Hi Andrew,
----- Original Message -----
From: "Andrew Gilmore" <agilmore2(a)gmail.com>
To: "SCAP Security Guide" <scap-security-guide(a)lists.fedorahosted.org>
Sent: Thursday, October 16, 2014 12:50:08 AM
Subject: Re: [Bug 1066390] Include scap-security-guide in Red Hat Enterprise Linux 6
Woohoo! Can we confirm whether remediation scripts are included, or scanning
tools and content?
Both the checks & remediation scripts are included. Maybe this is the right
opportunity to shed more light on how a Red Hat Enterprise Linux system scan works.
There are three major components required:
* the [CLI] scanner (shipped within openscap-utils package),
* the content (system checks + remediations, shipped within scap-security-guide package),
* [optional] GUI tool to ease the task of checking particular system (shipped within
  scap-workbench package, which is for now available via EPEL-6 repository:
  [1] http://dl.fedoraproject.org/pub/epel/6/SRPMS/repoview/scap-workbench.html
  [2] https://fedorahosted.org/scap-workbench/
  )
Given the assumption these three packages are installed, the scan can then be
performed via:
* oscap CLI as follows:
    oscap xccdf eval --profile selected_profile_here \
      --report place_where_to_store_the_HTML_report_of_the_system_scan \
      path_to_rhel6_xccdf_file
  See oscap(8) or scap-security-guide(8) manual page for further details.
* via scap-workbench tool:
  Once run, provide the path to the RHEL6 XCCDF benchmark file (either in XML
  form: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml or in datastream form:
  /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml) in the "Open Source Datastream
  or XCCDF file" dialog. Once selected, select a particular profile (in the
  "Profile" select box) & see how the list of rules is refreshed. Then click the
  "Scan" button, see the progress & wait for the tool to finish. Once done, it's
  possible to see the HTML report (click the "Report" button) or save the generated
  artifacts for further inspection later (see "Save" select-button options).
  Refer to scap-workbench manual (in HTML form) for further information:
  https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/us...
To also perform remediation (IOW corrections for those rules that failed) use:
* also the --remediate option with the 'oscap xccdf eval ...' command above. E.g. something like:
oscap xccdf eval --remediate --profile selected_profile_here --report html_path \
path_to_ssg_rhel6_benchmark
* when using the scap-workbench tool, after loading a selected content, selecting a
  profile & *before* clicking the "Scan" button, ensure the "Online remediation"
  checkbox is selected too. Then click "Scan" as normal. The difference from the
  previous case is that in this scenario scap-workbench, besides scanning / checking
  the system, will also attempt remediation / corrections for cases where the
  particular requirement failed (results like 'fixed' should be visible in the main
  scap-workbench dialog).
Here again, people are encouraged to have a look at scap-workbench's user manual:
https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/us...
which provides additional information (& covers this use case / scenario & many more).
To keep the reply relatively short, there's one more interesting feature of
scap-workbench available - and that's support for remote (via SSH) system scans.
See section:
https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/us...
for further details. Here it's necessary to point out that only content / benchmark
provided in datastream (*-ds.xml) format can be used for remote system scans.
Hope the above clarifies things a bit more. Should you have further questions,
check oscap(8), scap-security-guide(8), scap-workbench(8) manual pages and / or
the aforementioned scap-workbench HTML manual.
Of course should you find some unclear bit yet (not properly covered in the manuals)
or just not obvious enough at first sight, feel free to bring it here.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
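
[Added example, not part of the original message or of the OpenSCAP / SSG projects.] The scan and remediation runs described above print one Title/Rule/Result block per rule on stdout; this sketch tallies those results, lists the rules still needing attention, and interprets the exit status documented in oscap(8). The sample output, its rule ids and all function names are constructed for illustration.

```shell
# Added example: summarize the per-rule blocks 'oscap xccdf eval' prints on stdout.
# Constructed sample output; rule ids and titles are made up for illustration.
sample_output() {
cat <<'EOF'
Title   Constructed rule: separate /tmp partition
Rule    constructed_tmp_partition
Result  fail

Title   Constructed rule: password minimum length
Rule    constructed_password_minlen
Result  fixed

Title   Constructed rule: audit daemon enabled
Rule    constructed_auditd_enabled
Result  pass
EOF
}

# Print "<result> <count>" for every result value seen, sorted by name.
tally_results() {
    awk '$1 == "Result" { n[$2]++ } END { for (r in n) print r, n[r] }' | LC_ALL=C sort
}

# Print the ids of rules that still need attention after the run.
rules_needing_attention() {
    awk '$1 == "Rule" { id = $2 }
         $1 == "Result" && $2 ~ /^(fail|error|unknown)$/ { print id }'
}

# oscap(8): 0 = evaluated and compliant, 2 = evaluated but not compliant,
# anything else = the scan itself did not complete.
explain_exit() {
    case "$1" in
        0) echo compliant ;;
        2) echo noncompliant ;;
        *) echo scan-error ;;
    esac
}

# Run a real scan (pass the same arguments as in the message) and summarize it.
# Not called here, so this file loads on a machine without oscap installed.
scan_and_summarize() {
    status=0
    out=$(oscap xccdf eval "$@") || status=$?
    printf '%s\n' "$out" | tally_results
    printf '%s\n' "$out" | rules_needing_attention
    explain_exit "$status"
}

sample_output | tally_results
```

On a system with the three packages installed, call scan_and_summarize with the same arguments shown in the message, for example --profile, --report and the path to ssg-rhel6-xccdf.xml.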
Just had to manually download and install openscap tools to a new VM this
week, and was hoping this was coming soon.
Congratulations to all!
On Wed, Oct 15, 2014 at 4:16 PM, Greg Elin < gregelin(a)gitmachines.com >
wrote:
Awesome!
Greg Elin
P: 917-304-3488
E: gregelin(a)gitmachines.com
Sent from my iPhone
On Oct 15, 2014, at 4:54 PM, Shawn Wells < shawn(a)redhat.com > wrote:
You guys.
As of yesterday, SSG is now shipping natively in RHEL 6.6! A sampling of
included profiles:
- RHEL6 STIG (DoD baseline)
- CS2 (Ft Meade baseline)
- C2S (CIA commercial cloud baseline)
- Red Hat CCP (for RHEL cloud images, e.g. Amazon AMIs)
- CSCF (MLS baseline used at NRO)
The inclusion of SSG is also being picked up by the press, including
international sites/magazines:
- http://www.zdnet.com/red-hat-enterprise-linux-6-6-arrives-7000034675/
- http://news.softpedia.com/news/Red-Hat-Enterprise-Linux-6-6-Arrives-with-...
- http://www.admin-magazin.de/News/Red-Hat-Enterprise-Linux-6.6-verfuegbar
- http://soft.mail.ru/pressrl_page.php?id=56721
This inclusion reflects almost 3 years of work by the community, and brings
RHEL to a point where tooling+content is natively included for STIG
compliance. This is exceptionally badass. It's been an amazing ride to get
us here -- thank you for everyone who has participated!!
For those in the Northern VA/DC/Maryland area, an SSG happy hour is in order.
First round on me. Say next Thursday (23-OCT), DuClaws at Arundel Mills?
-------- Original Message --------
Subject: [Bug 1066390] Include scap-security-guide in Red Hat Enterprise
Linux 6
Date: Tue, 14 Oct 2014 06:42:15 +0000
From: bugzilla(a)redhat.com
To: swells(a)redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1066390

errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|VERIFIED                    |CLOSED
         Resolution|---                         |ERRATA
        Last Closed|                            |2014-10-14 02:42:15

--- Comment #42 from errata-xmlrpc <errata-xmlrpc(a)redhat.com> ---
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHEA-2014-1471.html --
--
Shawn Wells
Director, Innovation Programs shawn(a)redhat.com | 443.534.0130 @shawndwells
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/