Hello,

Thank you! I am using the all_rules profile to compare currently developed SCAP rules to the checks carried out by SECSCN. For some of the auditing checks that SECSCN runs this may be difficult, but I hope to prove that SCAP is just as comprehensive.

I guess this has turned into an OVAL-oriented question concerning how it defines system objects. I think at this point a fail/pass value and a well-described rule should be more than enough for a system administrator to find and address whatever caused a "fail".

Luke Kordell

________________________________________
From: [email protected] [[email protected]] on behalf of Shawn Wells [[email protected]]
Sent: Thursday, October 31, 2013 11:52 AM
To: [email protected]
Subject: EXTERNAL: Re: SECSCN and all_rules profile

On 10/31/13, 12:51 PM, Kordell, Luke T wrote:
> Hello,
>
> I thought it would be useful to generate an "all_rules" profile to help us
> in the requirements-gathering phase of a profile development. To create this
> profile I grepped the .xml files contained in the system and services
> directories for "Rule id=" and used the output to create an all_rules
> profile. The all_rules profile and CS2 profile list 388 rules while the STIG
> lists 389. I expected the all_rules profile to have more rules than either
> since it should contain at least all the rules called by both CS2 and the
> STIG. Are there rules in other directories, or am I missing something else?

You're correct - something is off here.

The STIG profile has 251 rules:
> [shawn@SSG-RHEL6 input]$ pwd
> /var/www/html/scap-security-guide/RHEL6/input
> [shawn@SSG-RHEL6 input]$ grep -rin "<select id" profiles/common.xml profiles/stig-rhel6-server.xml | wc -l
> 251

The CS2 profile has 318:
> [shawn@SSG-RHEL6 input]$ grep -rin "<select id" profiles/CS2.xml | wc -l
> 318

And the total available rules:
> [shawn@SSG-RHEL6 input]$ grep -ri "<rule id" services/ system/ | wc -l
> 385

If you wanted to create an XCCDF profile with everything, a quick hack job would be:
> [shawn@SSG-RHEL6 input]$ grep -ri "<rule id" services/ system/ | awk -F: '{print $2}' | \
>     sed 's/Rule id/select idref/g' > profiles/scan_everything.xml
>
> [shawn@SSG-RHEL6 input]$ echo -e "<Profile id=\"scan_everything\">\n \
>     <description>I'm going to scan everything, because I'm kinda crazy :)</description>\n \
>     $(cat profiles/scan_everything.xml)" > profiles/scan_everything.xml
>
> [shawn@SSG-RHEL6 input]$ echo "</Profile>" >> profiles/scan_everything.xml

If you don't want to take the default refine values (such as for password lengths), you'll have 49 tunables to incorporate into the profile:
> [shawn@SSG-RHEL6 input]$ grep -rin "<Value id" * | wc -l
> 49

Note that in the XCCDF these are expressed as value IDs, whereas XCCDF profiles need the <refine value= tags. A quick sed one-liner should take care of this for you, if there's a need.

Once the profile is created, add the relevant lines to input/guide.xslt and then (re)run "make content".

> I have been comparing SECSCN output to the STIG and CS2 profiles and
> thus far it has raised a couple questions. First SECSCN lists the bash
> commands it uses to gather its results and lists the exact reasons for a
> failed test. Are there plans to include this capability in the future or
> would this be handled by a scanning automation tool like oscap?

SECSCN utilizes shell scripting to perform the configuration checks, which makes it easier to show the command(s) used to perform a particular test. Since we're using OVAL.... well.... things would get incredibly ugly (and arguably confusing to the average user) if we dumped the OVAL code into the result output.

Failure reasons -- such as giving the piece of a config file or system element that caused the failure -- are up for debate. Here's an example of how a few checks looked on RHEL5. Unless someone is feeling ambitious, I wouldn't expect this anytime soon.
http://blog-shawndwells.rhcloud.com/wp-content/uploads/2012/10/stigscanresults-beforeaqueduct.html#ruleresult-idp28747760

For Certification Test Plan type docs, this table might help:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-stig-rhel6.html

While this one is for the STIG, per-profile tables are reasonable to create.

> What component of SCAP and/or OVAL is linked to bash? Is it possible to get
> access to this underlying source-code for modification purposes?

Francisco Slavin of Tresys wrote RHEL6/transforms/xccdf-addfixes.xslt to merge things together. In short, for every XCCDF rule, the script checks to see if there is a bash script within the RHEL6/input/fixes/bash directory of the same name. If so, the script combines things together automagically during the Make process.

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
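The scan_everything procedure from the thread (collect the Rule ids, wrap them in a Profile, then pin the tunable Values with refine-value) done with an XML parser instead of grep/awk/sed, as an added example that is not from this thread or from the SCAP Security Guide project. The input files, directory layout and ids are constructed stand-ins for RHEL6/input, and selector_for is an assumed mapping from a Value id to the selector you want that profile to refine to.

```python
"""Select-everything XCCDF Profile from SSG-style input. Added example, not code
from the thread or the SCAP Security Guide project; SAMPLE_FILES is a constructed
stand-in for RHEL6/input (one Rule tag wraps lines, one exists only in a comment)."""
import os, pathlib, re, tempfile
import xml.etree.ElementTree as ET
SAMPLE_FILES = {
    "system/accounts.xml": """<Group id="accounts">
  <Rule id="accounts_password_minlen" severity="medium"/>
  <Rule severity="low"
        id="accounts_max_concurrent_login_sessions"/>
  <!-- <Rule id="accounts_retired_rule"/> dropped long ago -->
  <Value id="var_password_min_len" type="number"><value>14</value><value selector="12">12</value></Value>
</Group>""",
    "services/ssh.xml": '<Group id="ssh"><Rule id="sshd_disable_root_login"/></Group>',
}

def write_sample_tree():
    """Materialise SAMPLE_FILES under a temp dir and return its path."""
    base = pathlib.Path(tempfile.mkdtemp())
    for rel, text in SAMPLE_FILES.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(text)
    return str(base)

def xml_files(input_dir):
    return sorted(os.path.join(r, f) for r, _, fs in os.walk(input_dir)
                  for f in fs if f.endswith(".xml"))

def collect(input_dir):
    """(rule_ids, value_ids) as an XML parser sees them; comments are ignored."""
    rules, values = [], []
    for tree in map(ET.parse, xml_files(input_dir)):
        rules += [r.get("id") for r in tree.iter("Rule") if r.get("id")]
        values += [v.get("id") for v in tree.iter("Value") if v.get("id")]
    return rules, values

def grep_style_ids(input_dir):
    """The thread's line-matching heuristic, kept only for comparison."""
    return [m.group(1) for p in xml_files(input_dir) for line in open(p)
            for m in [re.search(r'Rule id="([^"]+)"', line)] if m]

def build_profile(rule_ids, value_ids, selector_for, profile_id="scan_everything"):
    # Select every Rule; emit a refine-value only for Values that selector_for pins.
    prof = ET.Element("Profile", id=profile_id)
    ET.SubElement(prof, "title").text = "Every rule in the input tree"
    for rid in rule_ids:
        ET.SubElement(prof, "select", idref=rid, selected="true")
    for vid in value_ids:
        if vid in selector_for:
            ET.SubElement(prof, "refine-value", idref=vid, selector=selector_for[vid])
    return ET.tostring(prof, encoding="unicode")
```

It also shows one way a line-oriented grep for "Rule id=" can disagree with a parser's count: a start tag wrapped across lines is missed and a commented-out Rule is counted.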
