Hi Everyone,

I've recently come across OpenSCAP after wasting my time with openVAS as a 
means of improving the way my company does vulnerability and configuration 
management of our network devices (e.g. Cisco, Juniper, Palo Alto, etc).


From an initial review though, it seems in its current state to be very server 
focused. Would that be a fair assessment?


Back in January 2016 someone posted a similar query on this list where it was 
suggested to use jovalcm, but that is a proprietary product and they have ceased 
all development on the open source variant.

https://www.redhat.com/archives/open-scap-list/2016-January/msg00000.html


As far as I can tell there is nothing in the underlying architecture that 
prevents this from working, the main issue being that it is required for the 
various scripts to be copied to the device being scanned. This is required even 
when using the remote SSH scanning option according to the documentation:

http://martin.preisler.me/2015/05/scanning-remote-machines-with-openscap/


I came across a presentation which pretty much covers what I'm trying to do:

https://scap.nist.gov/events/2011/itsac/presentations/day3/Nunez%20-%20SCAP%20for%20Inter-networking%20Devices.pdf


The use of the Script Check Engine intrigues me, but I believe I'll still be 
restricted as those scripts still need to be copied to the server. It does 
mention that environment variables can be passed to the script so that remote 
checks can be run and then the output saved as check result files, as documented:

https://www.open-scap.org/features/other-standards/sce/


In essence the steps would be:

1) Specify profile to run and the target(s) to run on

2) Pass target hostname/ip along with (perhaps) login credentials (e.g. 
username/password or SNMP community) to the script

3) Script runs on the same device as the SCAP workbench, logging into the 
device via the appropriate method (SSH or SNMP)

4) Results are saved as check-result files to be picked up by the oscap tool 
for processing


The only concern I have at the moment with this approach is that it would require 
multiple SSH logins (one for each script run), but I'm sure improvements could 
be made in the future to batch them during a single login session.


Alternatively, would it be possible for all the above steps to be run in advance 
and then just have the oscap tool look at the resulting check-result files, in 
effect doing something similar to an offline config audit? This would be 
considered a local scan I guess, no different to a customer handing me a raw 
Cisco CLI output/config and saying "here, audit this".


I'd be interested in trying to get something like this working but if anyone 
has got any experience and can tell me if I'm wasting my time or not, it would 
be appreciated.


Thanks in advance


Lee
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
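The offline-audit variant Lee describes (steps 1-4 run in advance, oscap only consuming the results), as an added example that is not part of the post or of OpenSCAP itself: a check script in the shape SCE expects, reading the XCCDF_RESULT_* codes SCE exports into its environment and auditing a constructed IOS-style config embedded inline. The XCCDF_VALUE_config_path binding and the three rules are assumptions for illustration, not names defined by OpenSCAP.

```python
import os
import re
import sys

# SCE exports these result codes into the script's environment; the numeric
# fallbacks match the OpenSCAP defaults so the script also runs stand-alone.
RESULT_PASS = int(os.environ.get("XCCDF_RESULT_PASS", "101"))
RESULT_FAIL = int(os.environ.get("XCCDF_RESULT_FAIL", "102"))
RESULT_ERROR = int(os.environ.get("XCCDF_RESULT_ERROR", "103"))

# Constructed sample of a saved IOS-style running config (not a real device).
SAMPLE_CONFIG = """\
hostname edge-router
service password-encryption
ip http server
line vty 0 4
 transport input telnet ssh
"""

# Each rule: (name, regex applied per line, True if a match must exist / False if it must not).
RULES = [
    ("service password-encryption", re.compile(r"^service password-encryption$"), True),
    ("no ip http server", re.compile(r"^ip http server$"), False),
    ("vty transport input ssh only", re.compile(r"^\s+transport input ssh$"), True),
]

def audit_config(config_text: str, rules=RULES):
    """Return (xccdf_result_code, list_of_failed_rule_names) for an offline config audit."""
    lines = config_text.splitlines()
    findings = []
    for name, pattern, must_match in rules:
        matched = any(pattern.match(line) for line in lines)
        if matched != must_match:
            findings.append(name)
    return (RESULT_PASS if not findings else RESULT_FAIL, findings)

def main() -> int:
    # XCCDF_VALUE_config_path is an assumed value binding; without it the sample is audited.
    path = os.environ.get("XCCDF_VALUE_config_path")
    try:
        text = open(path).read() if path else SAMPLE_CONFIG
    except OSError as exc:
        print(f"cannot read config: {exc}", file=sys.stderr)
        return RESULT_ERROR
    code, findings = audit_config(text)
    for name in findings:
        print(f"FAIL: {name}")  # stdout is captured by oscap into the check result
    return code

if __name__ == "__main__":
    sys.exit(main())
```

The exit status is the whole interface: oscap maps it back to pass/fail/error in the check-result file, so a script that logs in over SSH or SNMP instead of reading a saved config would return the same codes.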
