Gary,
Is anybody looking at this on the development side (determining why so many
rules end up nonapplicable and if the passes and fails are the result of an
accurate evaluation)?
Thanks,
--Bill
William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
[email protected]
From: [email protected]
[mailto:[email protected]] On Behalf Of Boucher, William
Sent: Monday, February 4, 2019 9:04 AM
To: Gary Gapinski <[email protected]>
Cc: [email protected]
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS
Gary,
Similar results with Ubuntu 16.04. Not all results were notapplicable, score
was given as 25%.
After building openscap and ComplianceAsCode/content I ran:
    sudo oscap xccdf eval --profile standard --results ./xccdf-results.xml \
        --cpe /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml \
        /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml
    sudo oscap oval eval --results ./oval-results.xml \
        /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml
    sudo oscap xccdf generate report --oval-template ./oval-results.xml \
        ./xccdf-results.xml > ./report-xccdf-oval.html
15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.
Running:
    sudo oscap xccdf eval --profile standard --results-arf ./results-arf.xml \
        --report ./report-ds.html --results ./results-ds.xml \
        /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml
produced the same numbers in the ds-generated report.
I see the value in using the data stream. But the “notapplicable” items are
largely applicable and should be evaluated.
--Bill
From: Gary Gapinski [mailto:[email protected]]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William <[email protected]>
Cc: [email protected]
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS
On 1/25/19 10:33 AM, Boucher, William wrote:

> Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.

> If I am building OpenSCAP over my previous install of the libopenscap8 package,
> do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and
preferentially (via $PATH) rather than the one from the distro (or just not
install from the distro). I use cmake-gui ../ from within the openscap/build
directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak,
configure, generate; make; sudo make install). Installing on top of the distro
version will likely cause undesirable results.
I do not typically install ComplianceAsCode but simply access the content from
the cloned (and built) repo, but if you install it I think it best to choose
the same installation target (e.g., /usr/local) as that of OpenSCAP.
A functional (and available) install of OpenSCAP is a pre-requisite for
building ComplianceAsCode.
Regards,
Gary
--
Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959 — office
℡ +1 216 820 1849 — mobile
[email protected]