As recommended, moving this thread to the SSG mailing list. 

Background: We are working on developing an SSG profile definition for RH 
certified cloud providers. In addition to these XCCDF-based checks, I need to 
also detect any non-RedHat packages installed on the system. The question to 
the group is: are there any recommendations or examples on how this may have 
been done previously? As example, suppose a cloud image has a monitoring 
package or hypervisor para-virt rpms installed, I want to be made aware and have 
those reported by the check. An OVAL path was suggested below. 

Does anyone have additional guidance on how/if I can do this with SCAP-related 
tools? 

Thanks, 
-Matt 

Matthew Mariani 
Partner Solution Architect 
M: +1-717-756-6834 
[email protected] 
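Danny's attached OVAL definition did not survive in the archive, so here is an added example (written for this page, not Danny's attachment and not SSG content) of the collect-then-filter approach he describes in the quoted thread below: an rpminfo_object that matches every installed package, a filter that excludes items whose signature key ID matches a Red Hat key, and an rpminfo_test that passes only when nothing is left. The organization namespace `example.rht-ccp` and the two key ID placeholders are assumptions; substitute the key IDs present on your image.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration of the approach described in the thread; not the attachment from the list. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <generator>
    <oval:product_name>hand-written example</oval:product_name>
    <oval:schema_version>5.10.1</oval:schema_version>
    <oval:timestamp>2013-10-14T00:00:00</oval:timestamp>
  </generator>

  <definitions>
    <!-- True only when no installed RPM remains after Red Hat-signed ones are filtered out. -->
    <definition id="oval:example.rht-ccp:def:1" version="1" class="compliance">
      <metadata>
        <title>No RPMs signed by keys other than Red Hat's are installed</title>
        <description>Collects every installed RPM, excludes those whose signature key ID
        matches a Red Hat key, and fails if anything is left over (third-party, locally
        built or unsigned packages). The leftover items are listed in the OVAL results,
        which is what makes the offending packages visible to the reviewer.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:example.rht-ccp:tst:1"
                   comment="no RPMs outside the Red Hat signing keys are installed"/>
      </criteria>
    </definition>
  </definitions>

  <tests>
    <!-- check_existence="none_exist": the test is true only if the filtered object collects
         no items. Each collected item is one package that is not signed by a Red Hat key. -->
    <linux-def:rpminfo_test id="oval:example.rht-ccp:tst:1" version="1"
        check="all" check_existence="none_exist"
        comment="installed RPMs not signed by a Red Hat key">
      <linux-def:object object_ref="oval:example.rht-ccp:obj:1"/>
    </linux-def:rpminfo_test>
  </tests>

  <objects>
    <!-- name ".*" matches every installed package; the filter then drops the packages that
         satisfy the "signed by Red Hat" state, leaving exactly the ones we want reported.
         A package with no signature at all does not match the state, so it is kept too. -->
    <linux-def:rpminfo_object id="oval:example.rht-ccp:obj:1" version="1">
      <linux-def:name operation="pattern match">.*</linux-def:name>
      <filter action="exclude">oval:example.rht-ccp:ste:1</filter>
    </linux-def:rpminfo_object>
  </objects>

  <states>
    <!-- Placeholder key IDs (assumed values): replace with the 16-hex-digit IDs of the
         Red Hat keys that signed the packages on your image. -->
    <linux-def:rpminfo_state id="oval:example.rht-ccp:ste:1" version="1">
      <linux-def:signature_keyid operation="pattern match">^(REDHAT_RELEASE_KEY_ID|REDHAT_AUXILIARY_KEY_ID)$</linux-def:signature_keyid>
    </linux-def:rpminfo_state>
  </states>
</oval_definitions>
```

To find the key IDs to put in the state, query a package you know came from Red Hat with `rpm -q --qf '%{SIGPGP:pgpsig}\n' <package>`; the "Key ID" at the end of that line is the 16-hex-digit value the rpminfo item's signature_keyid carries. Evaluate the file on its own with `oscap oval eval --results results.xml <file>` and inspect the collected items in the results; once the state holds the right IDs, the same definition can be referenced from an XCCDF rule in the profile.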

----- Original Message -----

From: "Shawn Wells" <[email protected]> 
To: [email protected] 
Sent: Sunday, October 13, 2013 11:30:26 PM 
Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example. 

On 10/10/13 4:44 PM, Matthew Mariani wrote: 

Danny, 
Thanks, very helpful. 
-Matt 

----- Original Message -----

From: "Dan Haynes" <[email protected]> 
To: "Matthew Mariani" <[email protected]> , [email protected] 
Sent: Wednesday, October 9, 2013 2:45:35 PM 
Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example. 

Hi Matthew, 

Comments inline below. Hope this helps. 

Thanks, 

Danny 

From: [email protected] [ mailto:[email protected] ] On Behalf Of Matthew Mariani 
Sent: Wednesday, October 09, 2013 1:11 PM 
To: [email protected] 
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example. 

Hi list, 

SCAP newbie here. I'm working with the attached XCCDF profile definition to be 
used with a RHEL6 system. The end goal is to define a standard RHEL cloud image 
security profile. I have two questions: 

1. I believe I need additional XML syntax in the file to have valid XCCDF 
content. When I try both testing with the 'info' function and running an 
'eval', I get an Unknown document type error. 


[root@rhel6client ~]# oscap info rht-ccp.xml 
OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554] 


[root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results 
/root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml 
Profile "rht-ccp" was not found. 





Looking at some of the xccdf examples referenced here 
http://www.open-scap.org/page/Documentation , I'm thinking I need a <Benchmark> 
wrapper around my profile. Am I on the right track, and if so is there a basic 
<Benchmark> syntax example available? I'm finding it difficult to identify what's 
required and what's not in examples referenced on the Documentation page. 



[Danny]: Yes, you will need to include the <Benchmark> component. You may want 
to look at the RHEL6 STIG SCAP content being developed in the 
scap-security-guide project ( https://fedorahosted.org/scap-security-guide/ ). 
It should serve as a good example and you may be able to reuse some of the 
content. They also have some tools that you could leverage to help generate the 
content. 



Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into 
SSG: 
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=363324350a1c4efe4dceefa3e309865fc54913b6
 

You should now be able to clone the source and run a scan: 
https://fedorahosted.org/scap-security-guide/wiki/downloads 

aka 
$ sudo yum install git openscap-utils python-lxml 
$ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; 
cd scap-security-guide/RHEL6 
$ make content 
$ sudo oscap xccdf eval --profile rht-ccp \ 
--results /root/ssg-results-$(date +%F).xml \ 
--report /root/ssg-results-$(date +%F).html \ 
--cpe output/ssg-rhel6-cpe-dictionary.xml \ 
output/ssg-rhel6-xccdf.xml 

2. Looking forward, in addition to these XCCDF checks, I have the need to 
detect non-Red Hat signed packages installed on the system. Does anyone have 
guidance on how/if I can do that with SCAP tools? As example, suppose a cloud 
image has a monitoring package or hypervisor para-virt rpms installed, I want to 
be made aware and have those reported by the check. 

[Danny]: Yes, you should be able to check for any non-Red Hat signed packages 
using OVAL, which is a language for checking the state of an endpoint. There is 
the linux-def:rpminfo_test ( 
http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd
 ) which you can use to check various metadata about the packages installed on 
the system including the signature key ID. With that in mind, you should be 
able to collect all RPMs on the system and filter out any RPMs that are signed 
by Red Hat, leaving only those that haven't been signed by Red Hat. I have 
attached an OVAL definition which shows how you might do this. Of course, you 
may need to modify it to include the appropriate signature key IDs. 

Any help is appreciated. Thanks, 

-Matt 


Since this is largely content related, feel free to kick over the conversation 
to the SSG mailing list: 
https://fedorahosted.org/scap-security-guide/ 
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide 

Our friends and allies within the OpenSCAP tooling community let us content 
guys play here, but content questions (for SSG) should be kicked over to the 
SSG community list :) 

_______________________________________________ 
Open-scap-list mailing list 
[email protected] 
https://www.redhat.com/mailman/listinfo/open-scap-list 

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide