VMs, containers vs. bare-metal machines in SSG
by Martin Preisler
We have had increasing requests to scan containers and VM storage images
for compliance. In those use-cases a lot of our rules don't make sense.
For example, a separate partition for /tmp isn't really applicable to containers.
I thought about how we can deal with this in SSG. We have several options:
1) Separate benchmark and datastreams for containers and VM storage images:
ssg-rhel7-ds.xml and ssg-rhel7-container-ds.xml
2) Separate profile for containers and VM storage images:
pci-dss and pci-dss-container
3) Use applicability and CPE platforms to distinguish between what is being
scanned. That allows us to use the same pci-dss profile for bare-metal, VM,
VM storage image and container image.
Right now I am leaning towards 3) because it "unlocks" the feature
transparently to our users. There is nothing extra they have to study to
start scanning containers. The downside is that we will have to add "fake"
CPE IDs for platforms like "vm-storage" and "container". Rules that apply
to everything will have no <platform> element in them. Rules that apply
to just containers will have something like:
<platform idref="cpe:/a:*:container-image"/>
or
<platform idref="cpe:/a:*:vm-storage"/>
The official NIST CPE dictionary has these related CPE IDs:
cpe:/a:redhat:docker:1.5.0-27
cpe:/a:linuxcontainers:lxc:0.5.0
cpe:/a:redhat:libvirt:1.2.7
Not sure we want to go with any of those though. I would like to keep it
container and VM tech agnostic.
Before I start hacking this I would like to hear your thoughts.
--
Martin Preisler
Identity Management and Platform Security | Red Hat, Inc.
6 years, 7 months
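As an added illustration of option 3 (example code, not SSG's own): the XCCDF applicability logic that lets one profile serve bare-metal, VM storage and container targets. It uses the "container-image" and "vm-storage" ids proposed above and assumes a "cpe:/a:*:bare-metal" platform id plus three made-up rules.

```python
# Added example (not SSG's own code): how XCCDF platform applicability sorts
# rules by scan target under option 3. The fake CPE names "container-image"
# and "vm-storage" come from the proposal above; "cpe:/a:*:bare-metal" and the
# three rules are constructed here for illustration only.
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed benchmark fragment: one rule with no <platform> (applies
# everywhere), one that only makes sense where a real disk layout exists,
# and one that only makes sense inside a container image.
BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}">
  <Rule id="sshd_disable_root_login"/>
  <Rule id="partition_for_tmp">
    <platform idref="cpe:/a:*:bare-metal"/>
    <platform idref="cpe:/a:*:vm-storage"/>
  </Rule>
  <Rule id="no_sshd_in_container">
    <platform idref="cpe:/a:*:container-image"/>
  </Rule>
</Benchmark>"""


def rule_platforms(benchmark_xml):
    """Map each rule id to its set of platform CPEs (empty set = no <platform>)."""
    root = ET.fromstring(benchmark_xml)
    return {
        rule.get("id"): {p.get("idref") for p in rule.findall(f"{{{XCCDF_NS}}}platform")}
        for rule in root.findall(f"{{{XCCDF_NS}}}Rule")
    }


def evaluate(benchmark_xml, target_cpes):
    """XCCDF applicability: a rule without <platform> is always checked; a rule
    with platforms is checked only if at least one CPE matches the target,
    otherwise its result is 'notapplicable'."""
    target_cpes = set(target_cpes)
    return {
        rule_id: "checked" if not plats or plats & target_cpes else "notapplicable"
        for rule_id, plats in rule_platforms(benchmark_xml).items()
    }


if __name__ == "__main__":
    # The same rule set applied to two different targets.
    for label, cpes in [("bare-metal host", {"cpe:/a:*:bare-metal"}),
                        ("container image", {"cpe:/a:*:container-image"})]:
        print(label, evaluate(BENCHMARK, cpes))
```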
Importing to SecurityCenter
by Todd, Charles
Has anyone else zipped up one or more output files and gotten SecurityCenter ala ACAS to successfully scan with it?
I'm using the SSG in CentOS and openscap works great. SC recognizes the xccdf and rhel7 oval file zipped up as OVAL content. But I get errors about XML Schema validation when I actually scan. X-tool won't parse it either.
Thanks,
Charlie Todd
Ball Aerospace
7 years, 1 month
Problems with adding custom checks
by Michael Ward
Hey,
I'm hoping someone on this list can point me in the direction of what I'm doing wrong.
We would like to add some custom checks specific to our environment to the scap-security-guide content.
Since this is the first time I've tried to write any OVAL or XCCDF content, I thought I'd start with a nice simple package installed check for RHEL 6 (vmware-tools-core) as a method of learning more about how it all hangs together.
So I created an OVAL file based on some of the other package installed ones:
$ cat RHEL/6/input/oval/package_vmware-tools-core_installed.xml
<def-group>
  <definition class="compliance" id="package_vmware-tools-core_installed"
    version="1">
    <metadata>
      <title>Package vmware-tools-core Installed</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 6</platform>
      </affected>
      <description>The RPM package vmware-tools-core should be installed.</description>
    </metadata>
    <criteria>
      <criterion comment="package vmware-tools-core is installed"
        test_ref="test_package_vmware-tools-core_installed" />
    </criteria>
  </definition>
  <linux:rpminfo_test check="all" check_existence="all_exist"
    id="test_package_vmware-tools-core_installed" version="1"
    comment="package vmware-tools-core is installed">
    <linux:object object_ref="obj_package_vmware-tools-core_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_package_vmware-tools-core_installed" version="1">
    <linux:name>vmware-tools-core</linux:name>
  </linux:rpminfo_object>
</def-group>
And created a group / rule for it in xccdf:
$ cat RHEL/6/input/xccdf/system/test.xml
<Group id="test">
  <title>Test Checks</title>
  <description>Test Checks stuff..
  and stuff...</description>
  <Rule id="package_vmware-tools-core_installed" severity="medium">
    <title>VMWare Tools must be installed</title>
    <description>
      VMWare Tools must be installed on all VMware based VM's.
      <yum-macro install="true" package="vmware-tools-core"/>
    </description>
    <ocil clause="the package is not installed" >
      <package-check-macro package="vmware-tools-core" />
      <br /><br />
      If the system isn't a VMWare Based VM, this isn't applicable.
    </ocil>
    <rationale>Required package for operational support.</rationale>
    <oval id="package_vmware-tools-core_installed" />
  </Rule>
</Group>
Added a line into the common profile (RHEL/6/input/profiles/common.xml):
<select idref="package_vmware-tools-core_installed" selected="true" />
And finally, an entry in RHEL/6/input/guide.xslt:
<xsl:template match="Group[@id='test']">
  <xsl:copy>
    <xsl:copy-of select="@*|node()" />
    <xsl:apply-templates select="document('xccdf/services/test.xml')" />
  </xsl:copy>
</xsl:template>
However, attempting to make just the RHEL6 content fails:
$ make
xsltproc -stringparam ref "nist" -o output/table-rhel6-nistrefs.html transforms/xccdf2table-byref.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam profile "common" -o output/table-rhel6-nistrefs-common.html \
transforms/xccdf2table-profilenistrefs.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -o output/table-rhel6-cces.html transforms/xccdf2table-cce.xslt output/xccdf-unlinked-empty-groups.xml
xsltproc -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap.html \
transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
xsltproc -stringparam flat "y" -stringparam map-to-items "../output/xccdf-unlinked-empty-groups.xml" -o output/table-rhel6-srgmap-flat.html \
transforms/table-srgmap.xslt ../../shared/references/disa-os-srg-v1r4.xml
xmllint --xmlout --html --output output/table-rhel6-srgmap-flat.xhtml output/table-rhel6-srgmap-flat.html
# If openscap on the system supports OVAL-5.11 language version, include also OVAL-5.11 checks
# into final list of OVAL checks
# RHEL/6/input/oval/oval_5.11 is empty for now!!! Uncomment the next statement once required
# find input/oval/oval_5.11 -maxdepth 1 -type f -name '*.xml' -exec cp {} ';'
# System supports OVAL-5.11 => propagate 'RUNTIME_OVAL_VERSION' variable into the environment
find ../../shared/oval input/oval ../../shared/oval/oval_5.11 -name "*.xml" | xargs xmlwf
env RUNTIME_OVAL_VERSION='5.11' ../../shared/utils/combine-ovals.py ../../shared/../config rhel6 ../../shared/oval input/oval ../../shared/oval/oval_5.11 > output/unlinked-rhel6-oval.xml
Merged 499 OVAL checks.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_alternative_names' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
WARNING: OVAL ID 'variable_not_cd_dvd_drive_regex_pattern' is used multiple times and should represent the same elements.
Rewrite the OVAL checks. Place the identical IDs into their own definition and extend this definition by it.
xmllint --format --output output/unlinked-rhel6-oval.xml output/unlinked-rhel6-oval.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf.xml
xsltproc -o output/table-rhel6-stig-manual.html transforms/xccdf2table-stig.xslt ../../shared/references/disa-stig-rhel6-v1r12-xccdf-manual.xml
xsltproc -stringparam profile "stig-rhel6-server-upstream" -stringparam testinfo "y" -o output/table-stig-rhel6-testinfo.html \
transforms/xccdf2table-profileccirefs.xslt output/xccdf-unlinked-final.xml
xsltproc -stringparam overlay "../input/auxiliary/stig_overlay.xml" -o output/unlinked-stig-rhel6-xccdf.xml \
transforms/xccdf-apply-overlay-stig.xslt output/xccdf-unlinked-final.xml
xsltproc -o output/table-rhel6-stig.html transforms/xccdf2table-stig.xslt output/unlinked-stig-rhel6-xccdf.xml
cp output/xccdf-unlinked-final.xml output/unlinked-rhel6-xccdf.xml
xsltproc -o output/unlinked-rhel6-xccdf-guide.xml transforms/xccdf-removeaux.xslt output/unlinked-rhel6-xccdf.xml
../../shared/utils/cpe-generate.py output/unlinked-rhel6-oval.xml input/oval/platform/rhel6-cpe-dictionary.xml ssg
../../shared/utils/relabel-ids.py unlinked-rhel6-xccdf.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
../../shared/utils/relabel-ids.py xccdf-unlinked-ocilrefs.xml ssg
WARNING: OVAL check 'package_sssd_installed' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'service_sssd_enabled' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_memcache_timeout' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_offline_cred_expiration' was not found, removing <check-content> element from the XCCDF rule.
WARNING: OVAL check 'sssd_ssh_known_hosts_timeout' was not found, removing <check-content> element from the XCCDF rule.
xsltproc --stringparam reverse_DNS org.ssgproject.content /usr/share/openscap/xsl/xccdf_1.1_to_1.2.xsl \
output/ssg-rhel6-xccdf.xml > output/ssg-rhel6-xccdf-1.2.xml
sed -i 's/style="SCAP_1.1"/style="SCAP_1.2"/' output/ssg-rhel6-xccdf-1.2.xml
oscap ds sds-compose output/ssg-rhel6-xccdf-1.2.xml output/ssg-rhel6-ds.xml
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21316: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': 'dangling reference to package_vmware-tools-core_installed!' is not a valid value of the atomic type 'xs:NCName'.
File '/home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml' line 21716: Element '{http://checklists.nist.gov/xccdf/1.2}select', attribute 'idref': Warning: No precomputed value available, the value was either invalid or something strange happend.
<SNIP>
OpenSCAP Error: Unknown document type: 'ssg-rhel6-ocil.xml' [oscap_source.c:172]
Invalid SCAP Source Datastream (1.2) content in /home/rpmbuild/new/scap-security-guide/RHEL/6/output/ssg-rhel6-ds.xml. [oscap_source.c:268]
make: *** [content] Error 1
Is anyone able to point me in the direction of what I've missed?
Kind regards,
Michael Ward.
7 years, 3 months
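Two pre-build sanity checks, added here as example code rather than anything from scap-security-guide, for the two failures visible in the post above: a profile select idref that the datastream step reports as a dangling reference, and a guide.xslt document() path that does not match where the file was created (the posted XSLT reads xccdf/services/test.xml while the file was written to xccdf/system/test.xml). The benchmark fragment and the scratch input tree are constructed.

```python
# Added example, not part of scap-security-guide: two sanity checks for custom
# content. (1) every Profile <select idref> must name a Rule/Group id present in
# the benchmark (the "dangling reference" errors above); (2) every document()
# URI in guide.xslt must exist relative to the stylesheet. Inputs are constructed.
import os
import re
import tempfile
import xml.etree.ElementTree as ET

DOCUMENT_RE = re.compile(r"document\(\s*'([^']+)'\s*\)")

def dangling_selects(benchmark_xml):
    """Return sorted select idrefs that match no Rule or Group id."""
    root = ET.fromstring(benchmark_xml)
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # drop the XCCDF namespace
    ids = {el.get("id") for el in root.iter() if local(el) in ("Rule", "Group")}
    refs = {el.get("idref") for el in root.iter() if local(el) == "select"}
    return sorted(refs - ids)

def missing_documents(xslt_path):
    """Return document() URIs in the stylesheet that resolve to no file.
    A relative document() URI resolves against the stylesheet's own location."""
    base = os.path.dirname(xslt_path)
    with open(xslt_path) as fh:
        refs = DOCUMENT_RE.findall(fh.read())
    return sorted(r for r in refs if not os.path.isfile(os.path.join(base, r)))

# Constructed benchmark: the profile selects a rule id that was never merged in.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Profile id="common">
    <select idref="package_vmware-tools-core_installed" selected="true"/>
    <select idref="package_aide_installed" selected="true"/>
  </Profile>
  <Group id="test"><Rule id="package_aide_installed"/></Group>
</Benchmark>"""

def demo_xslt_check():
    """Recreate the path mismatch from the post in a scratch input tree."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "xccdf", "system"))
        with open(os.path.join(d, "xccdf", "system", "test.xml"), "w") as fh:
            fh.write('<Group id="test"/>')
        xslt = os.path.join(d, "guide.xslt")  # minimal fragment, enough for the regex
        with open(xslt, "w") as fh:
            fh.write("""<xsl:apply-templates select="document('xccdf/services/test.xml')"/>""")
        return missing_documents(xslt)

if __name__ == "__main__":
    print("dangling selects:", dangling_selects(BENCHMARK))
    print("missing document() files:", demo_xslt_check())
```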