Have requested public publication of the CKL schema. There is one, it's just not public for some reason.
On Fri, Nov 30, 2018 at 8:45 PM Trevor Vaughan <tvaug...@onyxpoint.com> wrote:

> Yeah, the material could easily be OCIL.
>
> An XSLT layer could be added to convert from OCIL and OVAL Reports to the
> CKL format. That would be a vast improvement over the 'just wing it'
> approach that we have now.
>
> Trevor
>
> On Thu, Nov 29, 2018 at 9:22 PM Shawn Wells <sh...@redhat.com> wrote:
>
>> On 11/29/18 5:54 PM, Trevor Vaughan wrote:
>> > The issue is less the automation (that's easy) and more that it isn't
>> > actually a codified standard.
>>
>> Could these be expressed as OCIL?
>>
>> https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/ocil
>>
>> For example, here's the codified OCIL for manual inspection to make sure
>> /var/log/httpd is 0700 or less permissive:
>>
>> > <ns0:questionnaire
>> >     id="ocil:ssg-dir_perms_var_log_httpd_ocil:questionnaire:1">
>> >   <ns0:title>Set Permissions on the /var/log/httpd/ Directory</ns0:title>
>> >   <ns0:actions>
>> >     <ns0:test_action_ref>ocil:ssg-dir_perms_var_log_httpd_action:testaction:1</ns0:test_action_ref>
>> >   </ns0:actions>
>> > </ns0:questionnaire>
>> > .....
>> > <ns0:boolean_question_test_action
>> >     id="ocil:ssg-dir_perms_var_log_httpd_action:testaction:1"
>> >     question_ref="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
>> >   <ns0:when_true>
>> >     <ns0:result>PASS</ns0:result>
>> >   </ns0:when_true>
>> >   <ns0:when_false>
>> >     <ns0:result>FAIL</ns0:result>
>> >   </ns0:when_false>
>> > </ns0:boolean_question_test_action>
>> > ..........
>> > <ns0:boolean_question
>> >     id="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
>> >   <ns0:question_text>Run the following command to check the
>> > mode of the httpd log directory:
>> > $ ls -l /var/log/ | grep httpd
>> > Log directory must be mode 0700 or less permissive.
>> > Is it the case that it is more permissive?
>> >   </ns0:question_text>
>> > </ns0:boolean_question>
>>
>> If these manual checks can be coded in OCIL they can be included in
>> SCAP-based reports natively.
>>
>> Also means we could create an organizational answers file, such as "Do
>> you do backups?" that Tom mentioned earlier in the thread.
>> Organizational answers could automatically be incorporated into the
>> results files.
>>
>> > I'll hop onto the STIG feedback space on SoftwareForge and see if they
>> > have a schema anywhere. The last time I asked, there wasn't one, but
>> > that was quite some time ago.
>>
>> Thanks Trevor!
>> _______________________________________________
>> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
>> To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
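The idea Shawn raises in the quoted message, an organizational answers file whose answers are fed into OCIL boolean questionnaires so the results land in the SCAP report, is small enough to show end to end. The following is an added example written for this page; it is not code from the scap-security-guide project or from any participant in the thread. It assumes the OCIL 2.0 namespace URI, a JSON answers file keyed by OCIL question id, and a deliberately conservative rule for combining several test actions inside one questionnaire (any FAIL wins, then ERROR, then NOT_TESTED); the OCIL document and the answers are constructed for the example and modelled on the questionnaire quoted above. Note that the evaluator applies the when_true/when_false mapping literally, so the question wording and the mapping have to agree; the constructed sample phrases the permissions question so that a "true" answer means the directory is too permissive and therefore maps to FAIL.

```python
"""Evaluate OCIL boolean questionnaires against an organizational answers file.

Added example, not project code. Assumptions: OCIL 2.0 namespace URI,
JSON answers keyed by question id, and the combine() rule below.
"""
import json
import xml.etree.ElementTree as ET

OCIL_NS = "http://scap.nist.gov/schema/ocil/2.0"   # assumed OCIL 2.0 namespace
NS = {"ocil": OCIL_NS}

# Constructed OCIL document: one system check (modelled on the thread's
# /var/log/httpd questionnaire) and one organizational question.
SAMPLE_OCIL = f"""<ocil xmlns="{OCIL_NS}">
  <questionnaires>
    <questionnaire id="ocil:ssg-dir_perms_var_log_httpd_ocil:questionnaire:1">
      <title>Set Permissions on the /var/log/httpd/ Directory</title>
      <actions>
        <test_action_ref>ocil:ssg-dir_perms_var_log_httpd_action:testaction:1</test_action_ref>
      </actions>
    </questionnaire>
    <questionnaire id="ocil:org-backups_ocil:questionnaire:1">
      <title>Organizational backups are performed</title>
      <actions>
        <test_action_ref>ocil:org-backups_action:testaction:1</test_action_ref>
      </actions>
    </questionnaire>
  </questionnaires>
  <test_actions>
    <boolean_question_test_action id="ocil:ssg-dir_perms_var_log_httpd_action:testaction:1"
        question_ref="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
      <when_true><result>FAIL</result></when_true>
      <when_false><result>PASS</result></when_false>
    </boolean_question_test_action>
    <boolean_question_test_action id="ocil:org-backups_action:testaction:1"
        question_ref="ocil:org-backups_question:question:1">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
  </test_actions>
  <questions>
    <boolean_question id="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
      <question_text>Run: ls -ld /var/log/httpd
Is it the case that the directory is more permissive than 0700?</question_text>
    </boolean_question>
    <boolean_question id="ocil:org-backups_question:question:1">
      <question_text>Do you do backups?</question_text>
    </boolean_question>
  </questions>
</ocil>
"""

# Constructed organizational answers file (assumed layout): question id -> bool.
SAMPLE_ANSWERS = json.dumps({
    "ocil:ssg-dir_perms_var_log_httpd_question:question:1": False,
    "ocil:org-backups_question:question:1": True,
})


def load_test_actions(root):
    """Index every boolean_question_test_action by id with its result mapping."""
    actions = {}
    for ta in root.iterfind(".//ocil:boolean_question_test_action", NS):
        actions[ta.get("id")] = {
            "question_ref": ta.get("question_ref"),
            "when_true": ta.findtext("ocil:when_true/ocil:result", namespaces=NS),
            "when_false": ta.findtext("ocil:when_false/ocil:result", namespaces=NS),
        }
    return actions


def combine(outcomes):
    """Conservative combining rule (an assumption, not the OCIL spec's):
    any FAIL wins, then ERROR, then NOT_TESTED; only all-PASS yields PASS."""
    for worst in ("FAIL", "ERROR", "NOT_TESTED"):
        if worst in outcomes:
            return worst
    return "PASS" if outcomes else "NOT_TESTED"


def evaluate_ocil(ocil_xml, answers_json):
    """Return {questionnaire id: result} for every questionnaire in the document.

    A dangling test_action_ref yields ERROR; a question with no boolean answer
    in the answers file yields NOT_TESTED rather than silently passing."""
    root = ET.fromstring(ocil_xml)
    answers = json.loads(answers_json)
    actions = load_test_actions(root)
    results = {}
    for q in root.iterfind(".//ocil:questionnaire", NS):
        outcomes = []
        for ref in q.iterfind("ocil:actions/ocil:test_action_ref", NS):
            action = actions.get((ref.text or "").strip())
            if action is None:
                outcomes.append("ERROR")
                continue
            answer = answers.get(action["question_ref"])
            if not isinstance(answer, bool):
                outcomes.append("NOT_TESTED")
                continue
            outcomes.append(action["when_true"] if answer else action["when_false"])
        results[q.get("id")] = combine(outcomes)
    return results


if __name__ == "__main__":
    for qid, result in evaluate_ocil(SAMPLE_OCIL, SAMPLE_ANSWERS).items():
        print(f"{result:<10} {qid}")
```

Unanswered questions come back NOT_TESTED instead of PASS, which is the property you want before such a results file is merged into an XCCDF report: an incomplete answers file should show up as a gap, not as compliance.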