Gary,

Is anybody looking at this on the development side (determining why so many rules end up nonapplicable and if the passes and fails are the result of an accurate evaluation)?

Thanks,
--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com

From: open-scap-list-boun...@redhat.com [mailto:open-scap-list-boun...@redhat.com] On Behalf Of Boucher, William
Sent: Monday, February 4, 2019 9:04 AM
To: Gary Gapinski <gapin...@nasa.gov>
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

Gary,

Similar results with Ubuntu 16.04. Not all results were notapplicable, score was given as 25%. After building openscap and ComplianceAsCode/content I ran:

    sudo oscap xccdf eval --profile standard --results ./xccdf-results.xml --cpe /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml
    sudo oscap oval eval --results ./oval-results.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml
    sudo oscap xccdf generate report --oval-template ./oval-results.xml ./xccdf-results.xml > ./report-xccdf-oval.html

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.

Running:

    sudo oscap xccdf eval --profile standard --results-arf ./results-arf.xml --report ./report-ds.html --results ./results-ds.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

produced the same numbers in the ds-generated report. I see the value in using the data stream. But the “notapplicable” items are largely applicable and should be evaluated.

--Bill

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William <william.bouc...@mza.com>
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

On 1/25/19 10:33 AM, Boucher, William wrote:

> Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.

> If I am building OpenSCAP over my previous install of the libopenscap8 package, do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and preferentially (via $PATH) rather than the one from the distro (or just not install from the distro). I use cmake-gui ../ from within the openscap/build directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, configure, generate; make; sudo make install). Installing on top of the distro version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from the cloned (and built) repo, but if you install it I think it best to choose the same installation target (e.g., /usr/local) as that of OpenSCAP. A functional (and available) install of OpenSCAP is a pre-requisite for building ComplianceAsCode.

Regards,
Gary

--
Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959 — office
℡ +1 216 820 1849 — mobile
gapin...@nasa.gov
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
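
One way to follow up on the question raised in this thread is to list which rules came back notapplicable and which platform (CPE) declarations they inherit. The script below is an added example, not part of the original messages or of OpenSCAP. It assumes the XCCDF results file has the Benchmark as its root with the TestResult embedded, as in the constructed sample; the function names, rule ids and CPE name are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like an XCCDF results file; every id and CPE name is made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Group id="xccdf_example_group_services">
    <platform idref="cpe:/a:example_machine"/>
    <Rule id="xccdf_example_rule_sshd_root_login"/>
    <Rule id="xccdf_example_rule_ntp_enabled"/>
  </Group>
  <Rule id="xccdf_example_rule_file_perms_shadow"/>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_sshd_root_login"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_ntp_enabled"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_file_perms_shadow"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""


def rule_platforms(node, ns, inherited=()):
    """Map Rule id -> platform idrefs declared on it or on enclosing Groups/Benchmark."""
    here = list(inherited) + [p.get("idref") for p in node.findall("x:platform", ns)]
    found = {}
    for rule in node.findall("x:Rule", ns):
        found[rule.get("id")] = here + [p.get("idref") for p in rule.findall("x:platform", ns)]
    for group in node.findall("x:Group", ns):
        found.update(rule_platforms(group, ns, here))
    return found


def summarize(xml_text):
    """Return (Counter of result values, {notapplicable rule id: platform idrefs})."""
    root = ET.fromstring(xml_text)
    # Take the XCCDF namespace from the root so 1.1 and 1.2 files both parse.
    ns = {"x": root.tag[1:root.tag.index("}")]}
    platforms = rule_platforms(root, ns)
    counts, skipped = Counter(), {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns)
        counts[result] += 1
        if result == "notapplicable":
            skipped[rr.get("idref")] = platforms.get(rr.get("idref"), [])
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE)
    print(dict(counts), skipped)
```

To use it on a real run, pass the contents of a results file such as ./xccdf-results.xml to summarize() instead of SAMPLE.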