1:22 p.m.
As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH certified cloud
providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat
packages installed on the system. The question to the group is: are there any
recommendations or examples on how this may have been done previously. As example, suppose
a cloud image has a monitoring package or hypervisor para-virt rpms install, I want to be
made aware and have those reported by the check. An OVAL path was suggested below.
Does anyone have additional guidance on how/if I can do this with SCAP-related tools?
Thanks,
-Matt
Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani(a)redhat.com
----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: open-scap-list(a)redhat.com
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny,
Thanks, very helpful.
-Matt
----- Original Message -----
From: "Dan Haynes" <dhaynes(a)mitre.org>
To: "Matthew Mariani" <mmariani(a)redhat.com> , open-scap-list(a)redhat.com
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces(a)redhat.com [ mailto:open-scap-list-bounces@redhat.com ] On
Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list(a)redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
'SCAP newbie here. I'm working with the attached XCCDF profile definition to be
used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security
profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF content. When I
try both testing with the 'info' function and running an 'eval', I get an
Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here
http://www.open-scap.org/page/Documentation , I'm thinking I need a <Benchmark>
wrapper around my profile. Am I on the right track, and if so is there a basic
<Benchmark> syntax example available? I'm finding it difficult to id what's
required and what's not in examples referenced on the Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may want to
look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project (
https://fedorahosted.org/scap-security-guide/ ). It should serve as a good example and you
may be able to reuse some of the content. They also have some tools that you could
leverage to help generate the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633...
You should now be able to clone the source and run a scan:
https://fedorahosted.org/scap-security-guide/wiki/downloads
aka
$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd
scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
--results /root/ssg-results-`date`.xml \
--report /root/ssg-results-`date`.html \
--cpe output/ssg-rhel6-cpe-dictionary.xml \
output/ssg-rhel6-xccdf.xml
<blockquote>
2. Looking forward, in addition to these XCCDF checks, I have the need to detect
non-RedHat signed packaged installed on the system. Does anyone have guidance on how/if I
can do that with SCAP tools. As example, suppose a cloud image has a monitoring package or
hypervisor para-virt rpms install, I want to be made aware and have those reported by the
check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL
which is an language for checking the state of an endpoint. There is the
linux-def:rpminfo_test (
http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu...
) which you can use to check various metadata about the packages installed on the system
including the signature key ID. With that in mind, you should be able to collect all RPMs
on the system and filter out any RPMs that are signed by Red Hat leaving only those that
haven’t been signed by Red Hat. I have attached an OVAL definition which shows how you
might do this. Of course, you may need to modify it to include the appropriate signature
key IDs.
Any help is appreciated. Thanks,
-Matt
</blockquote>
Since this is largely content related, feel free to kick over the conversation to the SSG
mailing list:
https://fedorahosted.org/scap-security-guide/
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content guys play
here, but content questions (for SSG) should be kicked over to the SSG community list :)
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
9:30 a.m.
New subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets
below.
1. Cloud image disk checks - do these checks exist already?
a.) Minimum Disk - 6GB
b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on the open-scap-list,
Danny Hynes provided the attached OVAL definition, but I'm not sure how to build that
into the rht-ccp profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Thanks,
-Matt
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, October 15, 2013 2:22:25 PM
Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH certified cloud
providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat
packages installed on the system. The question to the group is: are there any
recommendations or examples on how this may have been done previously. As example, suppose
a cloud image has a monitoring package or hypervisor para-virt rpms install, I want to be
made aware and have those reported by the check. An OVAL path was suggested below.
Does anyone have additional guidance on how/if I can do this with SCAP-related tools?
Thanks,
-Matt
Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani(a)redhat.com
----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: open-scap-list(a)redhat.com
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny,
Thanks, very helpful.
-Matt
----- Original Message -----
From: "Dan Haynes" <dhaynes(a)mitre.org>
To: "Matthew Mariani" <mmariani(a)redhat.com> , open-scap-list(a)redhat.com
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces(a)redhat.com [ mailto:open-scap-list-bounces@redhat.com ] On
Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list(a)redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
'SCAP newbie here. I'm working with the attached XCCDF profile definition to be
used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security
profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF content. When I
try both testing with the 'info' function and running an 'eval', I get an
Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here
http://www.open-scap.org/page/Documentation , I'm thinking I need a <Benchmark>
wrapper around my profile. Am I on the right track, and if so is there a basic
<Benchmark> syntax example available? I'm finding it difficult to id what's
required and what's not in examples referenced on the Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may want to
look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project (
https://fedorahosted.org/scap-security-guide/ ). It should serve as a good example and you
may be able to reuse some of the content. They also have some tools that you could
leverage to help generate the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633...
You should now be able to clone the source and run a scan:
https://fedorahosted.org/scap-security-guide/wiki/downloads
aka
$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd
scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
--results /root/ssg-results-`date`.xml \
--report /root/ssg-results-`date`.html \
--cpe output/ssg-rhel6-cpe-dictionary.xml \
output/ssg-rhel6-xccdf.xml
<blockquote>
2. Looking forward, in addition to these XCCDF checks, I have the need to detect
non-RedHat signed packaged installed on the system. Does anyone have guidance on how/if I
can do that with SCAP tools. As example, suppose a cloud image has a monitoring package or
hypervisor para-virt rpms install, I want to be made aware and have those reported by the
check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL
which is an language for checking the state of an endpoint. There is the
linux-def:rpminfo_test (
http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu...
) which you can use to check various metadata about the packages installed on the system
including the signature key ID. With that in mind, you should be able to collect all RPMs
on the system and filter out any RPMs that are signed by Red Hat leaving only those that
haven’t been signed by Red Hat. I have attached an OVAL definition which shows how you
might do this. Of course, you may need to modify it to include the appropriate signature
key IDs.
Any help is appreciated. Thanks,
-Matt
</blockquote>
Since this is largely content related, feel free to kick over the conversation to the SSG
mailing list:
https://fedorahosted.org/scap-security-guide/
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content guys play
here, but content questions (for SSG) should be kicked over to the SSG community list :)
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
9:32 a.m.
New subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
+ the attachment for #2
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:30:37 AM
Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets
below.
1. Cloud image disk checks - do these checks exist already?
a.) Minimum Disk - 6GB
b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on the open-scap-list,
Danny Hynes provided the attached OVAL definition, but I'm not sure how to build that
into the rht-ccp profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Thanks,
-Matt
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, October 15, 2013 2:22:25 PM
Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH certified cloud
providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat
packages installed on the system. The question to the group is: are there any
recommendations or examples on how this may have been done previously. As example, suppose
a cloud image has a monitoring package or hypervisor para-virt rpms install, I want to be
made aware and have those reported by the check. An OVAL path was suggested below.
Does anyone have additional guidance on how/if I can do this with SCAP-related tools?
Thanks,
-Matt
Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani(a)redhat.com
----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: open-scap-list(a)redhat.com
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny,
Thanks, very helpful.
-Matt
----- Original Message -----
From: "Dan Haynes" <dhaynes(a)mitre.org>
To: "Matthew Mariani" <mmariani(a)redhat.com> , open-scap-list(a)redhat.com
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces(a)redhat.com [ mailto:open-scap-list-bounces@redhat.com ] On
Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list(a)redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
'SCAP newbie here. I'm working with the attached XCCDF profile definition to be
used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security
profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF content. When I
try both testing with the 'info' function and running an 'eval', I get an
Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here
http://www.open-scap.org/page/Documentation , I'm thinking I need a <Benchmark>
wrapper around my profile. Am I on the right track, and if so is there a basic
<Benchmark> syntax example available? I'm finding it difficult to id what's
required and what's not in examples referenced on the Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may want to
look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project (
https://fedorahosted.org/scap-security-guide/ ). It should serve as a good example and you
may be able to reuse some of the content. They also have some tools that you could
leverage to help generate the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633...
You should now be able to clone the source and run a scan:
https://fedorahosted.org/scap-security-guide/wiki/downloads
aka
$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd
scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
--results /root/ssg-results-`date`.xml \
--report /root/ssg-results-`date`.html \
--cpe output/ssg-rhel6-cpe-dictionary.xml \
output/ssg-rhel6-xccdf.xml
<blockquote>
2. Looking forward, in addition to these XCCDF checks, I have the need to detect
non-RedHat signed packaged installed on the system. Does anyone have guidance on how/if I
can do that with SCAP tools. As example, suppose a cloud image has a monitoring package or
hypervisor para-virt rpms install, I want to be made aware and have those reported by the
check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL
which is an language for checking the state of an endpoint. There is the
linux-def:rpminfo_test (
http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu...
) which you can use to check various metadata about the packages installed on the system
including the signature key ID. With that in mind, you should be able to collect all RPMs
on the system and filter out any RPMs that are signed by Red Hat leaving only those that
haven’t been signed by Red Hat. I have attached an OVAL definition which shows how you
might do this. Of course, you may need to modify it to include the appropriate signature
key IDs.
Any help is appreciated. Thanks,
-Matt
</blockquote>
Since this is largely content related, feel free to kick over the conversation to the SSG
mailing list:
https://fedorahosted.org/scap-security-guide/
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content guys play
here, but content questions (for SSG) should be kicked over to the SSG community list :)
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
12:17 a.m.
New subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
On 10/31/13, 10:32 AM, Matthew Mariani wrote:
+ the attachment for #2
------------------------------------------------------------------------
*From: *"Matthew Mariani" <mmariani(a)redhat.com>
*To: *scap-security-guide(a)lists.fedorahosted.org
*Cc: *"Karl Stevens" <kstevens(a)redhat.com>
*Sent: *Thursday, October 31, 2013 10:30:37 AM
*Subject: *Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6
checks for the bullets below.
1. Cloud image disk checks - do these checks exist already?
a.) Minimum Disk - 6GB
b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one,
on the open-scap-list, Danny Hynes provided the attached OVAL
definition, but I'm not sure how to build that into the rht-ccp
profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Content creation docs are... limited. To start, check out Section 5 of
the workbook:
http://blog-shawndwells.rhcloud.com/wp-content/uploads/2013/07/SCAP-Works...
It will step you through a *very* basic rule creation, generating both
the XCCDF and OVAL, and should help you understand the linkage between
the two components.
As for disk space, do a find on "partition_item" here:
http://oval.mitre.org/language/version5.10.1/ovalsc/documentation/linux-s...
Notice the two extend options:
- space_used
- space_left
We should be able to create your #1 based off these.
As for non-RH packages, your attached OVAL is on par here. Do a search
for "rpm_info" on the URL above to get an idea of capabilities....
specifically the signature_keyid check!
So then, start with the workbook, and when your build fails, check the
spelling of "rational" vs rationale ;) Check back here when done & we'll
work out the OVAL checks.
9:36 a.m.
New subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG Team,
I'm making some progress here with code to check for non-RH progress (Huge thanks to
Danny Hynes). Two questions:
1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if there are
non-RH packages. My understanding is a 'True' results in a Pass of the rule - is
that correct? However, I want True to result in a fail. How to make that happen?
2. In order to get past this non-RH package check, the openscap* and scap* packages need
to be ignored. I tried adding filter exclusion statements on the rpminfo_object; hoewever,
can't get past an error so I must have something wrong. Suggestions?
......
<linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
comment="Collect all rpms and exclude those signed by Red Hat and exclude those from
scap and openscap.">
<linux:name operation="pattern match">.*</linux:name>
<filter action="exclude">oval:ssg:ste:10101</filter>
<!-->Matt: Adding these exclude statements causes the OpenSCAP error below<-->
<filter action="exclude">oval:ssg:ste:10102</filter>
<filter action="exclude">oval:ssg:ste:10103</filter>
</linux:rpminfo_object>
.....
[root@rhel6client ~]# ./run_rht_scap_new
Title Ensure /tmp Located On Separate Partition
Rule partition_for_tmp
Ident CCE-26435-8
Result fail
Title All packages should be RH signed package
Rule non-rh_packages
Ident (null)
Result unknown
OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model.
[oval_agent.c:180]
Attached are the full xccdf and oval I'm running, based on the RHEL6 ssg content, and
a shortened version to show the relevant code additions I've added.
oscap xccdf eval --profile rht-ccp --cpe
/usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml --results
/root/rht-ccp-results.new.xml --report
/root/rht-ccp-report.new.html
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.new_ccp.xml
Thanks in advance for any help.
-Matt
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:32:29 AM
Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
+ the attachment for #2
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:30:37 AM
Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets
below.
1. Cloud image disk checks - do these checks exist already?
a.) Minimum Disk - 6GB
b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on the open-scap-list,
Danny Hynes provided the attached OVAL definition, but I'm not sure how to build that
into the rht-ccp profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Thanks,
-Matt
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, October 15, 2013 2:22:25 PM
Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH certified cloud
providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat
packages installed on the system. The question to the group is: are there any
recommendations or examples on how this may have been done previously. As example, suppose
a cloud image has a monitoring package or hypervisor para-virt rpms install, I want to be
made aware and have those reported by the check. An OVAL path was suggested below.
Does anyone have additional guidance on how/if I can do this with SCAP-related tools?
Thanks,
-Matt
Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani(a)redhat.com
----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: open-scap-list(a)redhat.com
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny,
Thanks, very helpful.
-Matt
----- Original Message -----
From: "Dan Haynes" <dhaynes(a)mitre.org>
To: "Matthew Mariani" <mmariani(a)redhat.com> , open-scap-list(a)redhat.com
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces(a)redhat.com [ mailto:open-scap-list-bounces@redhat.com ] On
Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list(a)redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
'SCAP newbie here. I'm working with the attached XCCDF profile definition to be
used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security
profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF content. When I
try both testing with the 'info' function and running an 'eval', I get an
Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here
http://www.open-scap.org/page/Documentation , I'm thinking I need a <Benchmark>
wrapper around my profile. Am I on the right track, and if so is there a basic
<Benchmark> syntax example available? I'm finding it difficult to id what's
required and what's not in examples referenced on the Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may want to
look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project (
https://fedorahosted.org/scap-security-guide/ ). It should serve as a good example and you
may be able to reuse some of the content. They also have some tools that you could
leverage to help generate the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633...
You should now be able to clone the source and run a scan:
https://fedorahosted.org/scap-security-guide/wiki/downloads
aka
$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd
scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
--results /root/ssg-results-`date`.xml \
--report /root/ssg-results-`date`.html \
--cpe output/ssg-rhel6-cpe-dictionary.xml \
output/ssg-rhel6-xccdf.xml
<blockquote>
2. Looking forward, in addition to these XCCDF checks, I have the need to detect
non-RedHat signed packaged installed on the system. Does anyone have guidance on how/if I
can do that with SCAP tools. As example, suppose a cloud image has a monitoring package or
hypervisor para-virt rpms install, I want to be made aware and have those reported by the
check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL
which is an language for checking the state of an endpoint. There is the
linux-def:rpminfo_test (
http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu...
) which you can use to check various metadata about the packages installed on the system
including the signature key ID. With that in mind, you should be able to collect all RPMs
on the system and filter out any RPMs that are signed by Red Hat leaving only those that
haven’t been signed by Red Hat. I have attached an OVAL definition which shows how you
might do this. Of course, you may need to modify it to include the appropriate signature
key IDs.
Any help is appreciated. Thanks,
-Matt
</blockquote>
Since this is largely content related, feel free to kick over the conversation to the SSG
mailing list:
https://fedorahosted.org/scap-security-guide/
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content guys play
here, but content questions (for SSG) should be kicked over to the SSG community list :)
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
10:06 a.m.
New subject: Fwd: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG Team,
I'm making some progress here with code to check for non-RH progress (Huge thanks to
Danny Hynes). Two questions:
1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if there are
non-RH packages. My understanding is a 'True' results in a Pass of the rule - is
that correct? However, I want True to result in a fail. How to make that happen?
2. In order to get past this non-RH package check, the openscap* and scap* packages need
to be ignored. I tried adding filter exclusion statements on the rpminfo_object; hoewever,
can't get past an error so I must have something wrong. Suggestions?
......
<linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
comment="Collect all rpms and exclude those signed by Red Hat and exclude those from
scap and openscap.">
<linux:name operation="pattern match">.*</linux:name>
<filter action="exclude">oval:ssg:ste:10101</filter>
<!-->Matt: Adding these exclude statements causes the OpenSCAP error below<-->
<filter action="exclude">oval:ssg:ste:10102</filter>
<filter action="exclude">oval:ssg:ste:10103</filter>
</linux:rpminfo_object>
.....
[root@rhel6client ~]# ./run_rht_scap_new
Title Ensure /tmp Located On Separate Partition
Rule partition_for_tmp
Ident CCE-26435-8
Result fail
Title All packages should be RH signed package
Rule non-rh_packages
Ident (null)
Result unknown
OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model.
[oval_agent.c:180]
Attached is a shortened version to show the relevant code additions in the ssg XCCDF and
OVAL files.
Thanks in advance for any help.
-Matt
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:32:29 AM
Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
+ the attachment for #2
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:30:37 AM
Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets
below.
1. Cloud image disk checks - do these checks exist already?
a.) Minimum Disk - 6GB
b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on the open-scap-list,
Danny Hynes provided the attached OVAL definition, but I'm not sure how to build that
into the rht-ccp profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Thanks,
-Matt
----- Original Message -----
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, October 15, 2013 2:22:25 PM
Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH certified cloud
providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat
packages installed on the system. The question to the group is: are there any
recommendations or examples on how this may have been done previously. As example, suppose
a cloud image has a monitoring package or hypervisor para-virt rpms install, I want to be
made aware and have those reported by the check. An OVAL path was suggested below.
Does anyone have additional guidance on how/if I can do this with SCAP-related tools?
Thanks,
-Matt
Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani(a)redhat.com
----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: open-scap-list(a)redhat.com
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny,
Thanks, very helpful.
-Matt
----- Original Message -----
From: "Dan Haynes" <dhaynes(a)mitre.org>
To: "Matthew Mariani" <mmariani(a)redhat.com> , open-scap-list(a)redhat.com
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces(a)redhat.com [ mailto:open-scap-list-bounces@redhat.com ] On
Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list(a)redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
'SCAP newbie here. I'm working with the attached XCCDF profile definition to be
used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security
profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF content. When I
try both testing with the 'info' function and running an 'eval', I get an
Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here
http://www.open-scap.org/page/Documentation , I'm thinking I need a <Benchmark>
wrapper around my profile. Am I on the right track, and if so is there a basic
<Benchmark> syntax example available? I'm finding it difficult to id what's
required and what's not in examples referenced on the Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may want to
look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project (
https://fedorahosted.org/scap-security-guide/ ). It should serve as a good example and you
may be able to reuse some of the content. They also have some tools that you could
leverage to help generate the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633...
You should now be able to clone the source and run a scan:
https://fedorahosted.org/scap-security-guide/wiki/downloads
aka
$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd
scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
--results /root/ssg-results-`date`.xml \
--report /root/ssg-results-`date`.html \
--cpe output/ssg-rhel6-cpe-dictionary.xml \
output/ssg-rhel6-xccdf.xml
<blockquote>
2. Looking forward, in addition to these XCCDF checks, I have the need to detect
non-RedHat signed packaged installed on the system. Does anyone have guidance on how/if I
can do that with SCAP tools. As example, suppose a cloud image has a monitoring package or
hypervisor para-virt rpms install, I want to be made aware and have those reported by the
check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL
which is an language for checking the state of an endpoint. There is the
linux-def:rpminfo_test (
http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu...
) which you can use to check various metadata about the packages installed on the system
including the signature key ID. With that in mind, you should be able to collect all RPMs
on the system and filter out any RPMs that are signed by Red Hat leaving only those that
haven’t been signed by Red Hat. I have attached an OVAL definition which shows how you
might do this. Of course, you may need to modify it to include the appropriate signature
key IDs.
Any help is appreciated. Thanks,
-Matt
</blockquote>
Since this is largely content related, feel free to kick over the conversation to the SSG
mailing list:
https://fedorahosted.org/scap-security-guide/
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content guys play
here, but content questions (for SSG) should be kicked over to the SSG community list :)
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
9:33 a.m.
New subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi Matt,
A few quick comments inline.
Thanks,
Danny
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Matthew Mariani
Sent: Tuesday, November 05, 2013 11:07 AM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Fwd: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG Team,
I'm making some progress here with code to check for non-RH progress (Huge thanks to
Danny Hynes). Two questions:
1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if there
are non-RH packages. My understanding is a 'True' results in a Pass of the rule -
is that correct? However, I want True to result in a fail. How to make that happen?
The SCAP specifications provide a table that maps OVAL results to XCCDF results
(http://scap.nist.gov/revision/index.html). In the SCAP 1.2 specification, specifically
Section 4.5.2, it says:
*definitions with class=”compliance” or class=”inventory”
-“true” maps to “Pass”
-“false” maps to “Fail”
*definitions with class=”vulnerability” or class=”patch”
-“false” maps to “Pass”
-“true” maps to “Fail”
You may also want to consider joining the XCCDF and OVAL mailing lists as these are good
places to ask questions about the specifications.
http://scap.nist.gov/specifications/xccdf/
http://oval.mitre.org/community/registration.html
2. In order to get past this non-RH package check, the openscap* and scap* packages need
to be ignored. I tried adding filter exclusion statements on the rpminfo_object;
hoewever, can't get past an error so I must have something wrong. Suggestions?
......
<linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
comment="Collect all rpms and exclude those signed by Red Hat and exclude those from
scap and openscap.">
<linux:name operation="pattern match">.*</linux:name>
<filter action="exclude">oval:ssg:ste:10101</filter>
<!-->Matt: Adding these exclude statements causes the OpenSCAP error
below<-->
<filter action="exclude">oval:ssg:ste:10102</filter>
<filter action="exclude">oval:ssg:ste:10103</filter>
</linux:rpminfo_object>
.....
[root@rhel6client ~]# ./run_rht_scap_new
Title Ensure /tmp Located On Separate Partition
Rule partition_for_tmp
Ident CCE-26435-8
Result fail
Title All packages should be RH signed package
Rule non-rh_packages
Ident (null)
Result unknown
OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model.
[oval_agent.c:180]
Unfortunately, I am not sure about this error. It sounds like when it tries to output the
results, it is looking for oval:ssg:def:10101, but, can’t find it. It sounds like this
might be a good question for the OpenSCAP list.
Also, I found this
(http://blog-shawndwells.rhcloud.com/wp-content/uploads/2012/07/2013-03-25...),
if you haven’t seen it. It may help you with the content development.
Attached is a shortened version to show the relevant code additions in the ssg XCCDF and
OVAL files.
Thanks in advance for any help.
-Matt
________________________________
From: "Matthew Mariani"
<mmariani@redhat.com<mailto:mmariani@redhat.com>>
To:
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>
Cc: "Karl Stevens"
<kstevens@redhat.com<mailto:kstevens@redhat.com>>
Sent: Thursday, October 31, 2013 10:32:29 AM
Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
+ the attachment for #2
________________________________
From: "Matthew Mariani"
<mmariani@redhat.com<mailto:mmariani@redhat.com>>
To:
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>
Cc: "Karl Stevens"
<kstevens@redhat.com<mailto:kstevens@redhat.com>>
Sent: Thursday, October 31, 2013 10:30:37 AM
Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets
below.
1. Cloud image disk checks - do these checks exist already?
a.) Minimum Disk - 6GB
b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on the
open-scap-list, Danny Hynes provided the attached OVAL definition, but I'm not sure
how to build that into the rht-ccp profile. Does anyone have an example?
Any guidance on how to proceed is appreciated.
Thanks,
-Matt
________________________________
From: "Matthew Mariani"
<mmariani@redhat.com<mailto:mmariani@redhat.com>>
To:
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>
Sent: Tuesday, October 15, 2013 2:22:25 PM
Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH certified cloud
providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat
packages installed on the system. The question to the group is: are there any
recommendations or examples on how this may have been done previously. As example,
suppose a cloud image has a monitoring package or hypervisor para-virt rpms install, I
want to be made aware and have those reported by the check. An OVAL path was suggested
below.
Does anyone have additional guidance on how/if I can do this with SCAP-related tools?
Thanks,
-Matt
Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani@redhat.com<mailto:mmariani@redhat.com>
________________________________
From: "Shawn Wells" <shawn@redhat.com<mailto:shawn@redhat.com>>
To: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny,
Thanks, very helpful.
-Matt
________________________________
From: "Dan Haynes" <dhaynes@mitre.org><mailto:dhaynes@mitre.org>
To: "Matthew Mariani"
<mmariani@redhat.com><mailto:mmariani@redhat.com>,
open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces@redhat.com<mailto:open-scap-list-bounces@redhat.com>
[mailto:open-scap-list-bounces@redhat.com] On Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
'SCAP newbie here. I'm working with the attached XCCDF profile definition to be
used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security
profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF content. When
I try both testing with the 'info' function and running an 'eval', I get
an Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here
http://www.open-scap.org/page/Documentation, I'm thinking I need a <Benchmark>
wrapper around my profile. Am I on the right track, and if so is there a basic
<Benchmark> syntax example available? I'm finding it difficult to id what's
required and what's not in examples referenced on the Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may want to
look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project
(https://fedorahosted.org/scap-security-guide/). It should serve as a good example and
you may be able to reuse some of the content. They also have some tools that you could
leverage to help generate the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633...
You should now be able to clone the source and run a scan:
https://fedorahosted.org/scap-security-guide/wiki/downloads
aka
$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd
scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
--results /root/ssg-results-`date`.xml \
--report /root/ssg-results-`date`.html \
--cpe output/ssg-rhel6-cpe-dictionary.xml \
output/ssg-rhel6-xccdf.xml
2. Looking forward, in addition to these XCCDF checks, I have the need to detect
non-RedHat signed packaged installed on the system. Does anyone have guidance on how/if I
can do that with SCAP tools. As example, suppose a cloud image has a monitoring package
or hypervisor para-virt rpms install, I want to be made aware and have those reported by
the check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL
which is an language for checking the state of an endpoint. There is the
linux-def:rpminfo_test
(http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu...)
which you can use to check various metadata about the packages installed on the system
including the signature key ID. With that in mind, you should be able to collect all RPMs
on the system and filter out any RPMs that are signed by Red Hat leaving only those that
haven’t been signed by Red Hat. I have attached an OVAL definition which shows how you
might do this. Of course, you may need to modify it to include the appropriate signature
key IDs.
Any help is appreciated. Thanks,
-Matt
Since this is largely content related, feel free to kick over the conversation to the SSG
mailing list:
https://fedorahosted.org/scap-security-guide/
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content guys play
here, but content questions (for SSG) should be kicked over to the SSG community list :)
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com<mailto:Open-scap-list@redhat.com>
https://www.redhat.com/mailman/listinfo/open-scap-list
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
10:37 p.m.
New subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
I might be more concerned that the "non-rh_packages" Rule would drive
developers to /not/ package software into RPMs at all.
But of course, I have very little context with regard to when/how this
CCP profile would be exercised. It's certainly possible to add these
sorts of things to the project in a manner that makes explicit their
specialized scenario.
On Wed, Nov 6, 2013 at 10:33 AM, Haynes, Dan <dhaynes(a)mitre.org> wrote:
Hi Matt,
A few quick comments inline.
Thanks,
Danny
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of
Matthew Mariani
Sent: Tuesday, November 05, 2013 11:07 AM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Fwd: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG Team,
I'm making some progress here with code to check for non-RH progress (Huge
thanks to Danny Hynes). Two questions:
1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if
there are non-RH packages. My understanding is a 'True' results in a Pass
of the rule - is that correct? However, I want True to result in a fail.
How to make that happen?
The SCAP specifications provide a table that maps OVAL results to XCCDF
results (http://scap.nist.gov/revision/index.html). In the SCAP 1.2
specification, specifically Section 4.5.2, it says:
*definitions with class=”compliance” or class=”inventory”
-“true” maps to “Pass”
-“false” maps to “Fail”
*definitions with class=”vulnerability” or class=”patch”
-“false” maps to “Pass”
-“true” maps to “Fail”
You may also want to consider joining the XCCDF and OVAL mailing lists as
these are good places to ask questions about the specifications.
http://scap.nist.gov/specifications/xccdf/
http://oval.mitre.org/community/registration.html
2. In order to get past this non-RH package check, the openscap* and scap*
packages need to be ignored. I tried adding filter exclusion statements on
the rpminfo_object; hoewever, can't get past an error so I must have
something wrong. Suggestions?
......
<linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
comment="Collect all rpms and exclude those signed by Red Hat and exclude
those from scap and openscap.">
<linux:name operation="pattern match">.*</linux:name>
<filter action="exclude">oval:ssg:ste:10101</filter>
<!-->Matt: Adding these exclude statements causes the OpenSCAP error
below<-->
<filter action="exclude">oval:ssg:ste:10102</filter>
<filter action="exclude">oval:ssg:ste:10103</filter>
</linux:rpminfo_object>
.....
[root@rhel6client ~]# ./run_rht_scap_new
Title Ensure /tmp Located On Separate Partition
Rule partition_for_tmp
Ident CCE-26435-8
Result fail
Title All packages should be RH signed package
Rule non-rh_packages
Ident (null)
Result unknown
OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model.
[oval_agent.c:180]
Unfortunately, I am not sure about this error. It sounds like when it tries
to output the results, it is looking for oval:ssg:def:10101, but, can’t find
it. It sounds like this might be a good question for the OpenSCAP list.
Also, I found this
(http://blog-shawndwells.rhcloud.com/wp-content/uploads/2012/07/2013-03-25...),
if you haven’t seen it. It may help you with the content development.
Attached is a shortened version to show the relevant code additions in the
ssg XCCDF and OVAL files.
Thanks in advance for any help.
-Matt
________________________________
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:32:29 AM
Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
+ the attachment for #2
________________________________
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:30:37 AM
Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for
the bullets below.
1. Cloud image disk checks - do these checks exist already?
a.) Minimum Disk - 6GB
b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on
the open-scap-list, Danny Hynes provided the attached OVAL definition, but
I'm not sure how to build that into the rht-ccp profile. Does anyone have
an example?
Any guidance on how to proceed is appreciated.
Thanks,
-Matt
________________________________
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, October 15, 2013 2:22:25 PM
Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF
example.
As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH
certified cloud providers. In addition to these XCCDF-based checks, I need
to also detect any non-RedHat packages installed on the system. The
question to the group is: are there any recommendations or examples on how
this may have been done previously. As example, suppose a cloud image has a
monitoring package or hypervisor para-virt rpms install, I want to be made
aware and have those reported by the check. An OVAL path was suggested
below.
Does anyone have additional guidance on how/if I can do this with
SCAP-related tools?
Thanks,
-Matt
Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani(a)redhat.com
________________________________
From: "Shawn Wells" <shawn(a)redhat.com>
To: open-scap-list(a)redhat.com
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF
example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny,
Thanks, very helpful.
-Matt
________________________________
From: "Dan Haynes" <dhaynes(a)mitre.org>
To: "Matthew Mariani" <mmariani(a)redhat.com>, open-scap-list(a)redhat.com
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces(a)redhat.com
[mailto:open-scap-list-bounces@redhat.com] On Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list(a)redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
'SCAP newbie here. I'm working with the attached XCCDF profile definition
to be used with a RHEL6 system. The end goal is to define a standard RHEL
cloud image security profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF
content. When I try both testing with the 'info' function and running an
'eval', I get an Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here
http://www.open-scap.org/page/Documentation, I'm thinking I need a
<Benchmark> wrapper around my profile. Am I on the right track, and if so
is there a basic <Benchmark> syntax example available? I'm finding it
difficult to id what's required and what's not in examples referenced on the
Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may
want to look at the RHEL6 STIG SCAP content being developed in the
scap-security-guide project (https://fedorahosted.org/scap-security-guide/).
It should serve as a good example and you may be able to reuse some of the
content. They also have some tools that you could leverage to help generate
the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into
SSG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633...
You should now be able to clone the source and run a scan:
https://fedorahosted.org/scap-security-guide/wiki/downloads
aka
$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git
; cd scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
--results /root/ssg-results-`date`.xml \
--report /root/ssg-results-`date`.html \
--cpe output/ssg-rhel6-cpe-dictionary.xml \
output/ssg-rhel6-xccdf.xml
2. Looking forward, in addition to these XCCDF checks, I have the need to
detect non-RedHat signed packaged installed on the system. Does anyone have
guidance on how/if I can do that with SCAP tools. As example, suppose a
cloud image has a monitoring package or hypervisor para-virt rpms install, I
want to be made aware and have those reported by the check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed
packages using OVAL which is an language for checking the state of an
endpoint. There is the linux-def:rpminfo_test
(http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu...)
which you can use to check various metadata about the packages installed on
the system including the signature key ID. With that in mind, you should be
able to collect all RPMs on the system and filter out any RPMs that are
signed by Red Hat leaving only those that haven’t been signed by Red Hat. I
have attached an OVAL definition which shows how you might do this. Of
course, you may need to modify it to include the appropriate signature key
IDs.
Any help is appreciated. Thanks,
-Matt
Since this is largely content related, feel free to kick over the
conversation to the SSG mailing list:
https://fedorahosted.org/scap-security-guide/
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content
guys play here, but content questions (for SSG) should be kicked over to the
SSG community list :)
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
7:33 p.m.
New subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
On 11/11/13, 11:37 PM, Jeffrey Blank wrote:
I might be more concerned that the "non-rh_packages" Rule
would drive
developers to/not/ package software into RPMs at all.
But of course, I have very little context with regard to when/how this
CCP profile would be exercised. It's certainly possible to add these
sorts of things to the project in a manner that makes explicit their
specialized scenario.
As part of Red Hat's larger certified cloud provider (CCP) program,
third party cloud providers must provide Red Hat evidence that their
RHEL AMIs/images meet certain standards imposed by Red Hat. Historically
these standards have been enforced with bash and python hackery. We're
trying to standardize things via SCAP.
The rht-ccp profile will scan the base image/AMI. Standards aren't as
stringent as, say, a STIG, but we want to ensure all CCPs enable things
like SSHv2, partitions for /tmp and /var/log/audit, SELinux is running,
etc. Once the image is certified between Red Hat and the CCP, the images
are released to the CCP end users.
CCP certification is largely done to ensure consistency of the
_/initial/_ RHEL experience to end-users between multiple cloud
providers. End users will be able to do whatever they please -- install
additional software, turn off the original security controls, etc.
It's unlikely other profiles will use non-rh_packages, however as you
noted, the flexibility to support per-profile specialized rules is a
great capability of the SSG project!
11:22 a.m.
New subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
the flexibility to support per-profile specialized rules is a great
capability of the SSG project!
Agreed here. It's expected that additional
profile(s) will be needed within the CCP context. For example, Manager Service Providers
(a type of CCP) are one use case where customization of RHEL images is expected. MSP's
often install their own monitoring/backup packages, etc that would be flagged by a non-RH
package check. We'll need to build a profile to account for such circumstances
(I'm working on that deliverable).
-Matt
Matthew Mariani
Cloud Solution Architect
M: +1-717-756-6834
mmariani(a)redhat.com
----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, November 12, 2013 8:33:35 PM
Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
On 11/11/13, 11:37 PM, Jeffrey Blank wrote:
I might be more concerned that the "non-rh_packages" Rule would drive
developers to / not / package software into RPMs at all.
But of course, I have very little context with regard to when/how this
CCP profile would be exercised. It's certainly possible to add these
sorts of things to the project in a manner that makes explicit their
specialized scenario.
As part of Red Hat's larger certified cloud provider (CCP) program, third party cloud
providers must provide Red Hat evidence that their RHEL AMIs/images meet certain standards
imposed by Red Hat. Historically these standards have been enforced with bash and python
hackery. We're trying to standardize things via SCAP.
The rht-ccp profile will scan the base image/AMI. Standards aren't as stringent as,
say, a STIG, but we want to ensure all CCPs enable things like SSHv2, partitions for /tmp
and /var/log/audit, SELinux is running, etc. Once the image is certified between Red Hat
and the CCP, the images are released to the CCP end users.
CCP certification is largely done to ensure consistency of the initial RHEL experience to
end-users between multiple cloud providers. End users will be able to do whatever they
please -- install additional software, turn off the original security controls, etc.
It's unlikely other profiles will use non-rh_packages, however as you noted, the
flexibility to support per-profile specialized rules is a great capability of the SSG
project!
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
3815
days inactive
3844
days old
scap-security-guide@lists.fedorahosted.org
9 comments
4 participants
participants (4)
-
Haynes, Dan -
Jeffrey Blank -
Matthew Mariani -
Shawn Wells