OK! I downloaded the latest scap-security-guide source from Git and built it for Ubuntu 1604. It compiles and runs!
Next challenge, during the compile it had trouble scanning the Oval file for controls it was to evaluate, and it marked all of those it didn’t find as “not applicable”. So I got a score of 100%, but none of the challenging controls were evaluated. (I used an oval file I found in the source tree but I guess it was not complete.) Apparently I need more or better benchmark files for Ubuntu in the OpenSCAP “/usr/share/openscap” and “/usr/share/openscap/cpe” directories (openscap-cpe-dictionary.xml, openscap-cpe-oval.xml, openscap-ubuntu1604-cpe-dictionary.xml and openscap-ubuntu1604-cpe-oval.xml in the openscap/cpe directory and scap-ubuntu1604-oval.xml, scap-ubuntu1604-ocil.xml and scap-ubuntu-1604-ds.xml in the openscap directory). These files do not appear to be in the source from Git and they were not installed with the libopenscap8 package. Google is not helping me with this challenge. Can you guys direct me to where I can find these files so I can build and run a complete scan of my system(s)? Thank you! --Bill William B. Boucher, BSEE Embedded Systems Software Engineer Information Systems Security Manager MZA Associates Corporation 4900 Lang Ave. NE, Suite 100 Albuquerque, NM 87109-9708 Phone: 505.245.9970 x166 Fax: 505.245.9971 Cell: 505.459.7620 william.bouc...@mza.com<mailto:william.bouc...@mza.com> From: Boucher, William Sent: Monday, January 21, 2019 3:56 PM To: 'Watson Sato' <ws...@redhat.com> Cc: Newman, Stuart J. (GSFC-491.0)[KBRwyle] <stuart.j.new...@nasa.gov>; open-scap-list@redhat.com Subject: RE: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS Stuart and Watson, I found the packages for Ubuntu 18.04 (“cosmic”) but not for Ubuntu 16.04 (“xenial”). The DISA STIG is written specifically for Ubuntu 16.04 (“U_Canonical_16-04_LTS_V1R1_STIG.zip”). Am I not looking in the right place for the SSG? I found the ssg packages for Ubuntu 18.04 at https://packages.ubuntu.com/search?suite=cosmic&searchon=names&keywords=ssg, but they are not in the 16.04 package listing at https://packages.ubuntu.com/search?suite=xenial&searchon=names&keywords=ssg. Could they be in another repository for 16.04? (Note I am using the latest xenial, 16.04.5, which has the same Linux kernel as the latest cosmic release, 4.15.) Thank you for your help and patience, --Bill William B. Boucher, BSEE Embedded Systems Software Engineer Information Systems Security Manager MZA Associates Corporation 4900 Lang Ave. NE, Suite 100 Albuquerque, NM 87109-9708 Phone: 505.245.9970 x166 Fax: 505.245.9971 Cell: 505.459.7620 william.bouc...@mza.com<mailto:william.bouc...@mza.com> From: Watson Sato [mailto:ws...@redhat.com] Sent: Monday, January 7, 2019 7:58 AM To: Boucher, William <william.bouc...@mza.com<mailto:william.bouc...@mza.com>> Cc: Newman, Stuart J. (GSFC-491.0)[KBRwyle] <stuart.j.new...@nasa.gov<mailto:stuart.j.new...@nasa.gov>>; open-scap-list@redhat.com<mailto:open-scap-list@redhat.com> Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS Hello, On Wed, Nov 28, 2018 at 5:39 PM Boucher, William <william.bouc...@mza.com<mailto:william.bouc...@mza.com>> wrote: Stuart, How do I get the current/latest scap security guide? Latest pre-built content can be grabbed at https://github.com/ComplianceAsCode/content/releases, just download the zip file. 1) I went to https://www.open-scap.org/security-policies/scap-security-guide/ and clicked on the Ubuntu symbol to get directions for installing it, but that gave message “The SCAP Security Guide package is not available on the Ubuntu distribution yet. Check for update.” The website needs to updated, there are SCAP Security Guide packages for Ubuntu and Debian. 2) “apt-get install scap-security-guide” produced the error “Unable to locate package scap-security-guide.” It seems that the packages are named slightly different in Ubuntu, see: https://packages.ubuntu.com/source/disco/scap-security-guide I did successfully install libopenscap8 (“apt-get install libopenscap8”). All help is appreciated. William B. Boucher, BSEE Embedded Systems Software Engineer Information Systems Security Manager MZA Associates Corporation 2021 Girard Blvd., SE, Suite 150 Albuquerque, New Mexico 87106 Phone: 505.245.9970 x166 Fax: 505.245.9971 Cell: 505.459.7620 william.bouc...@mza.com<mailto:william.bouc...@mza.com> From: Newman, Stuart J. (GSFC-491.0)[KBRwyle] [mailto:stuart.j.new...@nasa.gov<mailto:stuart.j.new...@nasa.gov>] Sent: Wednesday, November 28, 2018 4:19 AM To: Boucher, William <william.bouc...@mza.com<mailto:william.bouc...@mza.com>>; open-scap-list@redhat.com<mailto:open-scap-list@redhat.com> Subject: RE: Benchmark for Canonical Ubuntu 16.04 LTS The current (0.1.41) version of the scap security guide has Ubuntu benchmarks. Stuart J Newman [cid:image001.png@01D4B2F0.3EB2D6F0] Engineer 4; Systems NASA/Goddard Space Flight Center, Building 14 Room 252 | Greenbelt, Maryland 20771 | USA Office: +1 301. 286.5145 | Mobile: +1443.878.6146 | stuart.j.new...@nasa.gov<mailto:stuart.j.new...@nasa.gov> ________________________________ This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message. From: open-scap-list-boun...@redhat.com<mailto:open-scap-list-boun...@redhat.com> <open-scap-list-boun...@redhat.com<mailto:open-scap-list-boun...@redhat.com>> On Behalf Of Boucher, William Sent: November 27, 2018 18:23 To: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com> Subject: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS Hi folks, I am currently hardening an Ubuntu embedded system for delivery to a customer. I have downloaded the “Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1” from DISA, and I have obtained a copy of the SCAP Compliance checker tool “SCC 5.0.2 Ubuntu 16 AMD64”. What I am missing is an SCAP Benchmark file for Ubuntu 16.04. Does one exist? I would like to use OpenSCAP to harden then scan this IS. The Open-SCAP BASE page says that Ubuntu is supported, so I can get the tools installed. But without a benchmark how would I proceed from there? Thank you, --Bill William B. Boucher, BSEE Embedded Systems Software Engineer Information Systems Security Manager MZA Associates Corporation 2021 Girard Blvd., SE, Suite 150 Albuquerque, New Mexico 87106 Phone: 505.245.9970 x166 Fax: 505.245.9971 Cell: 505.459.7620 william.bouc...@mza.com<mailto:william.bouc...@mza.com> _______________________________________________ Open-scap-list mailing list Open-scap-list@redhat.com<mailto:Open-scap-list@redhat.com> https://www.redhat.com/mailman/listinfo/open-scap-list -- Watson Sato Security Technologies | Red Hat, Inc
_______________________________________________ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list