Installing openscap on OS X?
by Greg Elin
Has anyone tried to install openSCAP on OS-X?
Is there an open source SCAP scanner for OS-X?
Greg Elin
personal cell: 917-304-3488
personal email: greg(a)fotonotes.net
email: gregelin(a)gitmachines.com
9 years, 11 months
Re: scap-security-guide Digest, Vol 33, Issue 38
by Derek Warner
We have been allowed to use CENTOS on a variety of DoD systems. We do not
connect to the GIG however. These are systems which do not connect or
connect to very controlled networks. RHEL is just costing our program too
much money so we switched to CENTOS.
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner(a)riptidesoftware.com
derek.a.warner(a)us.army.mil
On Thu, May 22, 2014 at 6:14 PM, <
scap-security-guide-request(a)lists.fedorahosted.org> wrote:
> Send scap-security-guide mailing list submissions to
> scap-security-guide(a)lists.fedorahosted.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> or, via email, send a message with subject or body 'help' to
> scap-security-guide-request(a)lists.fedorahosted.org
>
> You can reach the person managing the list at
> scap-security-guide-owner(a)lists.fedorahosted.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of scap-security-guide digest..."
>
>
> Today's Topics:
>
> 1. Re: Scap for Centos (Shawn Wells)
> 2. Re: Scap for Centos (Andrew Gilmore)
> 3. Interesting RH specific discussion on OpenSCAP (Andrew Gilmore)
> 4. Re: Scap for Centos (Colvin, Ron (GSFC-700.0)[VALADOR INC])
> 5. Re: Scap for Centos (Shawn Wells)
> 6. Re: Scap for Centos (Mike Johnson)
> 7. Re: Scap for Centos (Andrew Gilmore)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 22 May 2014 17:13:07 -0400
> From: Shawn Wells <shawn(a)redhat.com>
> To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> Subject: Re: Scap for Centos
> Message-ID: <537E6863.3050704(a)redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> On 5/22/14, 5:06 PM, Shawn Wells wrote:
> >
> > On 5/22/14, 3:43 PM, Derek Warner wrote:
> >> Any chance anyone is working on getting SCAP to work on CENTOS? I
> >> would love to use the scap security guide and secstate to validate
> >> CENTOS 6.5. Right now it's a manual process going line by line in the
> >> RHEL 5 STIG. I would really love to find out if anyone has anything
> >> automated that works on CENTOS.
> >
> > Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> > common criteria, no support, and doesn't meet any of the mandatory
> > regulatory requirements, what's driving the need?
>
> (p.s. Yes, that was worded a little silly, but I'm serious (and not just
> because I'm @redhat.com))
>
> And actually, this does bring up a good question: have many people been
> briefed on the Fedora/CentOS/RHEL roadmap and divergence? It's an area
> that RHT is extremely passionate to inform customers and partners on. If
> there's interest, I might be able to setup a community call and bring in
> the CentOS/RHEL leaders to chat about future plans.
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 22 May 2014 15:35:14 -0600
> From: Andrew Gilmore <agilmore2(a)gmail.com>
> To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> Subject: Re: Scap for Centos
> Message-ID:
> <CAD1s7uzxvQ7KPn_0QKTd2D7cNw3Kp=9KUUUNJ5svMR1=
> 6atY3Q(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> SSG is not just for DoD, I sure hope!
>
> I'm sure there are many CentOS deployments in .gov, I believe there are
> several just in my agency alone. Do we really want to not support them, or
> force them into manual edits to get scans to work?
>
> I've seen nothing announced on CentOS roadmap. More information would be
> good.
>
>
>
>
> On Thu, May 22, 2014 at 3:13 PM, Shawn Wells <shawn(a)redhat.com> wrote:
>
> >
> > On 5/22/14, 5:06 PM, Shawn Wells wrote:
> >
> >>
> >> On 5/22/14, 3:43 PM, Derek Warner wrote:
> >>
> >>> Any chance anyone is working on getting SCAP to work on CENTOS? I would
> >>> love to use the scap security guide and secstate to validate CENTOS
> 6.5.
> >>> Right now it's a manual process going line by line in the RHEL 5 STIG. I
> >>> would really love to find out if anyone has anything automated that
> works
> >>> on CENTOS.
> >>>
> >>
> >> Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> >> common criteria, no support, and doesn't meet any of the mandatory
> >> regulatory requirements, what's driving the need?
> >>
> >
> > (p.s. Yes, that was worded a little silly, but I'm serious (and not just
> > because I'm @redhat.com))
> >
> > And actually, this does bring up a good question: have many people been
> > briefed on the Fedora/CentOS/RHEL roadmap and divergence? It's an area
> that
> > RHT is extremely passionate to inform customers and partners on. If
> there's
> > interest, I might be able to setup a community call and bring in the
> > CentOS/RHEL leaders to chat about future plans.
> >
> > _______________________________________________
> > scap-security-guide mailing list
> > scap-security-guide(a)lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> >
>
> ------------------------------
>
> Message: 3
> Date: Thu, 22 May 2014 15:38:45 -0600
> From: Andrew Gilmore <agilmore2(a)gmail.com>
> To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> Subject: Interesting RH specific discussion on OpenSCAP
> Message-ID:
> <CAD1s7uweBe_XQ5tMn0ObMMhacQ=
> LjBD23XQ_K8dQSeOAYgy4Vg(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> https://access.redhat.com/site/discussions/666153
>
> And yes, CIS shows up almost immediately.
>
> ------------------------------
>
> Message: 4
> Date: Thu, 22 May 2014 22:00:09 +0000
> From: "Colvin, Ron (GSFC-700.0)[VALADOR INC]" <ron.colvin(a)nasa.gov>
> To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> Subject: Re: Scap for Centos
> Message-ID: <8D12BAED-0B1C-40C6-82B5-B43984A99838(a)nasa.gov>
> Content-Type: text/plain; charset="us-ascii"
>
> Organizations and Agencies that allow CentOS on their networks?
>
> Mobile
>
> > On May 22, 2014, at 5:06 PM, "Shawn Wells" <shawn(a)redhat.com> wrote:
> >
> >
> >> On 5/22/14, 3:43 PM, Derek Warner wrote:
> >> Any chance anyone is working on getting SCAP to work on CENTOS? I would
> love to use the scap security guide and secstate to validate CENTOS 6.5.
> Right now it's a manual process going line by line in the RHEL 5 STIG. I
> would really love to find out if anyone has anything automated that works
> on CENTOS.
> >
> > Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> common criteria, no support, and doesn't meet any of the mandatory
> regulatory requirements, what's driving the need?
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 22 May 2014 18:00:43 -0400
> From: Shawn Wells <shawn(a)redhat.com>
> To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> Subject: Re: Scap for Centos
> Message-ID: <537E738B.4010100(a)redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> On 5/22/14, 5:35 PM, Andrew Gilmore wrote:
> > SSG is not just for DoD, I sure hope!
> >
> > I'm sure there are many CentOS deployments in .gov, I believe there
> > are several just in my agency alone. Do we really want to not support
> > them, or force them into manual edits to get scans to work?
>
> Very correct -- there's broad content supporting a wide range of needs;
> ranging from commercial (the C2S profile) to classified (e.g. STIG and
> CS2).
>
> Lacking Common Criteria and FIPS certification, CentOS is not consumable
> by the U.S. Government per the National Security Telecommunications and
> Information Systems Security Policy (NSTISSP) #11, now known as the
> Committee on National Security Systems (CNSS). It's always bugged me
> that policies exist ("all software procurements must be common criteria
> certified!"), of which Red Hat (my employer) is held to simply because
> we're a commercial entity, yet freeware derivatives (e.g. Scientific
> Linux) aren't held to the same standards. Anywhoo, I suppose that
> conversation is a rabbit hole we need not go down.
>
>
> > I've seen nothing announced on CentOS roadmap. More information would
> > be good.
> There's a ton of good information at
> https://community.redhat.com/centos-faq/.
>
> In essence CentOS will be diverging from a RHEL derivative to being its
> own, organic community. CentOS variants will spin up and feed *into*
> RHEL, instead of being a downstream derivative. I'll poke around
> internally to RHT and setup a community call if there are others
> interested in the Fedora/CentOS/RHEL roadmap.
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 22 May 2014 18:05:22 -0400
> From: Mike Johnson <mikerjohnson(a)gmail.com>
> To: scap-security-guide(a)lists.fedorahosted.org
> Subject: Re: Scap for Centos
> Message-ID:
> <CA+3jfow3ur1EN2VTvRzwBg_-P4mk+Roh3mP8HB76==
> yvdN2fFQ(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> The VA has adopted the DISA STIG and CentOS has been approved for
> development servers. I think there are enclave requirements, nevertheless,
> it can be used.
>
> Mike
>
>
> > Date: Thu, 22 May 2014 17:06:32 -0400
> > From: Shawn Wells <shawn(a)redhat.com>
> > To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> > Subject: Re: Scap for Centos
> > Message-ID: <537E66D8.9040604(a)redhat.com>
> > Content-Type: text/plain; charset=UTF-8; format=flowed
> >
> >
> > On 5/22/14, 3:43 PM, Derek Warner wrote:
> > > Any chance anyone is working on getting SCAP to work on CENTOS? I
> > > would love to use the scap security guide and secstate to validate
> > > CENTOS 6.5. Right now it's a manual process going line by line in the
> > > RHEL 5 STIG. I would really love to find out if anyone has anything
> > > automated that works on CENTOS.
> >
> > Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> > common criteria, no support, and doesn't meet any of the mandatory
> > regulatory requirements, what's driving the need?
> >
> >
> >
>
> ------------------------------
>
> Message: 7
> Date: Thu, 22 May 2014 16:14:31 -0600
> From: Andrew Gilmore <agilmore2(a)gmail.com>
> To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> Subject: Re: Scap for Centos
> Message-ID:
> <
> CAD1s7uxEcdMbDWOtK1x23C2SWbznZreuTa6zmzJ62tf0w29Vwg(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I don't get it. Reading this line from the FAQ
> "No, CentOS releases will follow shortly after the release of Red Hat
> Enterprise Linux source. "
> leads me to believe that CentOS will be largely usable as it has been, as a
> free, completely compatible version of RHEL. Yes, with challenges in errata
> availability, but that's the use case.
>
> Suggesting that CentOS is going to be *upstream* of RHEL suggests several
> other valuable, but completely different, uses. I'm not sure this is a
> great move, as I see bigger challenges coming from the free and polished
> desktop side (*cough* Ubuntu).
>
> RHEL 7 should be very interesting.
>
>
>
> On Thu, May 22, 2014 at 4:05 PM, Mike Johnson <mikerjohnson(a)gmail.com
> >wrote:
>
> > The VA has adopted the DISA STIG and CentOS has been approved for
> > development servers. I think there are enclave requirements,
> nevertheless,
> > it can be used.
> >
> > Mike
> >
> >
> >> Date: Thu, 22 May 2014 17:06:32 -0400
> >> From: Shawn Wells <shawn(a)redhat.com>
> >> To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> >> Subject: Re: Scap for Centos
> >> Message-ID: <537E66D8.9040604(a)redhat.com>
> >> Content-Type: text/plain; charset=UTF-8; format=flowed
> >>
> >>
> >>
> >> On 5/22/14, 3:43 PM, Derek Warner wrote:
> >> > Any chance anyone is working on getting SCAP to work on CENTOS? I
> >> > would love to use the scap security guide and secstate to validate
> >> > CENTOS 6.5. Right now it's a manual process going line by line in the
> >> > RHEL 5 STIG. I would really love to find out if anyone has anything
> >> > automated that works on CENTOS.
> >>
> >> Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> >> common criteria, no support, and doesn't meet any of the mandatory
> >> regulatory requirements, what's driving the need?
> >>
> >>
> >>
> >
>
> ------------------------------
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
>
> End of scap-security-guide Digest, Vol 33, Issue 38
> ***************************************************
>
9 years, 11 months
[PATCH 0/3] Couple of stabilization fixes for issues reported by verify-references & verify-input-sanity scripts
by Jan Lieskovsky
From 03e874118dcb54f48f2a92609d091d6650ca671a Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov(a)redhat.com>
Date: Thu, 22 May 2014 18:59:06 +0200
Subject: [PATCH 0/3] Couple of stabilization fixes for issues reported
by verify-references & verify-input-sanity scripts
This patchset provides a couple of stabilization fixes for issues reported
by the verify-references & verify-input-sanity scripts. All three patches
have been tested on RHEL-6 (& RHEL-7 where appropriate), the packages
build & work properly.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Jan Lieskovsky (3):
  [RHEL/6, RHEL/7, shared] Fix "Invalid OVAL definition referenced by
    XCCDF Rule: install_vsftpd" utils/verify-references.py issue
  [RHEL/6] Fix "Invalid OVAL definition referenced by XCCDF Rule:
    root_path_no_dot" ../utils/verify-references.py warning message
  [RHEL/6] Fix couple of XML syntax errors in files:
    * src/input/profiles/nist-CL-IL-AL.xml
    * RHEL/6/input/auxiliary/nist_support.xml
    as reported by verify-input-sanity.py script (the other two files
    currently reported too are red herrings)
RHEL/6/input/auxiliary/nist_support.xml | 10 +-
RHEL/6/input/checks/package_vsftpd_installed.xml | 1 +
RHEL/6/input/checks/root_path_no_dot.xml | 18 +-
.../input/checks/templates/packages_installed.csv | 1 +
RHEL/6/input/profiles/ftp.xml | 2 +-
RHEL/6/input/profiles/nist-CL-IL-AL.xml | 467 ++++++++++-----------
RHEL/6/input/services/ftp.xml | 2 +-
RHEL/7/input/checks/package_vsftpd_installed.xml | 1 +
RHEL/7/input/services/ftp.xml | 2 +-
shared/fixes/bash/package_vsftpd_installed.sh | 1 +
shared/oval/package_vsftpd_installed.xml | 27 ++
11 files changed, 280 insertions(+), 252 deletions(-)
create mode 120000 RHEL/6/input/checks/package_vsftpd_installed.xml
create mode 120000 RHEL/7/input/checks/package_vsftpd_installed.xml
create mode 100644 shared/fixes/bash/package_vsftpd_installed.sh
create mode 100644 shared/oval/package_vsftpd_installed.xml
--
1.8.3.1
9 years, 11 months
"notapplicable" in scap results?
by Greg Elin
We ran a couple different RHEL profiles on CentOS 6.4 virtual machine and
received "not applicable" for all results.
That's the first time I've seen notapplicable and I'm trying to understand
what it means. (I know it means not applicable, but I want to make sure we
don't have a configuration issue set incorrectly.)
Here's what we ran:

oscap xccdf eval --profile DOD_baseline_1.0.0.1 --cpe dcb-rhel5_cpe-dictionary.xml --results result.xml --oval-results dcb-rhel5_xccdf.xml

Sample below.
---------- Forwarded message ----------
From: Rodney Cobb <rocobb(a)gitmachines.com>
Date: Thu, May 22, 2014 at 4:10 PM
Subject: Scap Results
To: Greg Elin <gregelin(a)gitmachines.com>
Greg,
Here is a snippet of the results:

Title:  Disable Samba if Possible
Rule:   dcb-rhel5-3.18.1.a
Ident:  CCE-4551-8
Result: notapplicable

Title:  Require Client SMB Packet Signing, if using smbclient
Rule:   dcb-rhel5-3.18.2.10.a
Ident:  CCE-14075-6
Result: notapplicable

Title:  Require Client SMB Packet Signing, if using mount.cifs
Rule:   dcb-rhel5-3.18.2.11.a
Ident:  CCE-15029-2
Result: notapplicable

Title:  Disable Squid if Possible
Rule:   dcb-rhel5-3.19.1.a
Ident:  CCE-4556-7
Result: notapplicable

Title:  Uninstall Squid if Possible
Rule:   dcb-rhel5-3.19.1.b
Ident:  CCE-4076-6
Result: notapplicable

Here is the command given in the terminal that produced the previous results:

oscap xccdf eval --profile DOD_baseline_1.0.0.1 --cpe dcb-rhel5_cpe-dictionary.xml --results result.xml --oval-results dcb-rhel5_xccdf.xml
Rodney
9 years, 11 months
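Background on the question above, and an added example that is not code from the thread or from OpenSCAP: in XCCDF a rule inherits the benchmark's `<platform>` CPE, and when that CPE evaluates false on the target every rule comes back `notapplicable` rather than being tested. OpenSCAP resolves the CPE through the dictionary passed with `--cpe`, whose OVAL definitions typically test the redhat-release RPM; on CentOS that package is centos-release, so a RHEL 5 benchmark run on CentOS 6.4 is all `notapplicable` and says nothing about the host's configuration. The script below parses the file written by `--results`, tallies the rule results and names the declared platform so a run like this is flagged instead of being mistaken for a clean scan. The sample document is constructed by hand (CPE, rule ids and CCEs mirror the thread; the XML skeleton is illustrative XCCDF 1.1).

```python
"""Triage an XCCDF results file in which every rule is 'notapplicable'.

Added example; not code from the thread or from OpenSCAP. It parses the
document that `oscap xccdf eval --results result.xml` writes (the benchmark
with a TestResult appended), tallies the rule results, and lists the CPE
platforms the benchmark declares. The sample document is constructed by
hand: the CPE, rule ids and CCEs mirror the thread, the XML layout is an
illustrative XCCDF 1.1 skeleton.
"""
import xml.etree.ElementTree as ET
from collections import Counter

EVALUATED = ("pass", "fail", "error", "unknown", "fixed", "informational")


def _local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 documents parse the same way."""
    return tag.rsplit("}", 1)[-1]


def parse_results(xml_text):
    """Return benchmark-level platform CPEs, per-rule results and a tally."""
    root = ET.fromstring(xml_text)
    platforms = [c.get("idref") for c in root if _local(c.tag) == "platform"]
    rules = []
    for rr in root.iter():
        if _local(rr.tag) != "rule-result":
            continue
        result = ident = None
        for child in rr:
            if _local(child.tag) == "result":
                result = (child.text or "").strip()
            elif _local(child.tag) == "ident":
                ident = (child.text or "").strip()
        rules.append((rr.get("idref"), ident, result))
    return {"platforms": platforms, "rules": rules,
            "counts": Counter(r for _, _, r in rules)}


def diagnose(summary):
    """Classify the scan. A benchmark whose declared platform CPE evaluated
    false on the host marks every rule notapplicable, so such a scan says
    nothing about the host's configuration."""
    counts = summary["counts"]
    evaluated = sum(counts[k] for k in EVALUATED)
    na = counts["notapplicable"]
    if evaluated == 0 and na and summary["platforms"]:
        return "platform-mismatch: benchmark targets %s, no rule was evaluated" % (
            ", ".join(summary["platforms"]))
    if na and evaluated:
        return "partial: %d evaluated, %d notapplicable (rule-level platforms)" % (
            evaluated, na)
    if evaluated:
        return "ok: %d rules evaluated" % evaluated
    return "empty: no rule results"


# Constructed sample: a RHEL 5 benchmark run on a CentOS 6.4 host.
SAMPLE = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="dcb-rhel5">
  <platform idref="cpe:/o:redhat:enterprise_linux:5"/>
  <Rule id="dcb-rhel5-3.18.1.a"><title>Disable Samba if Possible</title></Rule>
  <Rule id="dcb-rhel5-3.19.1.b"><title>Uninstall Squid if Possible</title></Rule>
  <TestResult id="xccdf_org.open-scap_testresult_DOD_baseline_1.0.0.1">
    <target>centos64.example.internal</target>
    <rule-result idref="dcb-rhel5-3.18.1.a">
      <result>notapplicable</result>
      <ident system="http://cce.mitre.org">CCE-4551-8</ident>
    </rule-result>
    <rule-result idref="dcb-rhel5-3.19.1.b">
      <result>notapplicable</result>
      <ident system="http://cce.mitre.org">CCE-4076-6</ident>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def main():
    summary = parse_results(SAMPLE)
    for idref, ident, result in summary["rules"]:
        print("%-22s %-12s %s" % (idref, ident, result))
    print(diagnose(summary))


if __name__ == "__main__":
    main()
```

Point it at a real `result.xml` by replacing `SAMPLE` with the file's contents. If the verdict is `platform-mismatch`, the fix is on the content side (a benchmark and CPE dictionary whose platform actually matches the host), not on the host being scanned.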
19-MAY DISA RHEL6 STIG rebase
by Shawn Wells
This morning DISA FSO released an update against the Red Hat Enterprise
Linux 6 STIG.
- Clarifying language on contentious requirements;
- For customers performing manual system verification, there's been
a focus on properly documenting pass/fail tests;
- A few dozen bug fixes;
- Now includes OVAL automation;
- Release notes clearly indicate SSG as upstream consensus content! :)
Official content can be found on the DISA FSO website:
http://iase.disa.mil/stigs/os/unix/red_hat.html
I put a note out on social media for those (like myself) who didn't
receive FSO's EMail. Feel free to help pass the word!
LinkedIn:
http://linkd.in/1jjQwtV
Or twitter:
http://bit.ly/1kjLDBp
9 years, 11 months
GNOME Login Inactivity Timeout
by Matos, Carlos M (ES)
Hello all,
Not sure if this has been tackled yet but figured I'd ask anyways.
This is for the stig-rhel6-server-upstream xccdf profile for Security Identifier CCE-26828-4 it states the following:
Set GNOME Login Inactivity Timeout
Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes:
# gconftool-2 \
--direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /apps/gnome-screensaver/idle_delay 15
Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.
To check the current idle time-out value, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/idle_delay
If properly configured, the output should be 15.
There are two parts to my question:
1. I believe that this is checking the wrong location for this setting. Setting an idle_delay value in /apps/gnome-screensaver/idle_delay has no effect on actually locking this setting down. In fact, the correct location should be: /desktop/gnome/session/idle_delay and the proper way to set this would be:
# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /desktop/gnome/session/idle_delay 15
a. This has been tested and verified and you can also see: Red Hat bug 867945 <https://bugzilla.redhat.com/show_bug.cgi?id=867945>
2. I think it is well known that environments are always different. With that being said, in my instance, we set this value to 10, not 15, so of course this will fail.
a. Is there a way to update this to check to ensure that this value is either <= 15 OR maybe between 5 and 15?
Carlos
9 years, 11 months
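On the second part of the question above, a range check rather than an equality check is straightforward to express once the value is read from the mandatory source. The following is an added example, not code from the thread or from SSG: it reads the XML that the GConf XML backend keeps under /etc/gconf/gconf.xml.mandatory (nested `<dir name="...">` elements with `<entry name="..." type="int" value="..."/>` leaves in %gconf-tree.xml) and accepts any idle_delay inside a caller-supplied window, here 5..15 minutes. The file layout, the key paths and the sample tree are assumptions for the example; compare against your own mandatory source before relying on it.

```python
"""Range-check the GNOME idle_delay keys in a GConf mandatory tree.

Added example; not code from the thread or from SSG. Instead of testing
for exactly 15, check_idle_delay() accepts any value inside a window,
the 5..15 minute range asked about above. It reads the XML that the
gconf XML backend keeps under /etc/gconf/gconf.xml.mandatory (nested
<dir name="..."> elements with <entry name="..." type="int" value="..."/>
leaves in %gconf-tree.xml); that layout, the key names and the sample
tree are assumptions for this example.
"""
import xml.etree.ElementTree as ET

SCREENSAVER_KEY = "/apps/gnome-screensaver/idle_delay"  # key quoted in the SSG text
SESSION_KEY = "/desktop/gnome/session/idle_delay"       # key the post says takes effect


def lookup_int(tree_xml, key):
    """Walk /a/b/leaf through nested <dir> elements; None if absent or not an int."""
    node = ET.fromstring(tree_xml)
    *dirs, leaf = key.strip("/").split("/")
    for name in dirs:
        node = next((d for d in node.findall("dir") if d.get("name") == name), None)
        if node is None:
            return None
    entry = next((e for e in node.findall("entry") if e.get("name") == leaf), None)
    if entry is None or entry.get("type") != "int":
        return None
    return int(entry.get("value"))


def check_idle_delay(tree_xml, key=SESSION_KEY, low=5, high=15):
    """Return (status, value, reason). Values are minutes, as with gconftool-2."""
    value = lookup_int(tree_xml, key)
    if value is None:
        return ("fail", None, "%s is not set in the mandatory source" % key)
    if low <= value <= high:
        return ("pass", value, "%s=%d is within %d..%d" % (key, value, low, high))
    return ("fail", value, "%s=%d is outside %d..%d" % (key, value, low, high))


# Constructed sample: site policy sets the session key to 10 minutes and
# leaves the screensaver key unset.
SAMPLE_TREE = """<?xml version="1.0"?>
<gconf>
  <dir name="desktop">
    <dir name="gnome">
      <dir name="session">
        <entry name="idle_delay" mtime="1400000000" type="int" value="10"/>
      </dir>
    </dir>
  </dir>
</gconf>
"""

if __name__ == "__main__":
    for key in (SESSION_KEY, SCREENSAVER_KEY):
        print(check_idle_delay(SAMPLE_TREE, key))
```

Checking both keys is deliberate: a site that set only the session key, as the post describes, should pass on `SESSION_KEY` and fail on `SCREENSAVER_KEY`, which makes the "wrong key" problem visible in the output rather than hidden behind a single verdict.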
[PATCH 0/2] sshd idle timeout modifications
by David Smith
This patchset addresses concerns raised last week about the excessively short timeout window for SSH sessions in the CS2 profile:
1) adds two new values to the SSH idle timeout rule, 1 and 2 hours
2) specifies 1 hour timeout value in the CS2 profile
For some reason, a ton of unprintable/special characters appeared at the end of every line of the CS2 profile, so I nixed all of those -- thus the 700+ changed lines in the profile.
David Smith (2):
additional sshd timeout values
specified sshd timeout value
RHEL/6/input/profiles/CS2.xml | 748 ++++++++++++++++++++--------------------
RHEL/6/input/services/ssh.xml | 2 +
2 files changed, 376 insertions(+), 374 deletions(-)
9 years, 11 months
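The patch above changes what the CS2 profile asks for; what a server actually enforces depends on how sshd reads its file, and that is where audits of this rule usually go wrong. The following is an added example, not code from the patch or from SSG: it derives the effective idle timeout from an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins and later duplicates are ignored, ClientAliveInterval 0 disables the mechanism) and compares it against a ceiling. The 3600 s ceiling, the sample configs and the mapping of "one hour" to ClientAliveInterval 3600 are assumptions for the example. Match blocks are not modelled; parsing stops at the first Match line because everything after it is conditional.

```python
"""Derive the effective SSH idle timeout from sshd_config the way sshd does.

Added example; not code from the patch or from SSG. Keywords are
case-insensitive, the FIRST occurrence of a keyword wins, and
ClientAliveInterval 0 disables the idle timeout entirely. The 3600 s
ceiling and the sample configs are assumptions for this example.
Match blocks are not modelled: parsing stops at the first Match line.
"""
import re


def parse_sshd_config(text):
    """Return {keyword_lowercase: first value}, ignoring comments and Match blocks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        # setdefault keeps the first value, which is what sshd applies.
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def idle_timeout(text, max_seconds=3600):
    """Report the idle timeout sshd will enforce and whether it meets max_seconds."""
    s = parse_sshd_config(text)
    interval = int(s.get("clientaliveinterval", "0"))
    count = int(s.get("clientalivecountmax", "3"))  # OpenSSH default
    if interval == 0:
        return {"interval": 0, "count": count, "effective": None, "status": "fail",
                "reason": "ClientAliveInterval 0 disables the idle timeout"}
    if count == 0:
        # Version-dependent edge case: OpenSSH before 8.2 drops the session after
        # the first unanswered probe (one interval); 8.2 and later treat 0 as
        # "never disconnect". Flag it rather than guess the server version.
        return {"interval": interval, "count": 0, "effective": interval,
                "status": "warn",
                "reason": "ClientAliveCountMax 0: one interval on older sshd, "
                          "no disconnect on OpenSSH >= 8.2"}
    effective = interval * count
    ok = effective <= max_seconds
    return {"interval": interval, "count": count, "effective": effective,
            "status": "pass" if ok else "fail",
            "reason": "%d s x %d probes = %d s (limit %d s)" % (
                interval, count, effective, max_seconds)}


# Constructed samples.
CS2_STYLE = "ClientAliveInterval 3600\nClientAliveCountMax 1\n"
DUPLICATE_KEYS = ("clientaliveinterval 900\n"
                  "# later edit, ignored by sshd because the first value wins:\n"
                  "ClientAliveInterval 7200\n"
                  "ClientAliveCountMax 1\n")
MATCH_ONLY = "ClientAliveInterval 0\nMatch User admin\n    ClientAliveInterval 300\n"

if __name__ == "__main__":
    for name, cfg in (("cs2", CS2_STYLE), ("dup", DUPLICATE_KEYS), ("match", MATCH_ONLY)):
        print(name, idle_timeout(cfg))
```

The `DUPLICATE_KEYS` sample is the case a grep-based check gets wrong: a second `ClientAliveInterval` appended at the end of the file looks compliant to `grep`, but sshd keeps the first value. For a live server, `sshd -T` prints the effective configuration and is the authoritative source; the parser here is for offline review of collected config files.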
Re: Scap for Centos
by Mike Johnson
The VA has adopted the DISA STIG and CentOS has been approved for
development servers. I think there are enclave requirements, nevertheless,
it can be used.
Mike
> Date: Thu, 22 May 2014 17:06:32 -0400
> From: Shawn Wells <shawn(a)redhat.com>
> To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> Subject: Re: Scap for Centos
> Message-ID: <537E66D8.9040604(a)redhat.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> On 5/22/14, 3:43 PM, Derek Warner wrote:
> > Any chance anyone is working on getting SCAP to work on CENTOS? I
> > would love to use the scap security guide and secstate to validate
> > CENTOS 6.5. Right now it's a manual process going line by line in the
> > RHEL 5 STIG. I would really love to find out if anyone has anything
> > automated that works on CENTOS.
>
> Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> common criteria, no support, and doesn't meet any of the mandatory
> regulatory requirements, what's driving the need?
>
>
>
9 years, 11 months