Re: [Open-scap] OpenSCAP for embedded/network devices

2017-03-16 Thread Watson Yuuma Sato

On 15/03/17 17:24, Eric Holtzclaw wrote:

> You do have support for Cisco
> http://www.cisco.com/c/en/us/about/security-center/oval-security-automation.html

I see that Cisco provides OVAL content to scan their devices, and even 
provides an example of how to do so, but using joval, which can perform 
remote scanning without installation of any agent.


I still don't see how to scan Cisco devices with OpenSCAP. Am I missing 
something?


--
Watson Sato
Security Technologies | Red Hat, Inc

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] OpenSCAP for embedded/network devices

2017-03-15 Thread Watson Yuuma Sato

On 25/02/17 16:43, Lee Wilson wrote:

> Hi Everyone,


Hi Lee, sorry for the delayed response.



> I've recently come across OpenSCAP after wasting my time with
> openVAS as a means of improving the way my company does vulnerability
> and configuration management of our network devices (e.g. Cisco,
> Juniper, Palo Alto, etc).
>
> From an initial review though, it seems in its current state to be very
> server focused. Would that be a fair assessment?


I wouldn't say so, but I guess you can; OpenSCAP was designed with 
machines in mind, and recent efforts have been directed to containers and 
container images.



> Back in January 2016 someone posted a similar query on this list where
> it was suggested to use jovalcm but that is a proprietary product and
> they have ceased all development on the open source variant.
>
> https://www.redhat.com/archives/open-scap-list/2016-January/msg0.html


I think it is still true; we don't have support for Cisco.

> As far as I can tell there is nothing in the underlying architecture
> that prevents this from working, the main issue being that it is
> required for the various scripts to be copied to the device being
> scanned. This is required even when using the remote SSH scanning
> option according to the documentation:
>
> http://martin.preisler.me/2015/05/scanning-remote-machines-with-openscap/

I think that by script you mean the SCAP contents, or policies. Yes, 
even when using remote scanning the contents are copied onto the remote machine.

And the remote machine also needs to have oscap-scanner installed.

> I came across a presentation which pretty much covers what I'm trying
> to do:
>
> https://scap.nist.gov/events/2011/itsac/presentations/day3/Nunez%20-%20SCAP%20for%20Inter-networking%20Devices.pdf
>
> The use of the Script Check Engine intrigues me but I believe I'll
> still be restricted as those scripts still need to be copied to the
> server but it does mention that environment variables can be passed to
> the script so that remote checks can be run and then the output saved
> as check result files as documented:
>
> https://www.open-scap.org/features/other-standards/sce/


I'm not very familiar with SCE, but I'll try to explain.
What happens is that oscap will copy the SCAP contents to the remote 
machine, along with the checking scripts.
Where the content defines that a checking script should be used instead 
of an OVAL check, oscap will pass the checking script and the environment 
variables defined in the content to SCE (Script Check Engine).

Then SCE, with the scripts and environment variables, will perform the check.



> In essence the steps would be:
>
> 1) Specify profile to run and the target(s) to run on
>
> 2) Pass target hostname/ip along with (perhaps) login credentials
> (e.g. username/password or SNMP community) to the script
>
> 3) Script runs on the same device as the SCAP workbench, logging into
> the device via the appropriate method (SSH or SNMP)
>
> 4) Results are saved as check-result files to be picked up by the
> oscap tool for processing


The checking script doesn't need to know any credentials. Oscap will 
receive the credentials, log in to the target machine and copy the content 
and scripts.
If performing a remote scan with SCAP Workbench, no content or script scan 
is performed on the local machine.




> The only concern I have at the moment with this approach is that it would
> require multiple SSH logins (one for each script run) but I'm sure
> improvements could be made in the future to batch them during a single
> login session.



AFAIK it requires one SSH login per device/machine scanned.



> Alternatively would it be possible for all the above steps to be run
> in advance and then just have the oscap tool look at the resulting
> check-result files, in effect doing something similar to an offline
> config audit? This would be considered a local scan I guess, no
> different to a customer handing me a raw Cisco CLI output/config and
> saying here audit this.


Whether performing a local or a remote scan, OpenSCAP can generate XCCDF 
results and HTML reports for someone to audit.



> I'd be interested in trying to get something like this working but if
> anyone has got any experience and can tell me if I'm wasting my time
> or not, it would be appreciated.


I think the major blocker here is that OpenSCAP needs an agent on the 
target machine being scanned, and we don't have such an agent for Cisco.
I don't know what Cisco runs underneath, nor the difficulty of making it 
run on it.



> Thanks in advance


Hope to have clarified your vision of what OpenSCAP is capable of.



> Lee






--
Watson Sato
Security Technologies | Red Hat, Inc


[Open-scap] OpenSCAP for embedded/network devices

2017-02-25 Thread Lee Wilson
Hi Everyone,


I've recently come across OpenSCAP after wasting my time with openVAS as a 
means of improving the way my company does vulnerability and configuration 
management of our network devices (e.g. Cisco, Juniper, Palo Alto, etc).


From an initial review though, it seems in its current state to be very server 
focused. Would that be a fair assessment?


Back in January 2016 someone posted a similar query on this list where it was 
suggested to use jovalcm but that is a proprietary product and they have ceased 
all development on the open source variant.

https://www.redhat.com/archives/open-scap-list/2016-January/msg0.html


As far as I can tell there is nothing in the underlying architecture that 
prevents this from working, the main issue being that it is required for the 
various scripts to be copied to the device being scanned. This is required even 
when using the remote SSH scanning option according to the documentation:

http://martin.preisler.me/2015/05/scanning-remote-machines-with-openscap/


I came across a presentation which pretty much covers what I'm trying to do:

https://scap.nist.gov/events/2011/itsac/presentations/day3/Nunez%20-%20SCAP%20for%20Inter-networking%20Devices.pdf


The use of the Script Check Engine intrigues me but I believe I'll still be 
restricted as those scripts still need to be copied to the server but it does 
mention that environment variables can be passed to the script so that remote 
checks can be run and then the output saved as check result files as documented:

https://www.open-scap.org/features/other-standards/sce/


In essence the steps would be:

1) Specify profile to run and the target(s) to run on

2) Pass target hostname/ip along with (perhaps) login credentials (e.g. 
username/password or SNMP community) to the script

3) Script runs on the same device as the SCAP workbench, logging into the 
device via the appropriate method (SSH or SNMP)

4) Results are saved as check-result files to be picked up by the oscap tool 
for processing


The only concern I have at the moment with this approach is that it would require 
multiple SSH logins (one for each script run) but I'm sure improvements could 
be made in the future to batch them during a single login session.


Alternatively would it be possible for all the above steps to be run in advance 
and then just have the oscap tool look at the resulting check-result files, in 
effect doing something similar to an offline config audit? This would be 
considered a local scan I guess, no different to a customer handing me a raw 
Cisco CLI output/config and saying here audit this.


I'd be interested in trying to get something like this working but if anyone 
has got any experience and can tell me if I'm wasting my time or not, it would 
be appreciated.


Thanks in advance


Lee
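Added example (editor's note, not code from the OpenSCAP project or from anyone on this thread): the exchange above describes two things, how SCE hands a checking script its environment variables and turns its exit status into an XCCDF result (Watson's explanation), and the "offline config audit" idea of pointing oscap at a configuration that was collected in advance (Lee's steps and follow-up question). The script below combines both: it is an SCE-style check that audits a saved device configuration file rather than logging in to the device, so it runs wherever oscap runs and needs neither an agent on the device nor an SSH session per check. The XCCDF_RESULT_* exit codes are the ones SCE exports to scripts; the XCCDF_VALUE_CONFIG_PATH variable name, the two sample configurations and the two checks (password obfuscation, SSH-only vty lines) are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example; not code from the OpenSCAP project or from anyone on this thread.
# An SCE-style check script that audits a *saved* device configuration file
# (the "offline config audit" idea above) instead of logging in to the device.
# SCE runs a script and maps its exit status to an XCCDF result; the
# XCCDF_RESULT_* names below are the variables SCE exports to scripts, with
# defaults so the script also runs outside oscap.
: "${XCCDF_RESULT_PASS:=101}"
: "${XCCDF_RESULT_FAIL:=102}"
: "${XCCDF_RESULT_ERROR:=103}"

# audit_saved_config [CONFIG_PATH]
# Assumption: the XCCDF content defines a Value that SCE exposes to the script
# as XCCDF_VALUE_CONFIG_PATH (a hypothetical name); an explicit argument wins.
# Prints one PASS/FAIL line per check and returns the SCE exit code.
audit_saved_config() {
    cfg="${1:-${XCCDF_VALUE_CONFIG_PATH:-}}"
    if [ ! -r "$cfg" ]; then
        echo "ERROR: configuration file not readable: '$cfg'" >&2
        return "$XCCDF_RESULT_ERROR"
    fi
    failures=0

    # Check 1: stored passwords must be obfuscated, i.e. the global
    # "service password-encryption" line is present and not negated.
    if grep -q '^service password-encryption' "$cfg" &&
       ! grep -q '^no service password-encryption' "$cfg"; then
        echo "PASS: service password-encryption is enabled"
    else
        echo "FAIL: service password-encryption is not enabled"
        failures=$((failures + 1))
    fi

    # Check 2: every "line vty" block must carry "transport input ssh" so that
    # remote management is SSH-only. Sub-commands are indented; a block ends at
    # the next non-indented line (for example "!" or the next "line ...").
    bad_vty=$(awk '
        /^line vty/ { if (invty && !ssh) bad++; invty = 1; ssh = 0; next }
        /^[^ ]/     { if (invty && !ssh) bad++; invty = 0; next }
        invty && /^ *transport input ssh *$/ { ssh = 1 }
        END { if (invty && !ssh) bad++; print bad + 0 }' "$cfg")
    if [ "$bad_vty" -eq 0 ]; then
        echo "PASS: all vty line blocks are SSH-only"
    else
        echo "FAIL: $bad_vty vty line block(s) allow a non-SSH transport"
        failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ] && return "$XCCDF_RESULT_PASS" || return "$XCCDF_RESULT_FAIL"
}

# write_sample_configs [DIR]: writes two constructed sample configurations
# (not real device output) into DIR and prints DIR, for a local run.
write_sample_configs() {
    dir="${1:-$(mktemp -d)}"
    cat > "$dir/hardened.cfg" <<'EOF'
hostname lab-rtr1
service password-encryption
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
!
EOF
    cat > "$dir/weak.cfg" <<'EOF'
hostname lab-rtr2
no service password-encryption
!
line vty 0 4
 transport input telnet ssh
!
line vty 5 15
 transport input ssh
!
EOF
    echo "$dir"
}

# When oscap (or a user) supplies a configuration, behave like a real SCE
# script: audit it and report through the exit status.
if [ $# -gt 0 ] || [ -n "${XCCDF_VALUE_CONFIG_PATH:-}" ]; then
    audit_saved_config "${1:-}"
    exit $?
fi

# Otherwise run a stand-alone demo over the constructed samples and show the
# exit status oscap would map to an XCCDF result (101 = pass, 102 = fail).
demo_dir=$(write_sample_configs)
for f in "$demo_dir/hardened.cfg" "$demo_dir/weak.cfg"; do
    rc=0
    audit_saved_config "$f" || rc=$?
    echo "$f -> exit status $rc"
done
rm -rf "$demo_dir"
```

Run it with no arguments to see the two sample audits, or as `./audit.sh saved-config.txt` to get the SCE-style exit status for a file you collected from a device. To wire it into content, the XCCDF rule would reference the script through a check with the SCE system identifier (http://open-scap.org/page/SCE, as on the SCE feature page linked above) and bind a Value holding the file path to the script; the exact export name is an assumption here, so check the SCE documentation for the binding syntax. Because the check reads a file rather than the device, the per-device SSH login and the agent requirement that Watson describes do not apply: the collection step happens once, by whatever means you already use, and the audit is a local scan.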