Re: [Open-scap] OSCAP on Mac OS X

2017-03-23 Thread Martin Preisler 
On Thu, Mar 23, 2017 at 4:34 PM, Mohanraj, Bharath
 wrote:
> Thankyou for the clarification. So, other than Linux which other platforms 
> does oscap scanner support?

Linux and Solaris.

-- 
Martin Preisler

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] OSCAP on Mac OS X

2017-03-23 Thread Mohanraj, Bharath 
Thankyou for the clarification. So, other than Linux which other platforms does 
oscap scanner support?

-Original Message-
From: Martin Preisler [mailto:mprei...@redhat.com] 
Sent: Friday, March 24, 2017 1:54 AM
To: Mohanraj, Bharath
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] OSCAP on Mac OS X

On Thu, Mar 23, 2017 at 4:21 PM, Mohanraj, Bharath 
 wrote:
> Let me explain in detail on what I'm looking for, and please help me 
> understand if that can be achieved.
>
> I have installed open-scap scanner on a Linux machine. Using the command-line 
> options available in oscap scanner, I evaluate the Linux machine against a 
> xccdf security content and the result gets generated as a good looking HTML.
>
> Having said that it works fine on a Linux box, I'm now keen to try the same 
> on a Mac machine. So, can I install the open-scap scanner on a Mac box (just 
> like how I did it on a Linux with 'yum'), and once its installed can the same 
> commandline options of oscap used in Mac as well?

This is not supported. It would be (probably) simple to implement it but we 
haven't looked into this yet. Patches welcome!

--
Martin Preisler

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] OSCAP on Mac OS X

2017-03-23 Thread Martin Preisler 
On Thu, Mar 23, 2017 at 4:21 PM, Mohanraj, Bharath
 wrote:
> Let me explain in detail on what I'm looking for, and please help me 
> understand if that can be achieved.
>
> I have installed open-scap scanner on a Linux machine. Using the command-line 
> options available in oscap scanner, I evaluate the Linux machine against a 
> xccdf security content and the result gets generated as a good looking HTML.
>
> Having said that it works fine on a Linux box, I'm now keen to try the same 
> on a Mac machine. So, can I install the open-scap scanner on a Mac box (just 
> like how I did it on a Linux with 'yum'), and once its installed can the same 
> commandline options of oscap used in Mac as well?

This is not supported. It would be (probably) simple to implement it
but we haven't looked into this yet. Patches welcome!

-- 
Martin Preisler

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] OSCAP on Mac OS X

2017-03-23 Thread Mohanraj, Bharath 
Let me explain in detail on what I'm looking for, and please help me understand 
if that can be achieved.

I have installed open-scap scanner on a Linux machine. Using the command-line 
options available in oscap scanner, I evaluate the Linux machine against a 
xccdf security content and the result gets generated as a good looking HTML.

Having said that it works fine on a Linux box, I'm now keen to try the same on 
a Mac machine. So, can I install the open-scap scanner on a Mac box (just like 
how I did it on a Linux with 'yum'), and once its installed can the same 
commandline options of oscap used in Mac as well?

Please clarify.

-Original Message-
From: Martin Preisler [mailto:mprei...@redhat.com] 
Sent: Friday, March 24, 2017 12:07 AM
To: Mohanraj, Bharath
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] OSCAP on Mac OS X

OpenSCAP itself can be compiled on and used on MacOS X in a special mode with 
"--disable-probes". In this mode it will be able to parse all the content but 
not evaluate OVAL on the target machine. We use this to build SCAP Workbench on 
MacOS X. Check out 
https://urldefense.proofpoint.com/v2/url?u=http-3A__static.open-2Dscap.org_scap-2Dworkbench-2D1.1_=CwIBaQ=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E=AUaowh4kDgwmfFF8B9dpIGVcrfeOZDaHu6Di1CZTnp4=O82npwmqefw_8jk2NS5N_XGVV3zzb-Xy5RDKO-cRPvM=7RGJpnRJIiMJTHmelA2S2S04tSpw7Z50Ago1-pdSmSQ=
  for how to use SCAP Workbench. The remote scanning workflow works on MacOS X 
as well as Windows.

Adding basic support for OSX into OpenSCAP probably wouldn't be that difficult 
but it's something we haven't looked into (yet). Any help welcome in that area.

On Thu, Mar 23, 2017 at 12:31 PM, Mohanraj, Bharath 
 wrote:
> Hi There,
>
> Can someone help me understand how OSCAP scanner can be used on a Mac OS X.
>
> Any pointers or doc notes will really help.
>
> Regards,
> Bharath M
>
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.redhat.com_ma
> ilman_listinfo_open-2Dscap-2Dlist=CwIBaQ=UrUhmHsiTVT5qkaA4d_oSzcam
> b9hmamiCDMzBAEwC7E=AUaowh4kDgwmfFF8B9dpIGVcrfeOZDaHu6Di1CZTnp4=O82
> npwmqefw_8jk2NS5N_XGVV3zzb-Xy5RDKO-cRPvM=KZFuFYBmiFrXURM686-e2weNK0T
> jZHT1PR7OTiFHZ6Q=



--
Martin Preisler

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

[Open-scap] OSCAP on Mac OS X

2017-03-23 Thread Mohanraj, Bharath 
Hi There,

Can someone help me understand how OSCAP scanner can be used on a Mac OS X.

Any pointers or doc notes will really help.

Regards,
Bharath M

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] customizing generation of mediation scripts

2017-03-23 Thread Jan Cerny 
Hi,

The bash code is taken from the input SCAP content,
eg. from /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
there is no magic behind that, basically oscap simply extracts
snippets from XML.

If you want to amend the script that is generated by oscap, unfortunately
that is not possible, we don't have any option to customize the
"oscap xccdf generate fix" command. Only way is to edit the generated
script manually. 

The best thing that you could do is to share your bash code
with others, that means to propose a pull request on SCAP Security
Guide project. The source code repository can be found on
https://github.com/OpenSCAP/scap-security-guide
We can help you with that and we will be happy if you contribute.

I recommend exploring /shared/templates/static/bash
and /shared/templates directories in the SCAP Security Guide
source code repository.


Regards


Jan Černý
Security Technologies | Red Hat, Inc.

- Original Message -
> From: "Greg Silverman (CS)" 
> To: open-scap-list@redhat.com
> Cc: "DL-VTAS-AS-Team-Sangria" 
> Sent: Tuesday, March 21, 2017 7:17:36 PM
> Subject: [Open-scap] customizing generation of mediation scripts
> 
> 
> 
> I would like to modify the fixes that oscap will generate and add some
> automatic fixes. For example
> 
> 
> 
> 1. The firewall fix bash code does not add the ssh service to the drop zone.
> Which file can I modify so that the “add-services ssh” is included in the
> generated remediation script.
> 
> 2. Where can I add bash code to fix items that are not currently fixed? (I
> realize that some future release may replace changes I make now.)
> 
> 
> 
> 
> 
> Greg Silverman
> 
> Veritas Technologies
> 
> Mountain View, CA
> 
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list