-rhel6-server.xml')" />
From there, re-run 'make content' in the RHEL6 directory and you'll see an updated XCCDF in the output/ directory
On 9/27/13 6:11 PM, Kordell, Luke T wrote:
Thank you for responding! I'm actually getting a bunch of unlinked files in my output directory.
The Make process involves several iterative XSLT transforms, which generate the unlinked-* files. If you're looking for something usable, they can be completely ignored.
The final content is reflected in the ssg-rhel6-* files under the output/ directory after you do a 'make content'. Alternatively, you could do a 'make dist' which may be easier to consume:
[shawn@SSG-RHEL6 RHEL6]$ pwd
/var/www/html/scap-security-guide/RHEL6
[shawn@SSG-RHEL6 RHEL6]$ make dist
...... build process runs .....
[shawn@SSG-RHEL6 RHEL6]$ ll dist/
total 12
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 content
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 guide
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 policytables
[shawn@SSG-RHEL6 RHEL6]$ ll dist/content/
total 1892
-rw-rw-r--. 1 shawn shawn     600 Sep 29 22:07 ssg-rhel6-cpe-dictionary.xml
-rw-rw-r--. 1 shawn shawn    3640 Sep 29 22:07 ssg-rhel6-cpe-oval.xml
-rw-rw-r--. 1 shawn shawn  751809 Sep 29 22:07 ssg-rhel6-oval.xml
-rw-rw-r--. 1 shawn shawn 1172552 Sep 29 22:07 ssg-rhel6-xccdf.xml
Should the usgcb file be usgcb-rhel6-server-xccdf.xml?
The profile will be included within ssg-rhel6-xccdf.xml. You could verify that by grepping the ssg-rhel6-xccdf.xml file:
$ grep "<Profile" output/ssg-rhel6-xccdf.xml
<Profile id="test">
<Profile id="CS2">
<Profile id="common">
<Profile id="desktop">
<Profile id="server">
<Profile id="ftp">
<Profile id="stig-rhel6-server">
<Profile id="usgcb-rhel6-server">
Note that the USGCB is *very* rough and does not [yet] reflect a comprehensive profile. But if people are willing to test it, then it makes sense to begin including it... lemme whip up a patch....
Shawn
On 9/29/13 10:16 PM, Shawn Wells wrote:
On 9/27/13 6:11 PM, Kordell, Luke T wrote:
Thank you for responding! I'm actually getting a bunch of unlinked files in my output directory.
The Make process involves several iterative XSLT transforms, which generate the unlinked-* files. If you're looking for something usable, they can be completely ignored.
The final content is reflected in the ssg-rhel6-* files under the output/ directory after you do a 'make content'. Alternatively, you could do a 'make dist' which may be easier to consume:
[shawn@SSG-RHEL6 RHEL6]$ pwd
/var/www/html/scap-security-guide/RHEL6
[shawn@SSG-RHEL6 RHEL6]$ make dist
...... build process runs .....
[shawn@SSG-RHEL6 RHEL6]$ ll dist/
total 12
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 content
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 guide
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 policytables
[shawn@SSG-RHEL6 RHEL6]$ ll dist/content/
total 1892
-rw-rw-r--. 1 shawn shawn     600 Sep 29 22:07 ssg-rhel6-cpe-dictionary.xml
-rw-rw-r--. 1 shawn shawn    3640 Sep 29 22:07 ssg-rhel6-cpe-oval.xml
-rw-rw-r--. 1 shawn shawn  751809 Sep 29 22:07 ssg-rhel6-oval.xml
-rw-rw-r--. 1 shawn shawn 1172552 Sep 29 22:07 ssg-rhel6-xccdf.xml
Should the usgcb file be usgcb-rhel6-server-xccdf.xml?
The profile will be included within ssg-rhel6-xccdf.xml. You could verify that by grepping the ssg-rhel6-xccdf.xml file:
$ grep "<Profile" output/ssg-rhel6-xccdf.xml
<Profile id="test">
<Profile id="CS2">
<Profile id="common">
<Profile id="desktop">
<Profile id="server">
<Profile id="ftp">
<Profile id="stig-rhel6-server">
<Profile id="usgcb-rhel6-server">
Note that the USGCB is *very* rough and does not [yet] reflect a comprehensive profile. But if people are willing to test it, then it makes sense to begin including it... lemme whip up a patch....
Created a patch to add USGCB to the build process.... if ACK'd, you'll be able to just do:
oscap xccdf eval --profile usgcb-rhel6-server \
    --results /var/www/html/ssg-results/results.xml \
    --report /var/www/html/ssg-results/report.html \
    --cpe-dict ssg-rhel6-cpe-dictionary.xml \
    ssg-rhel6-xccdf.xml
Hi,
I double-checked to make sure I added the correct line to the guide.xslt file, but when I grepped the ssg-rhel6-xccdf.xml file it did not return the usgcb profile. I wish I could pull the latest update and patches quickly but am unable to do so with my RHEL machine at the moment.
Basically what I'm trying to do is find a good starting point for a completely customized profile that calls a particular set of rules I will define. I think I need to conduct a little more research to make sure I fully understand how to use the scripts to generate OVAL content and how to create a profile. I think I have the rule creation/adding part down. Can you point me in the right direction?
As always thank you for the assistance!
Luke K
________________________________________
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shawn Wells [shawn@redhat.com]
Sent: Sunday, September 29, 2013 8:16 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: EXTERNAL: Re: scan question
On 9/27/13 6:11 PM, Kordell, Luke T wrote:
Thank you for responding! I'm actually getting a bunch of unlinked files in my output directory.
The Make process involves several iterative XSLT transforms, which generate the unlinked-* files. If you're looking for something usable, they can be completely ignored.
The final content is reflected in the ssg-rhel6-* files under the output/ directory after you do a 'make content'. Alternatively, you could do a 'make dist' which may be easier to consume:
[shawn@SSG-RHEL6 RHEL6]$ pwd
/var/www/html/scap-security-guide/RHEL6
[shawn@SSG-RHEL6 RHEL6]$ make dist
...... build process runs .....
[shawn@SSG-RHEL6 RHEL6]$ ll dist/
total 12
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 content
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 guide
drwxrwxr-x. 2 shawn shawn 4096 Sep 29 22:06 policytables
[shawn@SSG-RHEL6 RHEL6]$ ll dist/content/
total 1892
-rw-rw-r--. 1 shawn shawn     600 Sep 29 22:07 ssg-rhel6-cpe-dictionary.xml
-rw-rw-r--. 1 shawn shawn    3640 Sep 29 22:07 ssg-rhel6-cpe-oval.xml
-rw-rw-r--. 1 shawn shawn  751809 Sep 29 22:07 ssg-rhel6-oval.xml
-rw-rw-r--. 1 shawn shawn 1172552 Sep 29 22:07 ssg-rhel6-xccdf.xml
Should the usgcb file be usgcb-rhel6-server-xccdf.xml?
The profile will be included within ssg-rhel6-xccdf.xml. You could verify that by grepping the ssg-rhel6-xccdf.xml file:
$ grep "<Profile" output/ssg-rhel6-xccdf.xml
<Profile id="test">
<Profile id="CS2">
<Profile id="common">
<Profile id="desktop">
<Profile id="server">
<Profile id="ftp">
<Profile id="stig-rhel6-server">
<Profile id="usgcb-rhel6-server">
Note that the USGCB is *very* rough and does not [yet] reflect a comprehensive profile. But if people are willing to test it, then it makes sense to begin including it... lemme whip up a patch....
Shawn
On 10/2/13 8:04 PM, Kordell, Luke T wrote:
Hi,
I double-checked to make sure I added the correct line to the guide.xslt file, but when I grepped the ssg-rhel6-xccdf.xml file it did not return the usgcb profile. I wish I could pull the latest update and patches quickly but am unable to do so with my RHEL machine at the moment.
If you do a 'git pull', or simply reclone, you'll notice the new profile in there. It should make the next RPM release too.
Basically what I'm trying to do is find a good starting point for a completely customized profile that calls a particular set of rules I will define. I think I need to conduct a little more research to make sure I fully understand how to use the scripts to generate OVAL content and how to create a profile. I think I have the rule creation/adding part down. Can you point me in the right direction?
As always thank you for the assistance!
Consider exploring the XCCDF "extends" option, as used in the STIG: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/p...
Specifically:
<Profile id="stig-rhel6-server" extends="common">
The STIG inherits *everything* from the common profile, located here: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/p...
Once inherited, anything in the STIG profile takes precedence, allowing for customization of things like password length, audit retention, etc.
If you wanted to change a refine value, such as maximum age of passwords, simply use a refine-value tag:
<refine-value idref="var_accounts_maximum_age_login_defs" selector="5"/>
... which would change the value from the STIG (which is 180 days) to 5 in your custom profile.
Or perhaps there's a STIG rule which you disagree with, disable it via the selected operator:
<select idref="password_require_uppercases" selected="false"/>
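As an added example (not code from this thread or from scap-security-guide), here is a small Python resolver that walks an XCCDF profile's extends chain and reports the effective rule selections and variable values, mirroring how a child profile's select and refine-value entries override what it inherits from "common". The benchmark it parses is constructed inline; the custom-server profile id and the rule and variable ids in it are assumed for illustration.

```python
# Added example: resolve an XCCDF profile's effective selections through its
# 'extends' chain, as oscap does when stig-rhel6-server inherits from "common".
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # XCCDF 1.1 namespace

# Constructed mini benchmark (not SSG content): a "common" base profile and a
# custom profile that overrides one value selector and deselects one rule.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Profile id="common">
    <select idref="accounts_maximum_age_login_defs" selected="true"/>
    <select idref="password_require_uppercases" selected="true"/>
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="180"/>
  </Profile>
  <Profile id="custom-server" extends="common">
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="5"/>
    <select idref="password_require_uppercases" selected="false"/>
  </Profile>
  <Value id="var_accounts_maximum_age_login_defs">
    <value selector="180">180</value>
    <value selector="5">5</value>
  </Value>
</Benchmark>"""

def resolve_profile(root, profile_id, _seen=()):
    """Return ({rule_id: selected}, {value_id: selector}); ancestors apply first."""
    if profile_id in _seen:
        raise ValueError("cyclic extends chain at %r" % profile_id)
    profile = root.find("x:Profile[@id='%s']" % profile_id, NS)
    if profile is None:
        raise KeyError("no profile %r in benchmark" % profile_id)
    selected, selectors = {}, {}
    parent = profile.get("extends")
    if parent:  # inherit everything from the parent profile first
        selected, selectors = resolve_profile(root, parent, _seen + (profile_id,))
    for sel in profile.findall("x:select", NS):  # child entries override parent
        selected[sel.get("idref")] = sel.get("selected") == "true"
    for rv in profile.findall("x:refine-value", NS):
        selectors[rv.get("idref")] = rv.get("selector")
    return selected, selectors

def summarize(xccdf_text, profile_id):
    """Selected rule ids and the concrete <Value> text chosen by each selector."""
    root = ET.fromstring(xccdf_text)
    selected, selectors = resolve_profile(root, profile_id)
    rules = sorted(r for r, on in selected.items() if on)
    values = {vid: root.findtext("x:Value[@id='%s']/x:value[@selector='%s']" % (vid, sel), None, NS)
              for vid, sel in selectors.items()}
    return rules, values
```

Running summarize(SAMPLE_XCCDF, "custom-server") shows the uppercase rule dropped and the password age resolved to 5, while "common" alone keeps both rules at 180 days.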
Great! I noticed that the stig profile also refines values inherited from the common profile. Thank you again for the help. Once I begin developing my own profile I will share any major modifications or creations.
Luke Kordell
________________________________________
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Shawn Wells [shawn@redhat.com]
Sent: Wednesday, October 02, 2013 8:22 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: EXTERNAL: Re: scan question
On 10/2/13 8:04 PM, Kordell, Luke T wrote:
Hi,
I double-checked to make sure I added the correct line to the guide.xslt file, but when I grepped the ssg-rhel6-xccdf.xml file it did not return the usgcb profile. I wish I could pull the latest update and patches quickly but am unable to do so with my RHEL machine at the moment.
If you do a 'git pull', or simply reclone, you'll notice the new profile in there. It should make the next RPM release too.
Basically what I'm trying to do is find a good starting point for a completely customized profile that calls a particular set of rules I will define. I think I need to conduct a little more research to make sure I fully understand how to use the scripts to generate OVAL content and how to create a profile. I think I have the rule creation/adding part down. Can you point me in the right direction?
As always thank you for the assistance!
Consider exploring the XCCDF "extends" option, as used in the STIG: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/p...
Specifically:
<Profile id="stig-rhel6-server" extends="common">
The STIG inherits *everything* from the common profile, located here: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/p...
Once inherited, anything in the STIG profile takes precedence, allowing for customization of things like password length, audit retention, etc.
If you wanted to change a refine value, such as maximum age of passwords, simply use a refine-value tag:
<refine-value idref="var_accounts_maximum_age_login_defs" selector="5"/>
... which would change the value from the STIG (which is 180 days) to 5 in your custom profile.
Or perhaps there's a STIG rule which you disagree with, disable it via the selected operator:
<select idref="password_require_uppercases" selected="false"/>
On 10/3/13 5:05 PM, Kordell, Luke T wrote:
Great! I noticed that the stig profile also refines values inherited from the common profile. Thank you again for the help. Once I begin developing my own profile I will share any major modifications or creations.
Absolutely! Let us know if your profile would be of interest for a larger group, perhaps we could evaluate it for inclusion.