I might be more concerned that the "non-rh_packages" Rule would drive
developers to /not/ package software into RPMs at all.
But of course, I have very little context with regard to when/how this
CCP profile would be exercised. It's certainly possible to add these
sorts of things to the project in a manner that makes explicit their
specialized scenario.
On Wed, Nov 6, 2013 at 10:33 AM, Haynes, Dan <dhaynes(a)mitre.org> wrote:
Hi Matt,
A few quick comments inline.
Thanks,
Danny
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of
Matthew Mariani
Sent: Tuesday, November 05, 2013 11:07 AM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Fwd: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG Team,
I'm making some progress here with code to check for non-RH packages (huge
thanks to Danny Hynes). Two questions:
1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if
there are non-RH packages. My understanding is a 'True' results in a Pass
of the rule - is that correct? However, I want True to result in a fail.
How to make that happen?
The SCAP specifications provide a table that maps OVAL results to XCCDF
results (http://scap.nist.gov/revision/index.html). In the SCAP 1.2
specification, specifically Section 4.5.2, it says:
* definitions with class="compliance" or class="inventory"
  - "true" maps to "Pass"
  - "false" maps to "Fail"
* definitions with class="vulnerability" or class="patch"
  - "false" maps to "Pass"
  - "true" maps to "Fail"
You may also want to consider joining the XCCDF and OVAL mailing lists as
these are good places to ask questions about the specifications.
http://scap.nist.gov/specifications/xccdf/
http://oval.mitre.org/community/registration.html
2. In order to get past this non-RH package check, the openscap* and scap*
packages need to be ignored. I tried adding filter exclusion statements on
the rpminfo_object; however, I can't get past an error, so I must have
something wrong. Suggestions?
......
<linux:rpminfo_object id="oval:ssg:obj:10101" version="1"
    comment="Collect all rpms and exclude those signed by Red Hat and exclude those from scap and openscap.">
  <linux:name operation="pattern match">.*</linux:name>
  <filter action="exclude">oval:ssg:ste:10101</filter>
  <!-- Matt: Adding these exclude statements causes the OpenSCAP error below -->
  <filter action="exclude">oval:ssg:ste:10102</filter>
  <filter action="exclude">oval:ssg:ste:10103</filter>
</linux:rpminfo_object>
.....
[root@rhel6client ~]# ./run_rht_scap_new
Title Ensure /tmp Located On Separate Partition
Rule partition_for_tmp
Ident CCE-26435-8
Result fail
Title All packages should be RH signed package
Rule non-rh_packages
Ident (null)
Result unknown
OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model.
[oval_agent.c:180]
Unfortunately, I am not sure about this error. It sounds like when it tries
to output the results, it is looking for oval:ssg:def:10101, but, can’t find
it. It sounds like this might be a good question for the OpenSCAP list.
Also, I found this
(
http://blog-shawndwells.rhcloud.com/wp-content/uploads/2012/07/2013-03-25...),
if you haven’t seen it. It may help you with the content development.
Attached is a shortened version to show the relevant code additions in the
ssg XCCDF and OVAL files.
Thanks in advance for any help.
-Matt
________________________________
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:32:29 AM
Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
+ the attachment for #2
________________________________
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Cc: "Karl Stevens" <kstevens(a)redhat.com>
Sent: Thursday, October 31, 2013 10:30:37 AM
Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
Hi SSG team,
For the CCP profile recently added, I would like to add new RHEL6 checks for
the bullets below.
1. Cloud image disk checks - do these checks exist already?
a.) Minimum Disk - 6GB
b.) Available Disk - 4GB or more
2. Non-RH packages installed on the RHEL system - ** For this one, on
the open-scap-list, Danny Hynes provided the attached OVAL definition, but
I'm not sure how to build that into the rht-ccp profile. Does anyone have
an example?
Any guidance on how to proceed is appreciated.
Thanks,
-Matt
________________________________
From: "Matthew Mariani" <mmariani(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Tuesday, October 15, 2013 2:22:25 PM
Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF
example.
As recommended, moving this thread to the SSG mailing list.
Background: We are working on developing an SSG profile definition for RH
certified cloud providers. In addition to these XCCDF-based checks, I need
to also detect any non-RedHat packages installed on the system. The
question to the group is: are there any recommendations or examples on how
this may have been done previously. As an example, suppose a cloud image has a
monitoring package or hypervisor para-virt rpms installed; I want to be made
aware and have those reported by the check. An OVAL path was suggested
below.
Does anyone have additional guidance on how/if I can do this with
SCAP-related tools?
Thanks,
-Matt
Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani(a)redhat.com
________________________________
From: "Shawn Wells" <shawn(a)redhat.com>
To: open-scap-list(a)redhat.com
Sent: Sunday, October 13, 2013 11:30:26 PM
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF
example.
On 10/10/13 4:44 PM, Matthew Mariani wrote:
Danny,
Thanks, very helpful.
-Matt
________________________________
From: "Dan Haynes" <dhaynes(a)mitre.org>
To: "Matthew Mariani" <mmariani(a)redhat.com>, open-scap-list(a)redhat.com
Sent: Wednesday, October 9, 2013 2:45:35 PM
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi Matthew,
Comments inline below. Hope this helps.
Thanks,
Danny
From: open-scap-list-bounces(a)redhat.com
[mailto:open-scap-list-bounces@redhat.com] On Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list(a)redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
Hi list,
SCAP newbie here. I'm working with the attached XCCDF profile definition
to be used with a RHEL6 system. The end goal is to define a standard RHEL
cloud image security profile. I have two questions:
1. I believe I need additional XML syntax in the file to have valid XCCDF
content. When I try both testing with the 'info' function and running an
'eval', I get an Unknown document type error.
[root@rhel6client ~]# oscap info rht-ccp.xml
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
Profile "rht-ccp" was not found.
Looking at some of the xccdf examples referenced here
http://www.open-scap.org/page/Documentation, I'm thinking I need a
<Benchmark> wrapper around my profile. Am I on the right track, and if so
is there a basic <Benchmark> syntax example available? I'm finding it
difficult to id what's required and what's not in examples referenced on the
Documentation page.
[Danny]: Yes, you will need to include the <Benchmark> component. You may
want to look at the RHEL6 STIG SCAP content being developed in the
scap-security-guide project (
https://fedorahosted.org/scap-security-guide/).
It should serve as a good example and you may be able to reuse some of the
content. They also have some tools that you could leverage to help generate
the content.
Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into
SSG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633...
You should now be able to clone the source and run a scan:
https://fedorahosted.org/scap-security-guide/wiki/downloads
aka
$ sudo yum install git openscap-utils python-lxml
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd scap-security-guide/RHEL6
$ make content
$ sudo oscap xccdf eval --profile rht-ccp \
    --results /root/ssg-results-"$(date +%F)".xml \
    --report /root/ssg-results-"$(date +%F)".html \
    --cpe output/ssg-rhel6-cpe-dictionary.xml \
    output/ssg-rhel6-xccdf.xml
2. Looking forward, in addition to these XCCDF checks, I have the need to
detect non-RedHat signed packages installed on the system. Does anyone have
guidance on how/if I can do that with SCAP tools? As an example, suppose a
cloud image has a monitoring package or hypervisor para-virt rpms installed; I
want to be made aware and have those reported by the check.
[Danny]: Yes, you should be able to check for any non-Red Hat signed
packages using OVAL, which is a language for checking the state of an
endpoint. There is the linux-def:rpminfo_test
(
http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu...)
which you can use to check various metadata about the packages installed on
the system including the signature key ID. With that in mind, you should be
able to collect all RPMs on the system and filter out any RPMs that are
signed by Red Hat leaving only those that haven’t been signed by Red Hat. I
have attached an OVAL definition which shows how you might do this. Of
course, you may need to modify it to include the appropriate signature key
IDs.
Any help is appreciated. Thanks,
-Matt
Since this is largely content related, feel free to kick over the
conversation to the SSG mailing list:
https://fedorahosted.org/scap-security-guide/
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Our friends and allies within the OpenSCAP tooling community let us content
guys play here, but content questions (for SSG) should be kicked over to the
SSG community list :)
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
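Editor's note, added to this archived thread (example code, not from the thread participants and not part of SSG): Matt's two questions in the Nov 5 message, how to make "non-RH packages present" come out as an XCCDF fail and how to keep the openscap*/scap* packages out of the collected set, both come down to what the filtered set must look like for the rule to pass. Under the SCAP 1.2 mapping Danny quoted, a class="compliance" definition passes when it evaluates true, so the rpminfo_test has to be true when nothing survives the filters; in OVAL terms that is check_existence="none_exist" on the test, rather than a test that is true when offending packages exist. The script below performs the same check outside of OVAL so the filter logic can be verified on a host before debugging the OVAL content: it reads `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'` lines, drops packages signed by the Red Hat release keys and the openscap*/scap* names, and reports pass only when the remainder is empty. Assumptions: the two key IDs are the RHEL 6 release key IDs as rpm prints them (verify on the target with `rpm -q gpg-pubkey --qf '%{VERSION} %{SUMMARY}\n'`, whose 8-hex version is the tail of the 16-hex ID); the sample RPM lines are constructed; gpg-pubkey is additionally ignored, which the posted filters do not cover.

```shell
#!/bin/sh
# Editor's example, not SSG code: shell analogue of the non-RH package check.
# Drops RPMs signed by Red Hat and the openscap*/scap* names, then "passes"
# only when nothing is left (the shape an OVAL rpminfo_test needs with
# check_existence="none_exist" under a class="compliance" definition).

# ASSUMPTION: RHEL 6 release key IDs as rpm prints them in %{SIGPGP:pgpsig}.
# Verify on the target: rpm -q gpg-pubkey --qf '%{VERSION} %{SUMMARY}\n'
RH_KEYIDS="199e2f91fd431d51 5326810137017186"

# stdin:  lines of `rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n'`
# stdout: package names that are neither Red Hat signed nor explicitly ignored
non_rh_packages() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%% *}        # first field: package name
        keyid=${line##* }       # last field: signing key ID, or "(none)" if unsigned

        # Filter 1 (oval:ssg:ste:10101 in the post): Red Hat signed -> drop.
        case " $RH_KEYIDS " in
            *" $keyid "*) continue ;;
        esac

        # Filters 2 and 3 from the posted rpminfo_object: the scanner's own
        # packages. gpg-pubkey is added here (assumption beyond the post):
        # it is the imported key record itself, not software, and is unsigned.
        case $name in
            openscap*|scap*|gpg-pubkey) continue ;;
        esac

        printf '%s\n' "$name"
    done
}

# Rule verdict: "pass" only if the filtered set is empty. This is the
# inversion Matt asked for: listing the packages is a side effect, the
# compliance result itself must be true when none exist.
evaluate_rule() {
    remaining=$(printf '%s\n' "$1" | non_rh_packages)
    if [ -z "$remaining" ]; then
        echo pass
    else
        echo fail
    fi
}

# Constructed sample input (not real output from any host). The Red Hat
# entries use the key IDs above; 3b49df2a0608b895 is the EPEL 6 key.
SAMPLE_RPMS='bash RSA/8, Mon 18 Jun 2012 04:51:22 PM EDT, Key ID 199e2f91fd431d51
openscap-utils RSA/8, Tue 05 Feb 2013 10:03:44 AM EST, Key ID 199e2f91fd431d51
scap-security-guide (none)
rhn-check RSA/8, Thu 30 Aug 2012 06:12:09 PM EDT, Key ID 5326810137017186
gpg-pubkey (none)
nagios-plugins RSA/8, Wed 09 Jan 2013 01:14:00 PM EST, Key ID 3b49df2a0608b895
vmware-tools-esx (none)'

if [ "${1-}" = "--live" ]; then
    # On a real RHEL host: run the actual rpm database through the same filters.
    evaluate_rule "$(rpm -qa --qf '%{NAME} %{SIGPGP:pgpsig}\n')"
else
    printf '%s\n' "$SAMPLE_RPMS" | non_rh_packages   # nagios-plugins, vmware-tools-esx
    evaluate_rule "$SAMPLE_RPMS"                      # fail
fi
```

Run it with `--live` on a RHEL 6 box to see which packages the OVAL filters would have to match; anything unsigned shows up with "(none)" as its key ID, so a monitoring agent or hypervisor tools package installed from a vendor tarball is reported the same way as one signed by a third-party key.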