Thanks Gary! Got your other note. Will look into your comments there and will pursue going after RedHawk 6.5 (my other task) using RedHat 5.5 OpenScap and DISA xccdf, oval, etc. for that (as suggested by RedHawk folks), if I get stuck on Ubuntu, to validate the current oscap process and work out any other issues first. Not out of oxygen yet!
William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
[email protected]

From: Gary Gapinski [mailto:[email protected]]
Sent: Monday, February 4, 2019 10:26 AM
To: Boucher, William <[email protected]>
Cc: [email protected]
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

I can look but if your oxygen will run out before 48 hours you may wish to order out for extra.

On 2/4/19 11:05 AM, Boucher, William wrote:

Gary,

Is anybody looking at this on the development side (determining why so many rules end up nonapplicable and if the passes and fails are the result of an accurate evaluation)?

Thanks,
--Bill

From: [email protected] [mailto:[email protected]] On Behalf Of Boucher, William
Sent: Monday, February 4, 2019 9:04 AM
To: Gary Gapinski <[email protected]>
Cc: [email protected]
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

Gary,

Similar results with Ubuntu 16.04. Not all results were notapplicable, score was given as 25%.
After building openscap and ComplianceAsCode/content I ran:

    sudo oscap xccdf eval --profile standard --results ./xccdf-results.xml --cpe /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml
    sudo oscap oval eval --results ./oval-results.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml
    sudo oscap xccdf generate report --oval-template ./oval-results.xml ./xccdf-results.xml > ./report-xccdf-oval.html

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.

Running:

    sudo oscap xccdf eval --profile standard --results-arf ./results-arf.xml --report ./report-ds.html --results ./results-ds.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

produced the same numbers in the ds-generated report. I see the value in using the data stream. But the "notapplicable" items are largely applicable and should be evaluated.

--Bill

From: Gary Gapinski [mailto:[email protected]]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William <[email protected]>
Cc: [email protected]
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

On 1/25/19 10:33 AM, Boucher, William wrote:

Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.

If I am building OpenSCAP over my previous install of the libopenscap8 package, do I need to remove libopenscap8 first or can I just make-install over it?
I place the OpenSCAP install in /usr/local and ensure it is used separately and preferentially (via $PATH) rather than the one from the distro (or just not install from the distro). I use cmake-gui ../ from within the openscap/build directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, configure, generate; make; sudo make install).

Installing on top of the distro version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from the cloned (and built) repo, but if you install it I think it best to choose the same installation target (e.g., /usr/local) as that of OpenSCAP. A functional (and available) install of OpenSCAP is a pre-requisite for building ComplianceAsCode.

Regards,
Gary

--
Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959 — office
℡ +1 216 820 1849 — mobile
[email protected]
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
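
A way to triage the result mix reported in the thread, as an added example that is not code from the posters or the OpenSCAP project: it tallies the rule-result outcomes in an XCCDF results file (such as the one written by `--results`) and lists the rules that came back notapplicable or unknown. The sample XML and its rule ids are constructed, and the function names are this example's own.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample shaped like an `oscap xccdf eval --results` file.
# Rule ids are invented for illustration, not taken from the SSG content.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
 <TestResult id="sample_testresult">
  <rule-result idref="sample_rule_a"><result>pass</result></rule-result>
  <rule-result idref="sample_rule_b"><result>pass</result></rule-result>
  <rule-result idref="sample_rule_c"><result>fail</result></rule-result>
  <rule-result idref="sample_rule_d"><result>unknown</result></rule-result>
  <rule-result idref="sample_rule_e"><result>notapplicable</result></rule-result>
  <rule-result idref="sample_rule_f"><result>notapplicable</result></rule-result>
  <rule-result idref="sample_rule_g"><result>notapplicable</result></rule-result>
  <rule-result idref="sample_rule_h"><result>notselected</result></rule-result>
 </TestResult>
</Benchmark>"""

DEFINITIVE = {"pass", "fail", "fixed"}  # results where a check really ran


def local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]


def summarize(xml_text):
    """Return (count per result, rule ids grouped by result)."""
    counts, by_result = Counter(), defaultdict(list)
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "rule-result":
            continue
        result = next((c.text.strip() for c in el
                       if local(c.tag) == "result" and c.text), "missing")
        counts[result] += 1
        by_result[result].append(el.get("idref"))
    return counts, by_result


def coverage(counts):
    """(rules with a definitive result, rules selected by the profile)."""
    selected = sum(n for r, n in counts.items() if r != "notselected")
    return sum(counts[r] for r in DEFINITIVE), selected


if __name__ == "__main__":
    # Pass a results file path, or run with no argument to use the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    counts, by_result = summarize(text)
    print(dict(counts), "definitive/selected = %d/%d" % coverage(counts))
    for rule in by_result["notapplicable"] + by_result["unknown"]:
        print("needs review:", rule)
```

A low definitive-to-selected ratio means the reported score rests on only a few checks, so the listed rules are the ones to examine before trusting the percentage.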
