Issue with Repo GPG Checking
by Trevor Vaughan
Hi All,
I've been re-roaming through the SSG and this is probably the first of a
many part thread regarding different checks.
TL;DR; The potential risk caused by enabling 'repo_gpgcheck' outweighs any
potential benefit if TLS is enabled.
In my opinion, the following check should *only* be enabled if all of your
repositories are internally managed
xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata.
The reason for this is that YUM presently does not (to my knowledge) have
any way to differentiate between package signing GPG keys and repo signing
GPG keys.
This means that if, for instance, I host my packages via some shared Nexus,
then I have to add the Nexus GPG key to my trust list for the repo.
I fundamentally do *not* want to do this! I shouldn't be allowing my Nexus
maintainer to potentially install software on my system without my explicit
knowledge.
You should use TLS, and the repo should have a trusted certificate there
and that should be sufficient for the metadata until RPM can tell the
difference between these two certificates.
Please let me know if I've missed something, but I don't remember seeing
options to split out the two sets of certs.
Additionally, this is marked as 'high' severity and that seems to be
massive overkill considering that 1) the packages are still signed and
validated and 2) TLS is required.
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
5 years, 5 months
Improve rule jboss_eap_vendor_supported
by Rich Lucente
This is a pretty newbie question on modifying the checks within SCAP. The
rule:
<Rule id="jboss_eap_vendor_supported" severity="high">
...
<oval id="jboss_eap_vendor_supported" value="var_jboss_profile" />
<ref srg="SRG-APP-000456-AS-000266" disa="2605" nist=""
stigid="JBOS-AS-000680"/>
</Rule>
checks if a "version.txt" file exists with a version matching a supported
release of Red Hat JBoss Enterprise Application Platform. This can be
found at scap-security-guide/jboss_eap6/xccdf/application/eap6.xml
I read the DISA STIG requirement to talk to use of unsupported community
JBoss releases such as JBoss AS and WildFly. Use of JBoss community
software would be a CAT I finding in the STIG. I created a bash script at
the following location to correctly find and identify JBoss community
releases:
https://github.com/RedHatGov/ansible-scan-jboss/blob/master/scan-communit...
This has been tested against 110 community JBoss AS/WildFly releases and 87
enterprise releases. The repository
https://github.com/RedHatGov/ansible-scan-jboss contains the script and a
test harness. A comprehensive dataset to test against is available at:
https://people.redhat.com/rlucente/test-distros.zip
The script looks for marker files that must be present in order to run the
community application server and then examines metadata within those files
to correctly identify them.
QUESTION: How can I incorporate this into the existing SCAP checks? I'm
finding the XML schemas a bit daunting to understand and I would also need
to use the script check engine for this.
I'll keep looking at the developer's guide on the website to sort this out
but if anyone is willing to collaborate, I'd greatly appreciate it.
Rich Lucente
Principal Solution Architect
Red Hat Public Sector
<https://www.redhat.com>
rlucente(a)redhat.com M: 240-994-0562
<https://red.ht/sig>
TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
6 years, 1 month
Tweet by Red Hat, Inc. on Twitter
by Shawn Wells
Red Hat, Inc. (@RedHatNews)
2/7/18, 10:55 PM
.@TechJournalist takes a look at the improved compliance capabilities of #RHEL 7.5 Beta bit.ly/2nr7VJa via @serverwatch #Linux
OpenSCAP and SSG getting some love in the press!
6 years, 1 month
Re: [Open-scap] oscap results stored in central database?
by Fen Labalme
Would love some XSLT files for parsing the XML files nicely (I've been
wanting this, but am not an XSLT sorta guy). If the transform included
name, CVE, perhaps RMF controls and result, well, that would be a great
start.
Had not seen wuzah - looks awesome. I don't need the PCI DSS but rather the
RMF low/mod controls, and I use Graylog instead of ELK, but these should be
straightforward issues to resolve. (And if resolved, can contribute the
patches - I love open source!)
=Fen
On Thu, Feb 1, 2018 at 4:01 PM, Luke Salsich <luke.salsich(a)gmail.com> wrote:
> ...
> All of this is to say maybe a first step would be to write some XSLT files
> for MariaDB and Postgre and then see where that goes? someone could use
> that to then start an API, etc.
>
> I also did want to mention the really great work the people at Wazuh have
> done in adding Open-Scap data to their OSSEC fork which then outputs data
> into elasticsearch / Kibana dashboards really nicely. I will continue to
> use their product gratefully, but as I say - I'm looking for data which I
> can query without having to master Lucene to get data out of Elasticsearch.
>
> http://wazuh.com
> https://documentation.wazuh.com/current/user-manual/capabilities/policy-
> monitoring/openscap/index.html
>
>
> On Thu, Feb 1, 2018 at 1:20 PM, Fen Labalme <fen.labalme(a)civicactions.com>
> wrote:
>
>> ...
>> I like https://osquery.io/ (open source at:
>> https://github.com/facebook/osquery)
>>
>> Also consider InSpec (https://github.com/chef/inspec) - though created
>> by/for Chef, it's entirely self-contained. OpenSCAP integrating with
>> either/both of these would be awesome.
>>
>
6 years, 1 month
Re: [Open-scap] oscap results stored in central database?
by Shawn Wells
On 2/1/18 1:21 PM, Luke Salsich wrote:
> Thanks for the comments guys. It helps me understand where things are
> and where they might be going.
>
> For me, I would write a (initial) user story much along the lines of:
>
> "I would like to be able to parse oscap results into a MySQL database
> so that I can compare specific aspects of these results to others from
> the same server or from other servers."
>
> I word it like this because I (personally) am not looking for a larger
> application framework (user interface, authentication, etc) that has
> to come along with the central database. I also like the idea of not
> being tied to one database engine and/or using a standardized API, but
> an API sounds like a few stories down the road.
>
> Anyway, I'm grateful for the thoughts. I was initially just checking
> to make sure that before I start working on converting the XML to SQL
> (probably with xslt and Python) that someone else hasn't already done
> that. I hate it when I build something only to find out later that
> someone in the community has already built it (and probably way better).
Imagine something like https://osquery.io/, except with enriched
compliance data.
6 years, 1 month
Re: [Open-scap] oscap results stored in central database?
by Shawn Wells
On 1/31/18 10:22 PM, Luke Salsich wrote:
> Hey all,
>
> I've been using OpenSCAP for a while on our servers and really
> appreciate what it does.
>
> I've been looking around for a way to store scan results and then
> query them and I can't seem to locate any plugins or apps which do
> this other than SCAPTimony.
>
> SCAPTimony sounds great, but I'm not sure it's currently maintained
> and I don't really want to dive into Foreman just to store Oscap results.
>
> What does the community use for this kind of scan / report storing and
> querying?
>
> We're currently using Ansible AWX to run scans and to manage
> remediation. Love to find a way to pull that XML into a central
> database.......
This week was DevConf in Brno [0] and this very topic came up multiple
times! The quick answer being broad agreement that "yes this must happen."
There are partner projects like Foreman (upstream) and Satellite
(downstream) which integrate scanning into their embedded databases. In
general there is a desire to unify SCAP with OpenControl for central
reporting though.
Many are in transit from Brno back home over the next few days, or
recovering locally from staying out all night for the past week :) Some
responses might be slightly delayed because of this.
If you could have database integration with SCAP.... what all would you
want it to do? Could you help the community form a few user stories?
[0] https://devconf.cz/cz/2018
6 years, 1 month