Re: [Open-scap] timing rule evaluation times

2019-08-07 Thread Shawn Wells
On 8/7/19 2:58 PM, Greg Silverman wrote: Is there any way within oscap to record the time taken for each rule’s evaluation to complete? We sometimes see it taking over an hour to complete on RHEL7 and want to understand why. Could try verbose mode. Not sure if timestamps are generated.

Re: [Open-scap] Wish to disable check or remediation of STIG rules to remove X Windows and to use smart card

2019-06-25 Thread Shawn Wells
On 6/25/19 11:36 AM, Boucher, William wrote: I figured it out! That's great! To help others down the road who may have a similar issue, what was the fix? ___ Open-scap-list mailing list Open-scap-list@redhat.com

Re: [Open-scap] Help needed - to Quantify severity levels

2019-06-18 Thread Shawn Wells
On 6/18/19 3:45 PM, Trevor Vaughan wrote: At some point, these should probably be changed to correlate with the Vulnerability Severity Assessment Scale as outlined in the NIST 800-30 since it is well defined, a public standard at no cost, and 0-100 which lines up with most people's internal

Re: [Open-scap] Help needed - to Quantify severity levels

2019-06-07 Thread Shawn Wells
On 6/7/19 5:02 AM, harshad wadkar wrote: Respected Madam / Sir, I am referring the following url to know about open-scap and Ubuntu secure configuration. https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html I have one query : 1. At present, the severities

Re: [Open-scap] Need help on openscap SSG question

2019-04-29 Thread Shawn Wells
Would need to understand where the content is coming from. Perhaps scap-security-guide in RHEL, and if so, what RHEL and SSG version? Note red hat doesn’t publish rhel6 content in the National Checklist Program since rhel6 is out of active maintenance:

[Open-scap] Atomic Scan still based off RHEL 7.6?

2019-03-03 Thread Shawn Wells
Pulling the latest atomic scan shows the container image is still based on RHEL 7.6 (vs 7.7) and contains very old scap-security-guide package. When will it be rebased?

Re: [Open-scap] Phasing out the RHEL6 CI

2019-02-26 Thread Shawn Wells
On 2/26/19 12:07 PM, Boucher, William wrote: My only concern is that sometimes a government customer will mandate using some flavor of RHEL 6, for whatever reason they may have. For example, we have a government customer mandating we use 6.5 at the moment. And they are perfectly happy to

Re: [Open-scap] Open a ticket?

2019-02-18 Thread Shawn Wells
On 2/18/19 9:04 AM, Todd Williams wrote: I am trying to find out how to go about opening a ticket against openSCAP, can anyone point me in the right direction? Depends where you're consuming it. If using a commercial linux distro, would suggest opening a ticket with them directly. For

Re: [Open-scap] V-73159 - Question on requisite vs required in pam.d/system-auth

2019-02-14 Thread Shawn Wells
On 2/14/19 12:21 PM, Marek Haicman wrote: Hello, according to the v2r2, the check is supposed to be:
```
# cat /etc/pam.d/system-auth | grep pam_pwquality
password required pam_pwquality.so retry=3
```
If the command does not return an uncommented line containing the value "pam_pwquality.so",

Re: [Open-scap] Using profiles not distributed in

2019-02-08 Thread Shawn Wells
On 2/8/19 2:34 PM, Greg Silverman wrote: Let me ask in a different way. DISA published xml files with https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.zip. The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2 Release

Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-07 Thread Shawn Wells
On 2/4/19 2:27 PM, William Munyan wrote: Hey Shawn, I’ll add to Steve’s point that if there is not current OVAL support for the constructs you need, then the new OVAL tests/objects/states/items would need to be created in either a new OVAL schema or (more likely) as additions to the

Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-04 Thread Shawn Wells
On 2/4/19 6:08 PM, Steve Grubb wrote: On Mon, 4 Feb 2019 11:06:00 -0500 Shawn Wells wrote: When can OpenSCAP probes be expected for OpenShift? Are you talking about new OVAL tests? Probes so that OVAL tests could be created. Akin to the systemd probes

Re: [Open-scap] Hardening Redhawk 6.5

2019-01-30 Thread Shawn Wells
On 1/29/19 11:14 PM, Boucher, William wrote: Hi folks, I’ve been tasked with applying the RedHat 6 STIG to several RedHawk 6.5 systems. Running oscap should be relatively easy, to see where a base install sits initially (RedHawk is RedHat with modifications for embedded realtime use).

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2018-11-27 Thread Shawn Wells
On 11/27/18 6:23 PM, Boucher, William wrote: Hi folks, I am currently hardening an Ubuntu embedded system for delivery to a customer. I have downloaded the “Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1” from DISA, and I have obtained a copy of the SCAP Compliance checker tool “SCC 5.0.2

Re: [Open-scap] Disable STIG

2018-10-22 Thread Shawn Wells
On 10/22/18 7:22 AM, Gaurav Kamathe wrote: Hello All, I am a QA who needs to test some functionality when STIG is enabled on a server (RHEL) by the user. However the software does not provide any way to disable STIG (factory reset is the only option). Is there a workaround for this? Can i

Re: [Open-scap] OpenSCAP 1.3.0

2018-10-10 Thread Shawn Wells
On 10/10/18 5:01 AM, Jan Cerny wrote: Hi, OpenSCAP support for Windows hasn't been improved much since the 1.3.0_alpha1 releases. The only thing that we have done recently is that we added Windows CPEs to the inbuilt CPE dictionary. How far along is Windows support? Saw the mention of

Re: [Open-scap] OpenSCAP 1.3.0

2018-10-09 Thread Shawn Wells
On 10/9/18 7:38 AM, Jan Cerny wrote: Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.0 release. This is the first release from maint-1.3 maintenance branch. API/ABI is not compatible with 1.2.x releases. API/ABI is not compatible with 1.3.0_alpha

Re: [Open-scap] question on addon_fedora_oscap

2018-10-04 Thread Shawn Wells
On 10/4/18 3:05 AM, Jan Cerny wrote: Hi, Unfortunately, the "tailoring" feature is broken in Anaconda Addon. However, there is a workaround, suggested by Watson Yuuma Sato (adding him to this conversation). Let me copy-paste his idea: There is a tool that can combine the tailoring to the

Re: [Open-scap] Can we remove some service checks from the profile

2018-09-05 Thread Shawn Wells
On 9/5/18 6:20 AM, Dhanushka Parakrama wrote: Hi Team I wanted to remove the few service checks from the profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high (Eg: Ensure /tmp Located On Separate Partition, xccdf_org.ssgproject.content_rule_partition_for_tmp) and build new

Re: [Open-scap] SCAP customizations and OS migrations

2018-06-05 Thread Shawn Wells
On 6/3/18 11:59 PM, Robert Sanders wrote: Marek, Thank you for your reply. While I understand how it can be difficult to compare between versions, I've found it very useful to do so. I've written a very rough hack (as in, one step better than a stone axe) that will compare multiple

Re: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries

2018-04-27 Thread Shawn Wells
On 4/27/18 1:18 AM, Mohanraj, Bharath wrote: Thanks Shawn for the clarification… One last thing I want to mention here is… some of the RHEL boxes in my environment are locked down from internet... so they will not have access to the repository to fetch oscap binaries, and that’s the

Re: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries

2018-04-26 Thread Shawn Wells
On 4/26/18 7:00 PM, Christopher Wiedmaier wrote: How can I be removed from this list?  I have completed the unsubscribe steps multiple times but I still end up receiving e-mails. https://www.redhat.com/mailman/listinfo/open-scap-list Under the "openscap-list subscribers" section (last

Re: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries

2018-04-26 Thread Shawn Wells
On 4/26/18 1:09 PM, Mohanraj, Bharath wrote: I tried to download only the oscap rpms by using the below command,
yum install --downloadonly --downloaddir=/opt/oscaprpm openscap-scanner
And once the above command is triggered, it downloaded the below bunch of RPMs… My intention

Re: [Open-scap] First try at remote scanning

2018-02-28 Thread Shawn Wells
On 2/28/18 9:24 AM, Geoffry Roberts wrote: > All, > > I tried my first remote scan and don't understand the result. > > I ran the following, which is almost a cut and paste from the manual: > > oscap-ssh root@ xccdf eval --profile MAC-3_Sensitive --report > report.html >

Re: [Open-scap] openscap version support

2018-02-05 Thread Shawn Wells
On 2/5/18 2:10 PM, r hartikainen wrote: > Hello everyone > > I am trying to find answer how Openscap should be used when there is need to > run different minor versions of operating system, in my case its about rhel > 7.2 and the very latest 7.x. > I have piece of software that requires me to

Re: [Open-scap] oscap results stored in central database?

2018-01-31 Thread Shawn Wells
On 1/31/18 10:22 PM, Luke Salsich wrote: > Hey all, > > I've been using OpenSCAP for a while on our servers and really > appreciate what it does.  > > I've been looking around for a way to store scan results and then > query them and I can't seem to locate any plugins or apps which do > this

Re: [Open-scap] https://www.open-scap.org/ down?

2018-01-20 Thread Shawn Wells
Seems restored now (approx 11am US EST). > On Jan 20, 2018, at 5:21 AM, Šimon Lukašík wrote: > > > Can you guys please take a look? > > ~š.

Re: [Open-scap] [open-scap] scan percentage with respect to rules specified by STIG

2017-09-06 Thread Shawn Wells
On 9/6/17 9:58 AM, Wesley Ceraso Prudencio wrote: > Thanks Shawn, I didn't notice the extension from common profile. Of course. It's incredibly hard to keep tabs on what 3rd parties are putting into their baselines so while our rule counts may be close, there's little assurance that

Re: [Open-scap] [open-scap] scan percentage with respect to rules specified by STIG

2017-09-05 Thread Shawn Wells
On 9/5/17 4:38 AM, Wesley Ceraso Prudencio wrote: > I'm not an expert, but if I got it right, we currently cover approximately > 85% of STIG rules for RHEL7 and 23% for RHEL6. Something seems off In RHEL6, the STIG profile extends the common profile: > $ head -1

Re: [Open-scap] what profile to use in RHEL7

2017-07-18 Thread Shawn Wells
On 7/18/17 1:09 PM, Martin Preisler wrote: > On Mon, Jul 17, 2017 at 6:44 PM, Smith, Cathy wrote: >> Folks >> >> I’m trying to build a customized profile for RHEL7. I’m not sure about the >> list of profile names offered through the oscap command and the list shown >> in

Re: [Open-scap] Logos and other materials for SCAP projects

2017-07-17 Thread Shawn Wells
On 7/17/17 2:59 PM, Martin Preisler wrote: > Hi, > I have gathered all the logos and other graphics and put them into a > GitHub repository to make sure they don't get lost. Most of these (if > not all) have been created by Lenka Horakova. > > https://github.com/OpenSCAP/promo > > If you have

Re: [Open-scap] [Newbie] Way to search the archives?

2017-06-13 Thread Shawn Wells
On 6/13/17 9:42 AM, leam hall wrote: > Hey Mike, sorry if I'm dense. I looked at the URL and it seems to be > the initial welcome page. Messages go back as far as 2009, how do I > search what has already been answered? google for "centos site:https://www.redhat.com/archives/open-scap-list/;

Re: [Open-scap] results not being checked in disa stig

2017-04-05 Thread Shawn Wells
On 4/5/17 2:54 PM, Greg Hennessy wrote: > Bummer > > On Wed, Apr 5, 2017 at 1:53 PM, Shawn Wells <sh...@redhat.com> wrote: > > > > On 4/5/17 1:43 PM, Greg Hennessy wrote: >> I am exploring the use of open-scap to ver

Re: [Open-scap] results not being checked in disa stig

2017-04-05 Thread Shawn Wells
On 4/5/17 1:43 PM, Greg Hennessy wrote: > I am exploring the use of open-scap to verify my machines meet > the DISA stigs. If I run oscap against the > /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml file things seem to work > as expected. If I run oscap against the file from iase.disa.mil >

Re: [Open-scap] SCAP Security Guide 0.1.32

2017-03-30 Thread Shawn Wells
to get these resolved before uploading to NIST and before this release makes it into downstream releases (e.g. RHEL 7.4 rebase). What's the best way to start working these bugs? Is there a deadline for when these bugs must be resolved for inclusion downstream? On 3/30/17 9:07 AM, Shawn Wells wrote

Re: [Open-scap] SCAP Security Guide 0.1.32

2017-03-30 Thread Shawn Wells
Thank you! Looking forward to downloading the data stream and testing it. I can start the process to get the new release posted to NIST. Shawn Wells > On Mar 30, 2017, at 8:22 AM, Watson Yuuma Sato <ws...@redhat.com> wrote: > > Hello folks, > > We have the pleasure

Re: [Open-scap] tailoring file not working

2017-03-29 Thread Shawn Wells
LlOc0plYIVpTPuVVs=>" > xml:lang="en-US" override="true">This is a *draft* profile for PCI-DSS > v3 > > selected="false"/> > > idref="xccdf_org.ssgproject.content_group_smart_card_login" > selected=&q

Re: [Open-scap] SCAP Workbench 1.1.4

2017-01-23 Thread Shawn Wells
On 1/23/17 11:29 AM, Shawn Wells wrote: > > > On 1/17/17 11:54 AM, Watson Yuuma Sato wrote: >> >> I noticed your screenshot doesn't show the count of selected rules >> for each profile. >> >> And the concatenated profile title is something th

Re: [Open-scap] SCAP Workbench 1.1.4

2017-01-16 Thread Shawn Wells
On 1/13/17 12:00 PM, Watson Yuuma Sato wrote: > > Hi, > > A new release of SCAP Workbench is out! > > This release brings a lot of bug fixes and improvements, including > a lot of UX improvements and fixes for inappropriate error messages > (fetch remote resources and query capabilities). > >

Re: [Open-scap] Really nice tool

2016-09-27 Thread Shawn Wells
On 9/27/16 4:07 AM, Jan Cerny wrote: > Hello David, > > - Original Message - >> From: "david oliva" >> To: Open-scap-list@redhat.com >> Sent: Tuesday, September 27, 2016 3:09:35 AM >> Subject: [Open-scap] Really nice tool >> >> >> >> Dear Red Hat /OpenSCAP team:

Re: [Open-scap] New COPR repository for OpenSCAP projects

2016-07-19 Thread Shawn Wells
On 7/19/16 11:31 AM, Martin Preisler wrote: - Original Message - >From: "Jan Cerny" >To:open-scap-list@redhat.com >Sent: Tuesday, July 19, 2016 9:19:04 AM >Subject: [Open-scap] New COPR repository for OpenSCAP > >Hi all, > >We have created a new COPR repository that

Re: [Open-scap] SCAP editor

2016-05-23 Thread Shawn Wells
to compile that into proper SCAP 1.2 compliant file and run it. - Auto completion of OVAL definitions (ind:filepath, testcheck...) -- Shawn Wells Chief Security Strategist U.S. Public Sector sh...@redhat.com | 443.534.0130