Re: [Open-scap] OSCAP on Mac OS X
On Thu, Mar 23, 2017 at 4:34 PM, Mohanraj, Bharath wrote: > Thankyou for the clarification. So, other than Linux which other platforms > does oscap scanner support? Linux and Solaris. -- Martin Preisler ___ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
Re: [Open-scap] OSCAP on Mac OS X
Thankyou for the clarification. So, other than Linux which other platforms does oscap scanner support? -Original Message- From: Martin Preisler [mailto:mprei...@redhat.com] Sent: Friday, March 24, 2017 1:54 AM To: Mohanraj, Bharath Cc: open-scap-list@redhat.com Subject: Re: [Open-scap] OSCAP on Mac OS X On Thu, Mar 23, 2017 at 4:21 PM, Mohanraj, Bharath wrote: > Let me explain in detail on what I'm looking for, and please help me > understand if that can be achieved. > > I have installed open-scap scanner on a Linux machine. Using the command-line > options available in oscap scanner, I evaluate the Linux machine against a > xccdf security content and the result gets generated as a good looking HTML. > > Having said that it works fine on a Linux box, I'm now keen to try the same > on a Mac machine. So, can I install the open-scap scanner on a Mac box (just > like how I did it on a Linux with 'yum'), and once its installed can the same > commandline options of oscap used in Mac as well? This is not supported. It would be (probably) simple to implement it but we haven't looked into this yet. Patches welcome! -- Martin Preisler ___ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
Re: [Open-scap] OSCAP on Mac OS X
On Thu, Mar 23, 2017 at 4:21 PM, Mohanraj, Bharath wrote: > Let me explain in detail on what I'm looking for, and please help me > understand if that can be achieved. > > I have installed open-scap scanner on a Linux machine. Using the command-line > options available in oscap scanner, I evaluate the Linux machine against a > xccdf security content and the result gets generated as a good looking HTML. > > Having said that it works fine on a Linux box, I'm now keen to try the same > on a Mac machine. So, can I install the open-scap scanner on a Mac box (just > like how I did it on a Linux with 'yum'), and once its installed can the same > commandline options of oscap used in Mac as well? This is not supported. It would be (probably) simple to implement it but we haven't looked into this yet. Patches welcome! -- Martin Preisler ___ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
Re: [Open-scap] OSCAP on Mac OS X
Let me explain in detail on what I'm looking for, and please help me understand if that can be achieved. I have installed open-scap scanner on a Linux machine. Using the command-line options available in oscap scanner, I evaluate the Linux machine against a xccdf security content and the result gets generated as a good looking HTML. Having said that it works fine on a Linux box, I'm now keen to try the same on a Mac machine. So, can I install the open-scap scanner on a Mac box (just like how I did it on a Linux with 'yum'), and once its installed can the same commandline options of oscap used in Mac as well? Please clarify. -Original Message- From: Martin Preisler [mailto:mprei...@redhat.com] Sent: Friday, March 24, 2017 12:07 AM To: Mohanraj, Bharath Cc: open-scap-list@redhat.com Subject: Re: [Open-scap] OSCAP on Mac OS X OpenSCAP itself can be compiled on and used on MacOS X in a special mode with "--disable-probes". In this mode it will be able to parse all the content but not evaluate OVAL on the target machine. We use this to build SCAP Workbench on MacOS X. Check out https://urldefense.proofpoint.com/v2/url?u=http-3A__static.open-2Dscap.org_scap-2Dworkbench-2D1.1_&d=CwIBaQ&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=AUaowh4kDgwmfFF8B9dpIGVcrfeOZDaHu6Di1CZTnp4&m=O82npwmqefw_8jk2NS5N_XGVV3zzb-Xy5RDKO-cRPvM&s=7RGJpnRJIiMJTHmelA2S2S04tSpw7Z50Ago1-pdSmSQ&e= for how to use SCAP Workbench. The remote scanning workflow works on MacOS X as well as Windows. Adding basic support for OSX into OpenSCAP probably wouldn't be that difficult but it's something we haven't looked into (yet). Any help welcome in that area. On Thu, Mar 23, 2017 at 12:31 PM, Mohanraj, Bharath wrote: > Hi There, > > Can someone help me understand how OSCAP scanner can be used on a Mac OS X. > > Any pointers or doc notes will really help. > > Regards, > Bharath M > > ___ > Open-scap-list mailing list > Open-scap-list@redhat.com > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.redhat.com_ma > ilman_listinfo_open-2Dscap-2Dlist&d=CwIBaQ&c=UrUhmHsiTVT5qkaA4d_oSzcam > b9hmamiCDMzBAEwC7E&r=AUaowh4kDgwmfFF8B9dpIGVcrfeOZDaHu6Di1CZTnp4&m=O82 > npwmqefw_8jk2NS5N_XGVV3zzb-Xy5RDKO-cRPvM&s=KZFuFYBmiFrXURM686-e2weNK0T > jZHT1PR7OTiFHZ6Q&e= -- Martin Preisler ___ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
Re: [Open-scap] OSCAP on Mac OS X
OpenSCAP itself can be compiled on and used on MacOS X in a special mode with "--disable-probes". In this mode it will be able to parse all the content but not evaluate OVAL on the target machine. We use this to build SCAP Workbench on MacOS X. Check out http://static.open-scap.org/scap-workbench-1.1/ for how to use SCAP Workbench. The remote scanning workflow works on MacOS X as well as Windows. Adding basic support for OSX into OpenSCAP probably wouldn't be that difficult but it's something we haven't looked into (yet). Any help welcome in that area. On Thu, Mar 23, 2017 at 12:31 PM, Mohanraj, Bharath wrote: > Hi There, > > Can someone help me understand how OSCAP scanner can be used on a Mac OS X. > > Any pointers or doc notes will really help. > > Regards, > Bharath M > > ___ > Open-scap-list mailing list > Open-scap-list@redhat.com > https://www.redhat.com/mailman/listinfo/open-scap-list -- Martin Preisler ___ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
[Open-scap] OSCAP on Mac OS X
Hi There, Can someone help me understand how OSCAP scanner can be used on a Mac OS X. Any pointers or doc notes will really help. Regards, Bharath M ___ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
Re: [Open-scap] customizing generation of mediation scripts
Hi, The bash code is taken from the input SCAP content, eg. from /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml there is no magic behind that, basically oscap simply extracts snippets from XML. If you want to amend the script that is generated by oscap, unfortunately that is not possible, we don't have any option to customize the "oscap xccdf generate fix" command. Only way is to edit the generated script manually. The best thing that you could do is to share your bash code with others, that means to propose a pull request on SCAP Security Guide project. The source code repository can be found on https://github.com/OpenSCAP/scap-security-guide We can help you with that and we will be happy if you contribute. I recommend exploring /shared/templates/static/bash and /shared/templates directories in the SCAP Security Guide source code repository. Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Greg Silverman (CS)" > To: open-scap-list@redhat.com > Cc: "DL-VTAS-AS-Team-Sangria" > Sent: Tuesday, March 21, 2017 7:17:36 PM > Subject: [Open-scap] customizing generation of mediation scripts > > > > I would like to modify the fixes that oscap will generate and add some > automatic fixes. For example > > > > 1. The firewall fix bash code does not add the ssh service to the drop zone. > Which file can I modify so that the “add-services ssh” is included in the > generated remediation script. > > 2. Where can I add bash code to fix items that are not currently fixed? (I > realize that some future release may replace changes I make now.) > > > > > > Greg Silverman > > Veritas Technologies > > Mountain View, CA > > ___ > Open-scap-list mailing list > Open-scap-list@redhat.com > https://www.redhat.com/mailman/listinfo/open-scap-list ___ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
