On 9/27/16 4:07 AM, Jan Cerny wrote:
> Hello David,
>
> ----- Original Message -----
>> From: "david oliva" <david.ol...@verizon.net>
>> To: Open-scap-list@redhat.com
>> Sent: Tuesday, September 27, 2016 3:09:35 AM
>> Subject: [Open-scap] Really nice tool
>>
>>
>>
>> Dear Red Hat /OpenSCAP team:
>>
>>
>>
>>
>> Today 26 Sep 2016 I had the opportunity to run OpenSCAP on RHEL 7 for the
>> first time, and I am very pleased.
> Nice to hear that!
>
>> Installing OpenSCAP, and the SCAP Workbench was very straightforward with the
>> yum install command.
>>
>>
>>
>> - The content that came with the package was easy to run. I used the Workbench
>> to run the XCCDF content, created an XML report and looked at the report in
>> another browser.
> You can also generate a nice HTML report using "Show report" button.
>
>>
>>
>>
>> - It was very nice to see a good use of the CCE specification. The first
>> question coming to mind is, do you maintain a CCE dictionary that you can
>> make available? A second question is, if a user wants to identify
>> a configurable parameter and no CCE is available, can the user (very likely a
>> developer) request a CCE number?
> We don't maintain a CCE dictionary, the CCE numbers have been requested from 
> NIST.

Tables which map CCEs to NIST 800-53 references exist. For example, the
following is generated via 'make tables':
http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-nistrefs-ospp.html

Right now the tables are generated on a per-profile basis. That was
largely driven by user request. There's no reason we couldn't generate a
"master mapping table" if that'd be useful.

As Jan mentioned, CCE numbers are given to technology vendors by NIST.
For Red Hat technologies, we drop the CCEs into the
shared/references/cce-rhel-avail.txt file. From there, community members
can take an available CCE and assign it to a Red Hat configuration rule
(e.g. in RHEL6 or RHEL7) via a pull request. Alternatively, open a
ticket requesting a mapping. Note that tickets on GitHub reflect
community initiatives -- no SLAs, just community effort. Tickets
directly against Red Hat (via customer support) carry SLAs. Both methods
are valid, just depends on how you choose to engage with the OpenSCAP
community :)


>> - Analyzing the output XML reveals that the findings are mapped to the
>> security controls of SP 800-53 Rev 4. What a nice feature!
>>
>>
>> - One of the videos on your site (
>> https://www.open-scap.org/security-policies/scap-security-guide/#documentation
>> ) indicates that you are engaging a remediation mechanism and not
>> just discovering vulnerabilities. Are you using a remediation protocol or
>> specification in particular?
> Remediation is done by remediation scripts. The scripts are written in Bash.
> Those scripts are included in the SCAP content.
> The remediation can be run directly while scanning from SCAP Workbench or 
> oscap command line tool.
>
> Currently we are working on adding remediation in the form of Ansible playbooks.
> See https://blog-zbynek.rhcloud.com/2016/09/12/ssg-openscap-and-ansible/
>
>
>> - The output XML shows a very nice use of the CPE specification.
>>
>>
>> - The use of XCCDF is also very good. Can you please point me to a Red Hat
>> XCCDF repository? Are you planning your content in the
>> National Vulnerability Database?
> I suppose you mean the XCCDF that SCAP Workbench used for scanning your RHEL
> machine.
> That XCCDF comes from the SCAP Security Guide project. SCAP Security Guide is
> an open-source set of security policies written in SCAP format.
> The source code is available at Github:
> https://github.com/OpenSCAP/scap-security-guide
> Latest release is here:
> https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.30/scap-security-guide-0.1.30.zip
> We plan to submit the USGCB profile of SCAP Security Guide to NVD.

In regards to a "red hat repository," upstream would be the
OpenSCAP/SCAP Security Guide. Downstream in RHEL, content ships via the
"scap-security-guide" package.

We've been trying to get RHEL6 and RHEL7 content into the NIST NVD for
_*years*_. Seems an impossible task.


>> - I am interested in running a vulnerability scan (I would like to see how
>> OpenSCAP uses CVEs and CVSS)
> Yes, it is possible, and it's one of the most common use-cases of OpenSCAP.
> Red Hat provides CVE streams for all the CVEs discovered in RHEL as a part
> of Red Hat Security Advisories.
> See 
> https://www.open-scap.org/resources/documentation/perform-vulnerability-scan-of-rhel-6-machine/
> (It's for RHEL6, but in RHEL7 it's very similar)
>
>> - I did not see any indication of using the Asset Identification (AI)
>> specification.
> OpenSCAP doesn't support this.
>
>> - I did not see any indication of using the Asset Reporting Format (ARF)
>> specification.
> We fully support the ARF format, both in SCAP Workbench and oscap tool.
> In SCAP Workbench, it's possible to save results as ARF using Save results 
> button.
> Actually we recommend ARF as a best format for reporting :-)
>
>> - I did not see any indication of using the Common Configuration Scoring
>> System (CCSS) specification.
>> - I did not see any indication of using the TMSAD specification.
>> - I did not see any indication of using the Open Checklist Interactive
>> Language (OCIL) specification. I am interested in your use of this
>> specification because many security functions are not “automatable” (cannot
>> be checked with security automation tools).
>
> We don't support these three specifications.

There's no reason we couldn't though. Nobody has asked.


>> - Are you planning to implement the Software Identification (SWID)
>> specification of SCAP 1.3?
> SWID is on our radar, but I can't promise anything now.
>
>>
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
> I hope I have answered your questions.
>
> If you have any other questions or need more information,
> we'll be excited to help you.
>
> Best regards
>
> Jan Černý
> Security Technologies | Red Hat, Inc.

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
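Since the questions above are about CCE, the SP 800-53 mapping and ARF, here is an added example of how those pieces fit together in the result XML. It is not code from this thread, from OpenSCAP or from SCAP Security Guide. It joins each rule-result in an XCCDF result file (or in an ARF file, which wraps the same elements) to the rule's CCE ident and its 800-53 reference entries, then lists the controls touched by failing rules and the rules that still have no CCE, i.e. the ones you would open a PR or ticket for. The sample document, its rule ids and its CCE numbers are constructed placeholders, and the href used to recognize an 800-53 reference is an assumption about how the content links it.

```python
"""Join XCCDF rule results to CCE identifiers and NIST SP 800-53 references.

Added example; not code from this thread, from OpenSCAP or from SSG. It works
on the XCCDF result that `oscap xccdf eval --results` writes (a Benchmark with
an embedded TestResult) and, because it searches the whole tree rather than a
fixed path, on the ARF output of `--results-arf`, which wraps the same elements.
SAMPLE is constructed: rule ids, CCE numbers and controls are placeholders.
"""
import re
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}
# Assumed shape of an 800-53 control id: two letters, dash, number, optional
# enhancement in parentheses, e.g. AC-6 or AU-2(3).
CONTROL_RE = re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$")

# Assumption: the content links 800-53 references to the Rev 4 PDF; the code
# only relies on the href mentioning "800-53".
SP80053 = "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
CCE_SYSTEM = "https://nvd.nist.gov/cce/index.cfm"

# Constructed sample result: three rules, one of them without a CCE.
SAMPLE = f"""<Benchmark xmlns="{XCCDF}" id="xccdf_example_benchmark_sample">
  <Rule id="xccdf_example_rule_sshd_disable_root_login" selected="true" severity="medium">
    <title>Disable SSH root login</title>
    <reference href="{SP80053}">AC-6</reference>
    <reference href="{SP80053}">IA-2</reference>
    <reference href="http://example.com/local-policy">Section 4.2</reference>
    <ident system="{CCE_SYSTEM}">CCE-00001-1</ident>
  </Rule>
  <Rule id="xccdf_example_rule_audit_login_events" selected="true" severity="medium">
    <title>Record login and logout events</title>
    <reference href="{SP80053}">AU-2</reference>
    <reference href="{SP80053}">AU-12</reference>
    <ident system="{CCE_SYSTEM}">CCE-00002-2</ident>
  </Rule>
  <Rule id="xccdf_example_rule_package_telnet_removed" selected="true" severity="high">
    <title>Remove the telnet package</title>
    <reference href="{SP80053}">CM-7</reference>
  </Rule>
  <TestResult id="xccdf_example_testresult_sample" start-time="2016-09-26T10:00:00">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_login_events"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_package_telnet_removed"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_metadata(root):
    """Map each Rule id to its CCE (first CCE ident, or None) and 800-53 controls."""
    meta = {}
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        cces = [i.text.strip() for i in rule.findall("x:ident", NS)
                if i.text and i.text.strip().startswith("CCE-")]
        nist = [r.text.strip() for r in rule.findall("x:reference", NS)
                if r.text and "800-53" in r.get("href", "")
                and CONTROL_RE.match(r.text.strip())]
        meta[rule.get("id")] = {"cce": cces[0] if cces else None, "nist": nist}
    return meta


def rule_results(root):
    """Map each rule-result idref to its result string (pass, fail, notapplicable, ...)."""
    return {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
            for rr in root.iter(f"{{{XCCDF}}}rule-result")}


def mapping_table(xml_text):
    """One row per evaluated rule: rule id, result, CCE and 800-53 controls."""
    root = ET.fromstring(xml_text)
    meta, results = rule_metadata(root), rule_results(root)
    return [{"rule": rid, "result": res, **meta.get(rid, {"cce": None, "nist": []})}
            for rid, res in results.items()]


def failed_controls(rows):
    """800-53 controls touched by at least one failing rule, sorted."""
    return sorted({c for r in rows if r["result"] == "fail" for c in r["nist"]})


def unmapped_rules(rows):
    """Evaluated rules with no CCE: candidates for a CCE-assignment PR or ticket."""
    return sorted(r["rule"] for r in rows if r["cce"] is None)


if __name__ == "__main__":
    table = mapping_table(SAMPLE)
    for row in table:
        controls = ", ".join(row["nist"]) or "-"
        print(f'{row["result"]:<6} {row["cce"] or "-":<12} {controls:<14} {row["rule"]}')
    print("controls with a failing rule:", ", ".join(failed_controls(table)))
    print("rules without a CCE:", ", ".join(unmapped_rules(table)))
```

To use it on a real scan, run `oscap xccdf eval --results results.xml ...` first and pass the file contents to `mapping_table()`. The per-profile tables linked above are the same kind of rule-to-control join, done over a whole profile rather than over one scan's results.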
