Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

[Boucher, William]

OK! I downloaded the latest scap-security-guide source from Git and built it 
for Ubuntu 1604. It compiles and runs!

Next challenge, during the compile it had trouble scanning the Oval file for 
controls it was to evaluate, and it marked all of those it didn’t find as “not 
applicable”. So I got a score of 100%, but none of the challenging controls 
were evaluated. (I used an oval file I found in the source tree but I guess it 
was not complete.)

Apparently I need more or better benchmark files for Ubuntu in the OpenSCAP 
“/usr/share/openscap” and “/usr/share/openscap/cpe” directories 
(openscap-cpe-dictionary.xml,  openscap-cpe-oval.xml, 
openscap-ubuntu1604-cpe-dictionary.xml and  openscap-ubuntu1604-cpe-oval.xml in 
the openscap/cpe directory and scap-ubuntu1604-oval.xml, 
scap-ubuntu1604-ocil.xml and scap-ubuntu-1604-ds.xml in the openscap directory).

These files do not appear to be in the source from Git and they were not 
installed with the libopenscap8 package. Google is not helping me with this 
challenge. Can you guys direct me to where I can find these files so I can 
build and run a complete scan of my system(s)?

Thank you!

        --Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Boucher, William
Sent: Monday, January 21, 2019 3:56 PM
To: 'Watson Sato' <ws...@redhat.com>
Cc: Newman, Stuart J. (GSFC-491.0)[KBRwyle] <stuart.j.new...@nasa.gov>; 
open-scap-list@redhat.com
Subject: RE: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

Stuart and Watson,

I found the packages for Ubuntu 18.04 (“cosmic”) but not for Ubuntu 16.04 
(“xenial”). The DISA STIG is written specifically for Ubuntu 16.04 
(“U_Canonical_16-04_LTS_V1R1_STIG.zip”). Am I not looking in the right place 
for the SSG?

I found the ssg packages for Ubuntu 18.04 at 
https://packages.ubuntu.com/search?suite=cosmic&searchon=names&keywords=ssg, 
but they are not in the 16.04 package listing at 
https://packages.ubuntu.com/search?suite=xenial&searchon=names&keywords=ssg.

Could they be in another repository for 16.04? (Note I am using the latest 
xenial, 16.04.5, which has the same Linux kernel as the latest cosmic release, 
4.15.)

Thank you for your help and patience,

                --Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Watson Sato [mailto:ws...@redhat.com]
Sent: Monday, January 7, 2019 7:58 AM
To: Boucher, William <william.bouc...@mza.com<mailto:william.bouc...@mza.com>>
Cc: Newman, Stuart J. (GSFC-491.0)[KBRwyle] 
<stuart.j.new...@nasa.gov<mailto:stuart.j.new...@nasa.gov>>; 
open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

Hello,


On Wed, Nov 28, 2018 at 5:39 PM Boucher, William 
<william.bouc...@mza.com<mailto:william.bouc...@mza.com>> wrote:
Stuart,

How do I get the current/latest scap security guide?

Latest pre-built content can be grabbed at 
https://github.com/ComplianceAsCode/content/releases, just download the zip 
file.

1)      I went to 
https://www.open-scap.org/security-policies/scap-security-guide/ and clicked on 
the Ubuntu symbol to get directions for installing it, but that gave message 
“The SCAP Security Guide package is not available on the Ubuntu distribution 
yet. Check for update.”
The website needs to updated, there are SCAP Security Guide packages for Ubuntu 
and Debian.

2)      “apt-get install scap-security-guide” produced the error “Unable to 
locate package scap-security-guide.”

It seems that the packages are named slightly different in Ubuntu, see: 
https://packages.ubuntu.com/source/disco/scap-security-guide

I did successfully install libopenscap8 (“apt-get install libopenscap8”).

All help is appreciated.

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
2021 Girard Blvd., SE, Suite 150
Albuquerque, New Mexico 87106
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Newman, Stuart J. (GSFC-491.0)[KBRwyle] 
[mailto:stuart.j.new...@nasa.gov<mailto:stuart.j.new...@nasa.gov>]
Sent: Wednesday, November 28, 2018 4:19 AM
To: Boucher, William <william.bouc...@mza.com<mailto:william.bouc...@mza.com>>; 
open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: RE: Benchmark for Canonical Ubuntu 16.04 LTS

The current (0.1.41) version of the scap security guide has Ubuntu benchmarks.

Stuart J Newman

[cid:image001.png@01D4B2F0.3EB2D6F0]

Engineer 4; Systems
NASA/Goddard Space Flight Center, Building 14 Room 252 |  Greenbelt, Maryland 
20771 |  USA
Office: +1 301. 286.5145 |  Mobile: +1443.878.6146  |  
stuart.j.new...@nasa.gov<mailto:stuart.j.new...@nasa.gov>


________________________________
This e-mail, including any attached files, may contain confidential and 
privileged information for the sole use of the intended recipient.  Any review, 
use, distribution, or disclosure by others is strictly prohibited.  If you are 
not the intended recipient (or authorized to receive information for the 
intended recipient), please contact the sender by reply e-mail and delete all 
copies of this message.

From: 
open-scap-list-boun...@redhat.com<mailto:open-scap-list-boun...@redhat.com> 
<open-scap-list-boun...@redhat.com<mailto:open-scap-list-boun...@redhat.com>> 
On Behalf Of Boucher, William
Sent: November 27, 2018 18:23
To: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS


Hi folks,

I am currently hardening an Ubuntu embedded system for delivery to a customer.

I have downloaded the “Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1” from DISA, 
and I have obtained a copy of the SCAP Compliance checker tool “SCC 5.0.2 
Ubuntu 16 AMD64”.

What I am missing is an SCAP Benchmark file for Ubuntu 16.04. Does one exist?

I would like to use OpenSCAP to harden then scan this IS. The Open-SCAP BASE 
page says that Ubuntu is supported, so I can get the tools installed. But 
without a benchmark how would I proceed from there?

Thank you,

        --Bill
William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
2021 Girard Blvd., SE, Suite 150
Albuquerque, New Mexico 87106
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com<mailto:Open-scap-list@redhat.com>
https://www.redhat.com/mailman/listinfo/open-scap-list


--
Watson Sato
Security Technologies | Red Hat, Inc

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list