Thanks Gary! Got your other note. Will look into your comments there and will 
pursue going after RedHawk 6.5 (my other task) using RedHat 5.5 OpenScap and 
DISA xccdf, oval, etc. for that (as suggested by RedHawk folks), if I get stuck 
on Ubuntu, to validate the current oscap process and work out any other issues 
first. Not out of oxygen yet!

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Monday, February 4, 2019 10:26 AM
To: Boucher, William <william.bouc...@mza.com>
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

I can look but if your oxygen will run out before 48 hours you may wish to 
order out for extra.


On 2/4/19 11:05 AM, Boucher, William wrote:
Gary,

Is anybody looking at this on the development side (determining why so many 
rules end up nonapplicable and if the passes and fails are the result of an 
accurate evaluation)?

Thanks,

                --Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: 
open-scap-list-boun...@redhat.com<mailto:open-scap-list-boun...@redhat.com> 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of Boucher, William
Sent: Monday, February 4, 2019 9:04 AM
To: Gary Gapinski <gapin...@nasa.gov><mailto:gapin...@nasa.gov>
Cc: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

Gary,

Similar results with Ububtu 16.04. Not all results were notapplicable, score 
was given as 25%.

After building openscap and ComplianceAsCode/content I ran:

sudo oscap xccdf eval –profile standard –results ./xccdf-results.xml –cpe 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml

sudo oscap oval eval –results ./oval-results.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml

sudo oscap xccdf generate report –oval-template ./oval-results.xml 
./xccdf-results.xml > ./report-xccdf-oval.html

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.

Running:

sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report 
./report-ds.html –results ./results-ds.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

produced the same numbers in the ds-generated report.

I see the value in using the data stream. But the “notapplicable” items are 
largely applicable and should be evaluated.

                --Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William <william.bouc...@mza.com<mailto:william.bouc...@mza.com>>
Cc: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

On 1/25/19 10:33 AM, Boucher, William wrote:
Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.
If I am building OpenSCAP over my previous install of the libopenscap8 package, 
do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and 
preferentially (via $PATH) rather than the one from the distro (or just not 
install from the distro). I use cmake-gui ../ from within the openscap/build 
directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, 
configure, generate; make; sudo make install). Installing on top of the distro 
version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from 
the cloned (and built) repo, but if you install it I think it best to choose 
the same installation target (e.g., /usr/local) as that of OpenSCAP.

A functional (and available) install of OpenSCAP is a pre-requisite for 
building ComplianceAsCode.

Regards,

Gary
--
Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959<tel:+1%20216%20433%203959> — office
℡ +1 216 820 1849<tel:+1%20216%20820%201849> — mobile
gapin...@nasa.gov<mailto:gapin...@nasa.gov>


--

Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959<tel:+1%20216%20433%203959> — office
℡ +1 216 820 1849<tel:+1%20216%20820%201849> — mobile
gapin...@nasa.gov<mailto:gapin...@nasa.gov>
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Reply via email to