Has anyone tried to install openSCAP on OS-X?
Is there an open source SCAP scanner for OS-X?
Greg Elin personal cell: 917-304-3488 personal email: greg@fotonotes.net email: gregelin@gitmachines.com
On 5/21/14, 6:07 PM, Greg Elin wrote:
Has anyone tried to install openSCAP on OS-X?
Is there an open source SCAP scanner for OS-X?
I've played with jOVAL for OSX. Worked great.
Agreed.
Thanks!
Greg
On Wed, May 21, 2014 at 6:42 PM, Kachigian, Christopher R < christopher.r.kachigian@lmco.com> wrote:
Agreed.
-- Chris
On 5/21/14, 6:18 PM, "Shawn Wells" shawn@redhat.com wrote:
On 5/21/14, 6:07 PM, Greg Elin wrote:
Has anyone tried to install openSCAP on OS-X?
Is there an open source SCAP scanner for OS-X?
I've played with jOVAL for OSX. Worked great.
http://joval.org/features/apple-macos-x/ _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Hello,
On Wed, 21 May 2014 18:07:27 -0400 Greg Elin gregelin@gitmachines.com wrote:
Has anyone tried to install openSCAP on OS-X?
Openscap is portable to other platforms in that the gnu autotools is the foundation of the build system. The libraries it uses are portable. There is support for everything required of SCAP 1.2 except OCIL.
That said, there are some deficiencies. Openscap is designed to be modular. To add a new test, you write an OVAL probe which is really simple. You fill in a structure and exit. Each probe is essentially a process spun-up on demand as the content is evaluated.
What is needed is someone that cares about a platform to contribute probes. The openscap developers have done the bulk of the work. It should be a couple hours/days of someone's time if they wanted to help the SCAP community by sending some code for porting to other platforms. We would welcome code enabling Windows, Android, OSX, or any other platform.
-Steve
Thanks for you notes, Steve.
Here is the use case driving my question for OpenSCAP on OS X. I'm not really trying to lock down the entire Mac, it's more that I am trying to just recognize the developer is on a Mac. Suggestions appreciated!
*Use case background: * I'm working on GovReady, a toolkit to make security assessments for FISMA purposes easier. My target audience or IT shops understaffed in security and always have a backlog. The idea is to create leverage openSCAP and SSG to create a more automated and user-friendly process to gain shared awareness of the certification-worthiness of a system.
*Use case:* Bob is a FISMA-naive needs to be more aware of the security of the app/system they are building. Janice is a IT administrator who needs to check how secure an open source Bob's app is but doesn't have a lot of time. Bob and Janice go to GovReady.org and download the toolkit, installing it in the app in question. Kind of like adding jQuery. They just download GovReady and unzip it into a directory. Next they type a simple line command, `govready install` and everything gets installed. Then they type `govready assess` (or `govready scan`) and some canned-tests (e.g. profiles) are run and beautiful reports generated. GovReady provides a kind of beginner wrapper around the underlying tools.
If Bob and Janice are CentOS/RHEL (or using a Vagrant VM running Linux), this is pretty easy. But many FISMA-naive developers in DC these days are on OS X or even Windows. So I'm trying to understand how I can create a simple install process that works cross-platform. The cross-platform install at BEST would install the appropriate open source scanning tool for the platform. If that is too hard right now, then at least the install process should fail gracefully and encourage the individual to use virtual machines.
Greg Elin personal cell: 917-304-3488 personal email: greg@fotonotes.net email: gregelin@gitmachines.com
On Thu, May 22, 2014 at 11:25 AM, Steve Grubb sgrubb@redhat.com wrote:
Hello,
On Wed, 21 May 2014 18:07:27 -0400 Greg Elin gregelin@gitmachines.com wrote:
Has anyone tried to install openSCAP on OS-X?
Openscap is portable to other platforms in that the gnu autotools is the foundation of the build system. The libraries it uses are portable. There is support for everything required of SCAP 1.2 except OCIL.
That said, there are some deficiencies. Openscap is designed to be modular. To add a new test, you write an OVAL probe which is really simple. You fill in a structure and exit. Each probe is essentially a process spun-up on demand as the content is evaluated.
What is needed is someone that cares about a platform to contribute probes. The openscap developers have done the bulk of the work. It should be a couple hours/days of someone's time if they wanted to help the SCAP community by sending some code for porting to other platforms. We would welcome code enabling Windows, Android, OSX, or any other platform.
-Steve
You could give a try to CIS-CAT http://benchmarks.cisecurity.org/downloads/audit-tools/
2014-05-22 19:45 GMT+04:00 Greg Elin gregelin@gitmachines.com:
Thanks for you notes, Steve.
Here is the use case driving my question for OpenSCAP on OS X. I'm not really trying to lock down the entire Mac, it's more that I am trying to just recognize the developer is on a Mac. Suggestions appreciated!
Use case background: I'm working on GovReady, a toolkit to make security assessments for FISMA purposes easier. My target audience or IT shops understaffed in security and always have a backlog. The idea is to create leverage openSCAP and SSG to create a more automated and user-friendly process to gain shared awareness of the certification-worthiness of a system.
Use case: Bob is a FISMA-naive needs to be more aware of the security of the app/system they are building. Janice is a IT administrator who needs to check how secure an open source Bob's app is but doesn't have a lot of time. Bob and Janice go to GovReady.org and download the toolkit, installing it in the app in question. Kind of like adding jQuery. They just download GovReady and unzip it into a directory. Next they type a simple line command, `govready install` and everything gets installed. Then they type `govready assess` (or `govready scan`) and some canned-tests (e.g. profiles) are run and beautiful reports generated. GovReady provides a kind of beginner wrapper around the underlying tools.
If Bob and Janice are CentOS/RHEL (or using a Vagrant VM running Linux), this is pretty easy. But many FISMA-naive developers in DC these days are on OS X or even Windows. So I'm trying to understand how I can create a simple install process that works cross-platform. The cross-platform install at BEST would install the appropriate open source scanning tool for the platform. If that is too hard right now, then at least the install process should fail gracefully and encourage the individual to use virtual machines.
Greg Elin personal cell: 917-304-3488 personal email: greg@fotonotes.net email: gregelin@gitmachines.com
On Thu, May 22, 2014 at 11:25 AM, Steve Grubb sgrubb@redhat.com wrote:
Hello,
On Wed, 21 May 2014 18:07:27 -0400 Greg Elin gregelin@gitmachines.com wrote:
Has anyone tried to install openSCAP on OS-X?
Openscap is portable to other platforms in that the gnu autotools is the foundation of the build system. The libraries it uses are portable. There is support for everything required of SCAP 1.2 except OCIL.
That said, there are some deficiencies. Openscap is designed to be modular. To add a new test, you write an OVAL probe which is really simple. You fill in a structure and exit. Each probe is essentially a process spun-up on demand as the content is evaluated.
What is needed is someone that cares about a platform to contribute probes. The openscap developers have done the bulk of the work. It should be a couple hours/days of someone's time if they wanted to help the SCAP community by sending some code for porting to other platforms. We would welcome code enabling Windows, Android, OSX, or any other platform.
-Steve
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 05/22/2014 12:07 AM, Greg Elin wrote:
Has anyone tried to install openSCAP on OS-X?
If I had a OS-X, I would try OpenSCAP.
Perhaps there were people who already tried. None of them has returned to the community with a patch or bug report. Hence, so far I can assume OpenSCAP works well on OS-X.
Best regards,
Simon,
Do you happy to know how they installed OpenSCAP on OA X?
Build from source? Mac ports?
Greg Elin P: 917-304-3488 E: gregelin@gitmachines.com
Sent from my iPhone
On May 23, 2014, at 2:56 AM, Simon Lukasik isimluk@fedoraproject.org wrote:
On 05/22/2014 12:07 AM, Greg Elin wrote: Has anyone tried to install openSCAP on OS-X?
If I had a OS-X, I would try OpenSCAP.
Perhaps there were people who already tried. None of them has returned to the community with a patch or bug report. Hence, so far I can assume OpenSCAP works well on OS-X.
Best regards,
-- Simon Lukasik Security Technologies _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On Friday, May 23, 2014 01:32:44 PM Greg Elin wrote:
Do you happy to know how they installed OpenSCAP on OA X?
I think he was saying that theoretically there could be people that have installed it on OSX.
Build from source? Mac ports?
Build from sources would be most likely way. There are some signs that people have been looking into it:
https://www.redhat.com/archives/open-scap-list/2011-October/msg00007.html
Google gives other hits, too. While all of the upper layers should be fine, there are no OSX specific probes. Anything in the unix schema _ought_ to work assuming libraries are ported.
-Steve
scap-security-guide@lists.fedorahosted.org
-
Greg Elin -
Jerome Athias -
Kachigian, Christopher R -
Shawn Wells -
Steve Grubb -
Šimon Lukašík