Hello David,

----- Original Message -----
> From: "david oliva" <[email protected]>
> To: [email protected]
> Sent: Tuesday, September 27, 2016 3:09:35 AM
> Subject: [Open-scap] Really nice tool
> 
> Dear Red Hat / OpenSCAP team:
> 
> Today, 26 Sep 2016, I had the opportunity to run OpenSCAP on RHEL 7 for the
> first time, and I am very pleased.

Nice to hear that!

> 
> Installing OpenSCAP and the SCAP Workbench was very straightforward with the
> yum install command.
> 
> - The content that came with the package was easy to run. I used the Workbench
> to run the XCCDF content, created an XML report and looked at the report in
> another browser.

You can also generate a nice HTML report using the "Show report" button.

> 
> - It was very nice to see a good use of the CCE specification. The first
> question coming to mind is, do you maintain a CCE dictionary that you can
> make available? A second question is, if a user wants to identify
> a configurable parameter and no CCE is available, can the user (very likely a
> developer) request a CCE number?

We don't maintain a CCE dictionary; the CCE numbers have been requested from
NIST.

> 
> - Analyzing the output XML reveals that the findings are mapped to the
> security controls of SP 800-53 Rev 4. What a nice feature!
> 
> - One of the videos on your site (
> https://www.open-scap.org/security-policies/scap-security-guide/#documentation
> ) indicates that you are engaging a remediation mechanism and not
> just discovering vulnerabilities. Are you using a remediation protocol or
> specification in particular?

Remediation is done by remediation scripts. The scripts are written in Bash.
Those scripts are included in the SCAP content.
The remediation can be run directly while scanning from SCAP Workbench or the
oscap command-line tool.

Currently we are working on adding remediation in the form of Ansible playbooks.
See https://blog-zbynek.rhcloud.com/2016/09/12/ssg-openscap-and-ansible/


> 
> - The output XML shows a very nice use of the CPE specification.
> 
> - The use of XCCDF is also very good. Can you please point me to a Red Hat
> XCCDF repository? Are you planning your content in the
> National Vulnerabilities Database?

I suppose you mean the XCCDF that SCAP Workbench used for scanning your RHEL
machine.
That XCCDF comes from the SCAP Security Guide project. SCAP Security Guide is
an open-source set of security policies written in SCAP format.
The source code is available on GitHub:
https://github.com/OpenSCAP/scap-security-guide
The latest release is here:
https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.30/scap-security-guide-0.1.30.zip
We plan to submit the USGCB profile of SCAP Security Guide to NVD.

> 
> - I am interested in running a vulnerability scan (I would like to see how
> OpenSCAP uses CVEs and CVSS).

Yes, it is possible, and it's one of the most common use cases of OpenSCAP.
Red Hat provides CVE streams for all the CVEs discovered in RHEL as a part of
Red Hat Security Advisories.
See
https://www.open-scap.org/resources/documentation/perform-vulnerability-scan-of-rhel-6-machine/
(It's for RHEL 6, but in RHEL 7 it's very similar.)

> 
> - I did not see any indication of using the Asset Identification (AI)
> specification.

OpenSCAP doesn't support this.

> 
> - I did not see any indication of using the Asset Reporting Format (ARF)
> specification.

We fully support the ARF format, both in SCAP Workbench and the oscap tool.
In SCAP Workbench, it's possible to save results as ARF using the Save results
button.
Actually we recommend ARF as the best format for reporting :-)

> 
> - I did not see any indication of using the Common Configuration Scoring
> System (CCSS) specification.
> - I did not see any indication of using the TMSAD specification.
> - I did not see any indication of using the Open Checklist Interactive
> Language (OCIL) specification. I am interested in your use of this
> specification because many security functions are not “automatable” (cannot
> be checked with security automation tools).

We don't support these three specifications.

> 
> - Are you planning to implement the Software Identification (SWID)
> specification of SCAP 1.3?

SWID is on our radar, but I can't promise anything now.

> 
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list

I hope I have answered your questions.

If you have any other questions or need more information,
we'll be excited to help you.

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.
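
An added example to go with the discussion of the output XML, the CCE
identifiers, the SP 800-53 mapping and the ARF format above; it is not code
from this thread or from the OpenSCAP project. It is a small Python parser
that reads an ARF result (what `oscap xccdf eval --results-arf` or the
Workbench "Save results" button writes), joins each rule result to the CCE
identifier and SP 800-53 references declared on the rule, and reports which
controls have failing rules. The XCCDF 1.2 and ARF 1.1 namespaces are the
real ones; the embedded document is a constructed, simplified sample (real
oscap output additionally wraps the benchmark in a data-stream collection and
records asset information), the rule ids and CCE numbers are placeholders,
and the href used to recognise SP 800-53 references is an assumption to be
adjusted to whatever your content uses.

```python
"""Summarise an ARF/XCCDF result: rule outcomes, CCE ids, SP 800-53 references.

Added example, not OpenSCAP project code. SAMPLE_ARF is a constructed,
simplified ARF-shaped document; rule ids and CCE numbers are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# Assumed href for SP 800-53 references in the content; adjust to your benchmark.
NIST_800_53_HREF = "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"


def q(tag):
    """Qualify an XCCDF element name with its namespace for ElementTree."""
    return "{%s}%s" % (XCCDF_NS, tag)


# Constructed sample; %(n53)s is substituted with NIST_800_53_HREF below.
SAMPLE_ARF = """<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <arf:report-requests><arf:report-request id="collection1"><arf:content>
    <xccdf:Benchmark id="xccdf_org.example_benchmark_sample">
      <xccdf:Rule id="xccdf_org.example_rule_sshd_disable_root_login" severity="medium">
        <xccdf:reference href="%(n53)s">AC-6</xccdf:reference>
        <xccdf:reference href="https://www.example.org/other-framework">X.1</xccdf:reference>
        <xccdf:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-0</xccdf:ident>
      </xccdf:Rule>
      <xccdf:Rule id="xccdf_org.example_rule_package_aide_installed" severity="medium">
        <xccdf:reference href="%(n53)s">SI-7</xccdf:reference>
        <xccdf:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-1</xccdf:ident>
      </xccdf:Rule>
      <xccdf:Rule id="xccdf_org.example_rule_no_cce_yet" severity="low">
        <xccdf:reference href="%(n53)s">AU-2</xccdf:reference>
      </xccdf:Rule>
    </xccdf:Benchmark>
  </arf:content></arf:report-request></arf:report-requests>
  <arf:reports><arf:report id="xccdf1"><arf:content>
    <xccdf:TestResult id="xccdf_org.example_testresult_sample">
      <xccdf:rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="medium">
        <xccdf:result>fail</xccdf:result>
      </xccdf:rule-result>
      <xccdf:rule-result idref="xccdf_org.example_rule_package_aide_installed" severity="medium">
        <xccdf:result>pass</xccdf:result>
      </xccdf:rule-result>
      <xccdf:rule-result idref="xccdf_org.example_rule_no_cce_yet" severity="low">
        <xccdf:result>notapplicable</xccdf:result>
      </xccdf:rule-result>
    </xccdf:TestResult>
  </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>
""" % {"n53": NIST_800_53_HREF}


def _rule_index(root):
    """Map rule id -> (CCE id or None, sorted SP 800-53 controls) from the Benchmark."""
    index = {}
    for rule in root.iter(q("Rule")):
        cce = None
        for ident in rule.findall(q("ident")):
            if "cce" in ident.get("system", "").lower():
                cce = ident.text.strip()
        controls = sorted(ref.text.strip() for ref in rule.findall(q("reference"))
                          if ref.get("href") == NIST_800_53_HREF)
        index[rule.get("id")] = (cce, controls)
    return index


def parse_arf(xml_text):
    """Return one dict per rule-result: rule id, outcome, severity, CCE, controls."""
    root = ET.fromstring(xml_text)
    index = _rule_index(root)
    rows = []
    for rr in root.iter(q("rule-result")):
        rule_id = rr.get("idref")
        cce, controls = index.get(rule_id, (None, []))
        rows.append({"rule": rule_id,
                     "result": rr.findtext(q("result"), default="unknown").strip(),
                     "severity": rr.get("severity", "unknown"),
                     "cce": cce, "controls": controls})
    return rows


def summarize(rows):
    """Count rule results by outcome (pass/fail/notapplicable/...)."""
    return dict(Counter(r["result"] for r in rows))


def failed_controls(rows):
    """SP 800-53 controls with at least one failing rule (a control gap list)."""
    return sorted({c for r in rows if r["result"] == "fail" for c in r["controls"]})


if __name__ == "__main__":
    rows = parse_arf(SAMPLE_ARF)
    for r in rows:
        print("%-14s %-7s %-12s %-10s %s" % (r["result"], r["severity"], r["cce"] or "-",
                                             ",".join(r["controls"]) or "-", r["rule"]))
    print("summary:", summarize(rows))
    print("controls with failures:", failed_controls(rows))
```

Point `parse_arf` at the text of a real ARF file to get the same table for a
scanned host; rules without a CCE (the case raised in the thread) show up with
`cce` set to `None`, and references to other frameworks are ignored because
only the SP 800-53 href is counted as a control.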
