I can look but if your oxygen will run out before 48 hours you may wish to order out for extra.


On 2/4/19 11:05 AM, Boucher, William wrote:

Gary,

 

Is anybody looking at this on the development side (determining why so many rules end up nonapplicable and if the passes and fails are the result of an accurate evaluation)?

 

Thanks,

 

                --Bill

 

William B. Boucher, BSEE

Embedded Systems Software Engineer
Information Systems Security Manager

MZA Associates Corporation

4900 Lang Ave. NE, Suite 100

Albuquerque, NM 87109-9708

Phone: 505.245.9970 x166

Fax: 505.245.9971

Cell: 505.459.7620

william.bouc...@mza.com

 

From: open-scap-list-boun...@redhat.com [mailto:open-scap-list-boun...@redhat.com] On Behalf Of Boucher, William
Sent: Monday, February 4, 2019 9:04 AM
To: Gary Gapinski <gapin...@nasa.gov>
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

 

Gary,

 

Similar results with Ububtu 16.04. Not all results were notapplicable, score was given as 25%.

 

After building openscap and ComplianceAsCode/content I ran:

 

sudo oscap xccdf eval –profile standard –results ./xccdf-results.xml –cpe /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml

 

sudo oscap oval eval –results ./oval-results.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml

 

sudo oscap xccdf generate report –oval-template ./oval-results.xml ./xccdf-results.xml > ./report-xccdf-oval.html

 

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.

 

Running:

 

sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report ./report-ds.html –results ./results-ds.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

 

produced the same numbers in the ds-generated report.

 

I see the value in using the data stream. But the “notapplicable” items are largely applicable and should be evaluated.

 

                --Bill

 

William B. Boucher, BSEE

Embedded Systems Software Engineer
Information Systems Security Manager

MZA Associates Corporation

4900 Lang Ave. NE, Suite 100

Albuquerque, NM 87109-9708

Phone: 505.245.9970 x166

Fax: 505.245.9971

Cell: 505.459.7620

william.bouc...@mza.com

 

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William <william.bouc...@mza.com>
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

 

On 1/25/19 10:33 AM, Boucher, William wrote:

Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.

If I am building OpenSCAP over my previous install of the libopenscap8 package, do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and preferentially (via $PATH) rather than the one from the distro (or just not install from the distro). I use cmake-gui ../ from within the openscap/build directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, configure, generate; make; sudo make install). Installing on top of the distro version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from the cloned (and built) repo, but if you install it I think it best to choose the same installation target (e.g., /usr/local) as that of OpenSCAP.

A functional (and available) install of OpenSCAP is a pre-requisite for building ComplianceAsCode.

Regards,

Gary

--

Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
+1 216 433 3959 — office
+1 216 820 1849 — mobile
gapin...@nasa.gov


--
Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
+1 216 433 3959 — office
+1 216 820 1849 — mobile
gapin...@nasa.gov
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Reply via email to