As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH certified cloud providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat packages installed on the system. The question to the group is: are there any recommendations or examples on how this may have been done previously? As an example, suppose a cloud image has a monitoring package or hypervisor para-virt rpms installed; I want to be made aware and have those reported by the check. An OVAL path was suggested below.
Does anyone have additional guidance on how/if I can do this with SCAP-related tools?
Thanks, -Matt
Matthew Mariani Partner Solution Architect M: +1-717-756-6834 mmariani@redhat.com
----- Original Message -----
From: "Shawn Wells" shawn@redhat.com
To: open-scap-list@redhat.com
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny, Thanks, very helpful. -Matt
----- Original Message -----
From: "Dan Haynes" dhaynes@mitre.org
To: "Matthew Mariani" mmariani@redhat.com, open-scap-list@redhat.com
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces@redhat.com [ mailto:open-scap-list-bounces@redhat.com ] On Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list@redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
SCAP newbie here. I'm working with the attached XCCDF profile definition to be used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF content. When I try both testing with the 'info' function and running an 'eval', I get an Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]

[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results /root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here http://www.open-scap.org/page/Documentation , I'm thinking I need a <Benchmark> wrapper around my profile. Am I on the right track, and if so is there a basic <Benchmark> syntax example available? I'm finding it difficult to id what's required and what's not in examples referenced on the Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may want to look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project ( https://fedorahosted.org/scap-security-guide/ ). It should serve as a good example and you may be able to reuse some of the content. They also have some tools that you could leverage to help generate the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG: https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633243...
You should now be able to clone the source and run a scan: https://fedorahosted.org/scap-security-guide/wiki/downloads
aka

$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
    --results /root/ssg-results-`date +%F`.xml \
    --report /root/ssg-results-`date +%F`.html \
    --cpe output/ssg-rhel6-cpe-dictionary.xml \
    output/ssg-rhel6-xccdf.xml

(The date is formatted with +%F so the file names contain no spaces; an unquoted bare `date` would split the path into several arguments.)
<blockquote>
2. Looking forward, in addition to these XCCDF checks, I have the need to detect non-RedHat signed packages installed on the system. Does anyone have guidance on how/if I can do that with SCAP tools? As an example, suppose a cloud image has a monitoring package or hypervisor para-virt rpms installed; I want to be made aware and have those reported by the check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL, which is a language for checking the state of an endpoint. There is the linux-def:rpminfo_test ( http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linux-d... ) which you can use to check various metadata about the packages installed on the system, including the signature key ID. With that in mind, you should be able to collect all RPMs on the system and filter out any RPMs that are signed by Red Hat, leaving only those that haven't been signed by Red Hat. I have attached an OVAL definition which shows how you might do this. Of course, you may need to modify it to include the appropriate signature key IDs.
Any help is appreciated. Thanks,
-Matt
</blockquote>
Since this is largely content related, feel free to kick over the conversation to the SSG mailing list: https://fedorahosted.org/scap-security-guide/ https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content guys play here, but content questions (for SSG) should be kicked over to the SSG community list :)
_______________________________________________ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets below.
1. Cloud image disk checks - do these checks exist already?
   a.) Minimum Disk - 6GB
   b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on the open-scap-list, Danny Haynes provided the attached OVAL definition, but I'm not sure how to build that into the rht-ccp profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Thanks, -Matt
----- Original Message -----
From: "Matthew Mariani" mmariani@redhat.com
To: scap-security-guide@lists.fedorahosted.org
Sent: Tuesday, October 15, 2013 2:22:25 PM
Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
+ the attachment for #2
----- Original Message -----
From: "Matthew Mariani" mmariani@redhat.com
To: scap-security-guide@lists.fedorahosted.org
Cc: "Karl Stevens" kstevens@redhat.com
Sent: Thursday, October 31, 2013 10:30:37 AM
Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
On 10/31/13, 10:32 AM, Matthew Mariani wrote:
+ the attachment for #2
From: "Matthew Mariani" mmariani@redhat.com
To: scap-security-guide@lists.fedorahosted.org
Cc: "Karl Stevens" kstevens@redhat.com
Sent: Thursday, October 31, 2013 10:30:37 AM
Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets below.
1. Cloud image disk checks - do these checks exist already?
   a.) Minimum Disk - 6GB
   b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on the open-scap-list, Danny Haynes provided the attached OVAL definition, but I'm not sure how to build that into the rht-ccp profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Content creation docs are... limited. To start, check out Section 5 of the workbook: http://blog-shawndwells.rhcloud.com/wp-content/uploads/2013/07/SCAP-Workshop...
It will step you through a *very* basic rule creation, generating both the XCCDF and OVAL, and should help you understand the linkage between the two components.
As for disk space, do a find on "partition_item" here: http://oval.mitre.org/language/version5.10.1/ovalsc/documentation/linux-syst...
Notice the two extend options:
- space_used
- space_left
We should be able to create your #1 based off these.
As for non-RH packages, your attached OVAL is on par here. Do a search for "rpm_info" on the URL above to get an idea of capabilities.... specifically the signature_keyid check!
So then, start with the workbook, and when your build fails, check the spelling of "rational" vs rationale ;) Check back here when done & we'll work out the OVAL checks.
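As an added illustration of the partition_item route Shawn points at (this is not SSG content and not from any attachment in the thread), the OVAL 5.10 fragment below implements Matt's check 1b, "Available Disk - 4GB or more", for the filesystem mounted on /. All IDs are placeholders. The space_used and space_left entities in that schema are block counts rather than bytes, so the threshold is expressed in blocks; 4096 bytes per block is assumed here, which gives 1048576 blocks for 4 GB. Check 1a (a 6 GB minimum size) is not shown, because partition_state in that schema offers only the two entities Shawn names, neither of which is the partition's total size.

```xml
<!-- Added example, placeholder IDs. Drop these sections into an oval_definitions document
     that declares xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux". -->
<definitions>
  <definition class="compliance" id="oval:ssg:def:10201" version="1">
    <metadata>
      <title>Root filesystem has at least 4 GB available</title>
      <affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected>
      <description>True when the partition mounted on / reports enough space_left.</description>
    </metadata>
    <criteria>
      <criterion test_ref="oval:ssg:tst:10201" comment="/ has at least 4 GB left"/>
    </criteria>
  </definition>
</definitions>
<tests>
  <!-- check="all": every collected partition_item (here, just /) must satisfy the state -->
  <linux:partition_test id="oval:ssg:tst:10201" version="1" check="all"
      comment="space_left on / meets the 4 GB threshold">
    <linux:object object_ref="oval:ssg:obj:10201"/>
    <linux:state state_ref="oval:ssg:ste:10201"/>
  </linux:partition_test>
</tests>
<objects>
  <linux:partition_object id="oval:ssg:obj:10201" version="1" comment="the root filesystem">
    <linux:mount_point>/</linux:mount_point>
  </linux:partition_object>
</objects>
<states>
  <!-- space_left counts blocks, not bytes. Assuming 4096-byte blocks:
       4 GB = 4 * 1024^3 / 4096 = 1048576 blocks. Adjust if the block size differs. -->
  <linux:partition_state id="oval:ssg:ste:10201" version="1" comment="at least 4 GB left">
    <linux:space_left datatype="int" operation="greater than or equal">1048576</linux:space_left>
  </linux:partition_state>
</states>
```

Before trusting the threshold, compare the space_left value of the partition_item recorded in the OVAL results (oscap xccdf eval --oval-results writes them next to the XCCDF results) against df -B 4096 / on the same host; if the two disagree, the block size assumption is wrong and the number needs adjusting.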
Hi SSG Team,
I'm making some progress here with code to check for non-RH progress (Huge thanks to Danny Haynes). Two questions:
1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if there are non-RH packages. My understanding is a 'True' results in a Pass of the rule - is that correct? However, I want True to result in a fail. How to make that happen?
2. In order to get past this non-RH package check, the openscap* and scap* packages need to be ignored. I tried adding filter exclusion statements on the rpminfo_object; however, I can't get past an error so I must have something wrong. Suggestions?
......
<linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
    comment="Collect all rpms and exclude those signed by Red Hat and exclude those from scap and openscap.">
  <linux:name operation="pattern match">.*</linux:name>
  <filter action="exclude">oval:ssg:ste:10101</filter>
  <!-- Matt: Adding these exclude statements causes the OpenSCAP error below -->
  <filter action="exclude">oval:ssg:ste:10102</filter>
  <filter action="exclude">oval:ssg:ste:10103</filter>
</linux:rpminfo_object>
.....
[root@rhel6client ~]# ./run_rht_scap_new
Title   Ensure /tmp Located On Separate Partition
Rule    partition_for_tmp
Ident   CCE-26435-8
Result  fail

Title   All packages should be RH signed package
Rule    non-rh_packages
Ident   (null)
Result  unknown

OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model. [oval_agent.c:180]
Attached are the full xccdf and oval I'm running, based on the RHEL6 ssg content, and a shortened version to show the relevant code additions I've added.
oscap xccdf eval --profile rht-ccp --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml --results /root/rht-ccp-results.new.xml --report /root/rht-ccp-report.new.html /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.new_ccp.xml
Thanks in advance for any help. -Matt
----- Original Message -----
From: "Matthew Mariani" mmariani@redhat.com
To: scap-security-guide@lists.fedorahosted.org
Cc: "Karl Stevens" kstevens@redhat.com
Sent: Thursday, October 31, 2013 10:32:29 AM
Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
+ the attachment for #2
_______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Hi SSG Team,
I'm making some progress here with code to check for non-RH progress (Huge thanks to Danny Haynes). Two questions:
1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if there are non-RH packages. My understanding is a 'True' results in a Pass of the rule - is that correct? However, I want True to result in a fail. How to make that happen?
2. In order to get past this non-RH package check, the openscap* and scap* packages need to be ignored. I tried adding filter exclusion statements on the rpminfo_object; however, I can't get past an error so I must have something wrong. Suggestions?
......
<linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
    comment="Collect all rpms and exclude those signed by Red Hat and exclude those from scap and openscap.">
  <linux:name operation="pattern match">.*</linux:name>
  <filter action="exclude">oval:ssg:ste:10101</filter>
  <!-- Matt: Adding these exclude statements causes the OpenSCAP error below -->
  <filter action="exclude">oval:ssg:ste:10102</filter>
  <filter action="exclude">oval:ssg:ste:10103</filter>
</linux:rpminfo_object>
.....
[root@rhel6client ~]# ./run_rht_scap_new
Title   Ensure /tmp Located On Separate Partition
Rule    partition_for_tmp
Ident   CCE-26435-8
Result  fail

Title   All packages should be RH signed package
Rule    non-rh_packages
Ident   (null)
Result  unknown

OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model. [oval_agent.c:180]
Attached is a shortened version to show the relevant code additions in the ssg XCCDF and OVAL files.
Thanks in advance for any help. -Matt
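To show how Danny's rpminfo_test suggestion, the earlier <Benchmark> wrapper question and the two questions above fit together, here is an added example (placeholder IDs, file names, key IDs and package patterns; it is neither Danny's attachment nor SSG content nor Matt's files): a minimal XCCDF 1.1 benchmark whose rht-ccp profile selects the rule, and the OVAL 5.10 document the rule references. The test uses check_existence="none_exist", so it is true, and the rule passes, only when nothing is left after the filters remove Red Hat-signed packages and the scanner's own packages; any other package makes the test false and the rule fail, which is the inversion asked for in question 1. Question 2 is handled by the second exclude state. Imported signing keys appear in the RPM database as unsigned gpg-pubkey entries, so a third state drops those too.

```xml
<!-- File 1: rht-ccp-example-xccdf.xml (placeholder name). Minimal XCCDF 1.1 benchmark. -->
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6-example">
  <status date="2013-11-01">draft</status>
  <title>Example benchmark wrapping the non-RH package rule</title>
  <version>0.1</version>
  <Profile id="rht-ccp">
    <title>Red Hat Certified Cloud Provider (example profile)</title>
    <select idref="non-rh_packages" selected="true"/>
  </Profile>
  <Rule id="non-rh_packages" severity="medium">
    <title>All packages should be RH signed packages</title>
    <description>Fails when any installed RPM is not signed with an accepted Red Hat key.</description>
    <!-- href is the OVAL file below (resolved relative to this file); name is the definition evaluated -->
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="rht-ccp-example-oval.xml" name="oval:ssg:def:10101"/>
    </check>
  </Rule>
</Benchmark>

<!-- File 2: rht-ccp-example-oval.xml (placeholder name). OVAL 5.10 definitions. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <generator>
    <oval:product_name>hand-written example</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2013-11-01T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition class="compliance" id="oval:ssg:def:10101" version="1">
      <metadata>
        <title>All installed RPMs are signed by Red Hat</title>
        <affected family="unix"><platform>Red Hat Enterprise Linux 6</platform></affected>
        <description>True only when no RPM remains after excluding Red Hat-signed packages,
        the SCAP scanner packages and imported gpg-pubkey entries.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:ssg:tst:10101" comment="no non-Red Hat package was collected"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- none_exist inverts the usual sense: the test is true when the object collects nothing,
         so a single leftover package makes the test false and the XCCDF rule fail -->
    <linux:rpminfo_test id="oval:ssg:tst:10101" version="1" check="all"
        check_existence="none_exist" comment="nothing left after the exclude filters">
      <linux:object object_ref="oval:ssg:obj:10101"/>
    </linux:rpminfo_test>
  </tests>
  <objects>
    <linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
        comment="every RPM, minus Red Hat-signed ones, the scanner's packages and gpg-pubkey entries">
      <linux:name operation="pattern match">.*</linux:name>
      <filter action="exclude">oval:ssg:ste:10101</filter>
      <filter action="exclude">oval:ssg:ste:10102</filter>
      <filter action="exclude">oval:ssg:ste:10103</filter>
    </linux:rpminfo_object>
  </objects>
  <states>
    <!-- Placeholder key IDs: replace with the IDs of the Red Hat signing keys you accept.
         Unsigned packages have an empty signature_keyid, never match, and are therefore reported. -->
    <linux:rpminfo_state id="oval:ssg:ste:10101" version="1" comment="signed with an accepted Red Hat key">
      <linux:signature_keyid operation="pattern match">^(REDHAT_KEY_ID_1|REDHAT_KEY_ID_2)$</linux:signature_keyid>
    </linux:rpminfo_state>
    <!-- Question 2: ignore the openscap* and scap* packages (assumed prefix pattern) -->
    <linux:rpminfo_state id="oval:ssg:ste:10102" version="1" comment="the scanner's own packages">
      <linux:name operation="pattern match">^(openscap|scap)</linux:name>
    </linux:rpminfo_state>
    <!-- Imported signing keys live in the rpmdb as unsigned gpg-pubkey pseudo-packages -->
    <linux:rpminfo_state id="oval:ssg:ste:10103" version="1" comment="gpg-pubkey entries">
      <linux:name>gpg-pubkey</linux:name>
    </linux:rpminfo_state>
  </states>
</oval_definitions>
```

Two things are worth confirming against a real run before relying on this. First, the exact format in which OpenSCAP records signature_keyid (look at a collected rpminfo_item in the OVAL results written by oscap xccdf eval --oval-results) so the key pattern matches it. Second, that unsigned packages, which carry an empty signature_keyid, are still collected and therefore reported; that is the intended behaviour, since an unsigned package is not a Red Hat package either. An error like the "No definition with ID" message above is consistent with the OVAL file not having loaded, so running oscap oval validate on the file is the quickest way to rule out malformed XML before looking at the filters themselves.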
----- Original Message -----
From: "Matthew Mariani" mmariani@redhat.com To: scap-security-guide@lists.fedorahosted.org Cc: "Karl Stevens" kstevens@redhat.com Sent: Thursday, October 31, 2013 10:32:29 AM Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
+ the attachment for #2
----- Original Message -----
From: "Matthew Mariani" mmariani@redhat.com To: scap-security-guide@lists.fedorahosted.org Cc: "Karl Stevens" kstevens@redhat.com Sent: Thursday, October 31, 2013 10:30:37 AM Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets below. 1. Cloud image disk checks - do these checks exist already? a.) Minimum Disk - 6GB b.) Available Disk - 4GB or more 2. Non-RH packages installed on the RHEL system - ** For this one, on the open-scap-list, Danny Hynes provided the attached OVAL definition, but I'm not sure how to build that into the rht-ccp profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Thanks, -Matt
----- Original Message -----
From: "Matthew Mariani" mmariani@redhat.com To: scap-security-guide@lists.fedorahosted.org Sent: Tuesday, October 15, 2013 2:22:25 PM Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matt,
A few quick comments inline.
Thanks,
Danny
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Matthew Mariani Sent: Tuesday, November 05, 2013 11:07 AM To: scap-security-guide@lists.fedorahosted.org Subject: Fwd: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG Team,
I'm making some progress here with code to check for non-RH progress (Huge thanks to Danny Hynes). Two questions:
1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if there are non-RH packages. My understanding is a 'True' results in a Pass of the rule - is that correct? However, I want True to result in a fail. How to make that happen?
The SCAP specifications provide a table that maps OVAL results to XCCDF results (http://scap.nist.gov/revision/index.html). In the SCAP 1.2 specification, specifically Section 4.5.2, it says:
* definitions with class="compliance" or class="inventory"
  - "true" maps to "Pass"
  - "false" maps to "Fail"
* definitions with class="vulnerability" or class="patch"
  - "false" maps to "Pass"
  - "true" maps to "Fail"
You may also want to consider joining the XCCDF and OVAL mailing lists as these are good places to ask questions about the specifications.
http://scap.nist.gov/specifications/xccdf/
http://oval.mitre.org/community/registration.html
2. In order to get past this non-RH package check, the openscap* and scap* packages need to be ignored. I tried adding filter exclusion statements on the rpminfo_object; however, I can't get past an error so I must have something wrong. Suggestions?
......
<linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
    comment="Collect all rpms and exclude those signed by Red Hat and exclude those from scap and openscap.">
  <linux:name operation="pattern match">.*</linux:name>
  <filter action="exclude">oval:ssg:ste:10101</filter>
  <!-- Matt: Adding these exclude statements causes the OpenSCAP error below -->
  <filter action="exclude">oval:ssg:ste:10102</filter>
  <filter action="exclude">oval:ssg:ste:10103</filter>
</linux:rpminfo_object>
.....

[root@rhel6client ~]# ./run_rht_scap_new
Title   Ensure /tmp Located On Separate Partition
Rule    partition_for_tmp
Ident   CCE-26435-8
Result  fail

Title   All packages should be RH signed package
Rule    non-rh_packages
Ident   (null)
Result  unknown

OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model. [oval_agent.c:180]
Unfortunately, I am not sure about this error. It sounds like when it tries to output the results, it is looking for oval:ssg:def:10101, but, can’t find it. It sounds like this might be a good question for the OpenSCAP list.
Also, I found this (http://blog-shawndwells.rhcloud.com/wp-content/uploads/2012/07/2013-03-25-SC...), if you haven’t seen it. It may help you with the content development.
Attached is a shortened version to show the relevant code additions in the ssg XCCDF and OVAL files.
Thanks in advance for any help. -Matt
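Putting Danny's two points together (collect every RPM with rpminfo_test and filter on the signature key ID; pick the definition class so that the SCAP 1.2 section 4.5.2 mapping turns "true" into an XCCDF "fail"), the following is a complete OVAL 5.10 definition added here as an illustration. It is neither the attachment circulated in the thread nor code from the scap-security-guide project. It reuses the identifiers from Matt's snippet (oval:ssg:def:10101, obj:10101, ste:10101/10102) so it can be read against it. The two Red Hat signing key IDs and the openscap/scap allowlist pattern are my assumptions, not values taken from the thread; confirm the key IDs on the target image with rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION} %{SUMMARY}\n' before relying on them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a stand-alone OVAL 5.10 document that reports "true" when any
     installed RPM is neither signed by a Red Hat release key nor on a small allowlist. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd
                        http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
  <generator>
    <oval:product_name>non-rh-packages example</oval:product_name>
    <oval:schema_version>5.10.1</oval:schema_version>
    <oval:timestamp>2013-11-06T00:00:00</oval:timestamp>
  </generator>

  <definitions>
    <!-- class="vulnerability": per SCAP 1.2 section 4.5.2 an OVAL "true" result maps to
         an XCCDF "fail", which is the behaviour wanted for "unexpected package present".
         With class="compliance" the same "true" would have been reported as "pass". -->
    <definition id="oval:ssg:def:10101" version="1" class="vulnerability">
      <metadata>
        <title>All packages should be Red Hat signed packages</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
        <description>True when at least one installed RPM is not signed by a Red Hat
          release key and is not one of the allowlisted scanner packages.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:ssg:tst:10101"
            comment="at least one non-Red-Hat-signed RPM remains after filtering"/>
      </criteria>
    </definition>
  </definitions>

  <tests>
    <!-- No state is referenced: the test is purely an existence check over the
         filtered object set, so "true" means the set is non-empty. -->
    <linux:rpminfo_test id="oval:ssg:tst:10101" version="1"
        check="all" check_existence="at_least_one_exists"
        comment="non-Red-Hat-signed RPMs exist on the system">
      <linux:object object_ref="oval:ssg:obj:10101"/>
    </linux:rpminfo_test>
  </tests>

  <objects>
    <!-- Collect every installed RPM, then drop (filter action="exclude") the items
         that match either state. Filters must follow the entity elements. -->
    <linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
        comment="all RPMs minus Red Hat signed ones and the allowlisted scanner packages">
      <linux:name operation="pattern match">.*</linux:name>
      <filter action="exclude">oval:ssg:ste:10101</filter>
      <filter action="exclude">oval:ssg:ste:10102</filter>
    </linux:rpminfo_object>
  </objects>

  <states>
    <!-- ASSUMPTION: key IDs of the Red Hat release keys as I expect them on RHEL 6
         (lower-case 16 hex digits, the form rpminfo reports). Verify on the image. -->
    <linux:rpminfo_state id="oval:ssg:ste:10101" version="1"
        comment="signed by a Red Hat release key">
      <linux:signature_keyid operation="pattern match">^(199e2f91fd431d51|219180cddb42a60e)$</linux:signature_keyid>
    </linux:rpminfo_state>
    <!-- ASSUMPTION: the scanner itself is allowed regardless of who signed it. Keep this
         pattern as narrow as possible; anything matching it is invisible to the check. -->
    <linux:rpminfo_state id="oval:ssg:ste:10102" version="1"
        comment="scanner packages allowed regardless of signer">
      <linux:name operation="pattern match">^(openscap|scap-security-guide)</linux:name>
    </linux:rpminfo_state>
  </states>
</oval_definitions>
```

To wire it into the rht-ccp profile, the XCCDF Rule's check element uses system="http://oval.mitre.org/XMLSchema/oval-definitions-5" and a check-content-ref whose href is the OVAL file and whose name is oval:ssg:def:10101. Because the test only reports existence, the XCCDF report says pass or fail; the names of the offending packages are in the collected items of the OVAL results file (the --results output), which is where a provider would look to see what was flagged.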
I might be more concerned that the "non-rh_packages" Rule would drive developers to /not/ package software into RPMs at all.
But of course, I have very little context with regard to when/how this CCP profile would be exercised. It's certainly possible to add these sorts of things to the project in a manner that makes explicit their specialized scenario.
On Wed, Nov 6, 2013 at 10:33 AM, Haynes, Dan dhaynes@mitre.org wrote:
On 11/11/13, 11:37 PM, Jeffrey Blank wrote:
I might be more concerned that the "non-rh_packages" Rule would drive developers to /not/ package software into RPMs at all.
But of course, I have very little context with regard to when/how this CCP profile would be exercised. It's certainly possible to add these sorts of things to the project in a manner that makes explicit their specialized scenario.
As part of Red Hat's larger certified cloud provider (CCP) program, third party cloud providers must provide Red Hat evidence that their RHEL AMIs/images meet certain standards imposed by Red Hat. Historically these standards have been enforced with bash and python hackery. We're trying to standardize things via SCAP.
The rht-ccp profile will scan the base image/AMI. Standards aren't as stringent as, say, a STIG, but we want to ensure all CCPs enable things like SSHv2, partitions for /tmp and /var/log/audit, SELinux is running, etc. Once the image is certified between Red Hat and the CCP, the images are released to the CCP end users.
CCP certification is largely done to ensure consistency of the _/initial/_ RHEL experience to end-users between multiple cloud providers. End users will be able to do whatever they please -- install additional software, turn off the original security controls, etc.
It's unlikely other profiles will use non-rh_packages, however as you noted, the flexibility to support per-profile specialized rules is a great capability of the SSG project!
the flexibility to support per-profile specialized rules is a great capability of the SSG project!
Agreed here. It's expected that additional profile(s) will be needed within the CCP context. For example, Manager Service Providers (a type of CCP) are one use case where customization of RHEL images is expected. MSPs often install their own monitoring/backup packages, etc. that would be flagged by a non-RH package check. We'll need to build a profile to account for such circumstances (I'm working on that deliverable).
-Matt
Matthew Mariani Cloud Solution Architect M: +1-717-756-6834 mmariani@redhat.com
----- Original Message -----
From: "Shawn Wells" shawn@redhat.com To: scap-security-guide@lists.fedorahosted.org Sent: Tuesday, November 12, 2013 8:33:35 PM Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)