I've been re-roaming through the SSG and this is probably the first of a
many-part thread regarding different checks.
TL;DR; The potential risk caused by enabling 'repo_gpgcheck' outweighs any
potential benefit if TLS is enabled.
In my opinion, the following check should *only* be enabled if all of your
repositories are internally managed.
The reason for this is that YUM presently does not (to my knowledge) have
any way to differentiate between package signing GPG keys and repo signing
This means that if, for instance, I host my packages via some shared Nexus,
then I have to add the Nexus GPG key to my trust list for the repo.
I fundamentally do *not* want to do this! I shouldn't be allowing my Nexus
maintainer to potentially install software on my system without my explicit
You should use TLS, and the repo should have a trusted certificate there
and that should be sufficient for the metadata until RPM can tell the
difference between these two certificates.
Please let me know if I've missed something, but I don't remember seeing
options to split out the two sets of certs.
Additionally, this is marked as 'high' severity and that seems to be
massive overkill considering that 1) the packages are still signed and
validated and 2) TLS is required.
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
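An added example (not from the list post or the SSG project) that audits .repo definitions for the combination the post argues about: TLS transport plus gpgcheck for packages, with repo_gpgcheck flagged because the gpgkey owner then becomes a trusted signer. The repo file content, hostnames and key paths are constructed.

```python
import configparser
from io import StringIO

# Constructed sample .repo content (hypothetical hosts and key paths): one repo
# served over plain http, one shared Nexus proxy over https with repo_gpgcheck on.
SAMPLE_REPO = """\
[internal-tools]
name=Internal tools
baseurl=http://repo.example.internal/tools/
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-internal

[shared-nexus]
name=Shared Nexus proxy
baseurl=https://nexus.example.internal/repository/yum/
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://nexus.example.internal/keys/nexus.asc
"""

URL_KEYS = ("baseurl", "mirrorlist", "metalink")


def audit_repos(repo_text: str) -> dict[str, list[str]]:
    """Return, per repo section, the findings a reviewer of this setup would raise."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(StringIO(repo_text))
    findings: dict[str, list[str]] = {}
    for name in cp.sections():
        sec = cp[name]
        notes: list[str] = []
        # Metadata integrity here rests on TLS, so every repo URL must be https.
        for key in URL_KEYS:
            for url in sec.get(key, "").split():
                if not url.startswith("https://"):
                    notes.append(f"{key} not served over TLS: {url}")
        # Package signatures must still be verified regardless of transport.
        if sec.get("gpgcheck", "0") != "1":
            notes.append("gpgcheck disabled: package signatures are not verified")
        # With repo_gpgcheck on, the gpgkey owner (here the Nexus host) lands in the
        # same trust list yum uses for packages; acceptable only for internal repos.
        if sec.get("repo_gpgcheck", "0") == "1":
            notes.append("repo_gpgcheck=1: gpgkey owner becomes a trusted signer")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for repo, notes in audit_repos(SAMPLE_REPO).items():
        print(repo, notes)
```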
On 1/31/18 10:22 PM, Luke Salsich wrote:
> Hey all,
> I've been using OpenSCAP for a while on our servers and really
> appreciate what it does.
> I've been looking around for a way to store scan results and then
> query them and I can't seem to locate any plugins or apps which do
> this other than SCAPTimony.
> SCAPTimony sounds great, but I'm not sure it's currently maintained
> and I don't really want to dive into Foreman just to store Oscap results.
> What does the community use for this kind of scan / report storing and
> We're currently using Ansible AWX to run scans and to manage
> remediation. Love to find a way to pull that XML into a central
This week was DevConf in Brno and this very topic came up multiple
times! The quick answer being broad agreement that "yes this must happen."
There are partner projects like Foreman (upstream) and Satellite
(downstream) which integrate scanning into their embedded databases. In
general there is a desire to unify SCAP with OpenControl for central
Many are in transit from Brno back home over the next few days, or
recovering locally from staying out all night for the past week :) Some
responses might be slightly delayed because of this.
If you could have database integration with SCAP.... what all would you
want it to do? Could you help the community form a few user stories?
Question on Ansible fixes: Might it be possible (and preferable per the DRY
principle) to have Ansible fixes invoke the Bash fixes which tend to be
Simple case in point: there are 6 bash/aide* fixes and only 2 ansible/aide*
fixes. Not to mention it's easier (at least for me) to build and test a
bash "fix" script than an Ansible one.
Related: When you provision a new instance, to harden do you run the bash
fixes (more complete) or the Ansible ones? I'm provisioning with Ansible so
guidance as to how best to harden it would be helpful.
Bonus question: How best to generate fixes? Should I run them all on a new
server, or can I run just those that match failing tests?
(apologies to list moderator - I initially sent this from an unsubscribed
There seems to be a mix of ansible and bash for fix-up scripts, in that
some rules only have bash fixes, others only have ansible fixes, while most
have both, and a few still have none. When applying remediation during a
scan, which ones get used? Is there a way to specify? If I have ansible
installed, will the ansible fixes automatically get used? If the ansible
ones are being used, do the bash-only fixes get run as well? What about
rules that have both?
Staff R&D Engineer, Scientific Computing
I'm trying to write my first OVAL check and the associated remediation
script. For my first try, I decided to test with a simple check
I think I succeeded in writing the OVAL check, but I have big issues with
the remediation: when I execute the remediate command using the results
file from the eval command, my remediation is never selected.
After some investigations, I realized that the fix wasn't generated into
the results file.
I must admit I'm a little bit lost and I don't understand why my
remediation fix is not generated into the results file.
That's why I'm looking for some help in order to understand how to
investigate for resolving that issue (which I'm sure is a newbie thing).
I put my files on the following GIST:
Thanks for your help.
This check and some related ones require auditing for all users and root. The suggested line includes these elements:
-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -k delete
Should this check include "-F auid=0" to properly audit the root user?
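An added example (not from the list post or the SSG project) that parses the auid filters of the rule quoted above and shows which login uids it fires for; it confirms that auid 0 falls outside `auid>=500` and that a separate `-F auid=0` rule (a hypothetical variant, not the project's) closes the gap. The `arch=b64` value replaces the page's ARCH placeholder and is an assumption.

```python
import re
import shlex
from typing import Callable

# The rule quoted in the message, with arch filled in as b64 (assumption).
SUGGESTED_RULE = ("-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename,renameat "
                  "-F auid>=500 -F auid!=4294967295 -k delete")
# Hypothetical companion rule covering root only.
ROOT_RULE = ("-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename,renameat "
             "-F auid=0 -k delete")

UNSET_AUID = 4294967295  # (unsigned)-1: processes whose login uid was never set

_OPS: dict[str, Callable[[int, int], bool]] = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b, "=": lambda a, b: a == b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}
_FILTER = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(.+)$")


def auid_filters(rule: str) -> list[tuple[str, int]]:
    """Return the (operator, value) pair of every '-F auid...' filter in a rule."""
    toks = shlex.split(rule)
    out: list[tuple[str, int]] = []
    for i, tok in enumerate(toks[:-1]):
        if tok != "-F":
            continue
        m = _FILTER.match(toks[i + 1])
        if m and m.group(1) == "auid":
            out.append((m.group(2), int(m.group(3))))
    return out


def rule_matches_auid(rule: str, auid: int) -> bool:
    """All -F filters on one rule are ANDed, so every auid filter must hold."""
    return all(_OPS[op](auid, val) for op, val in auid_filters(rule))


def uncovered_auids(rules: list[str], auids: list[int]) -> list[int]:
    """Login uids for which no rule in the set fires."""
    return [a for a in auids if not any(rule_matches_auid(r, a) for r in rules)]


if __name__ == "__main__":
    probe = [0, 499, 500, 1000, UNSET_AUID]
    print(uncovered_auids([SUGGESTED_RULE], probe))             # [0, 499, 4294967295]
    print(uncovered_auids([SUGGESTED_RULE, ROOT_RULE], probe))  # [499, 4294967295]
```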