I might be more concerned that the "non-rh_packages" Rule would drive developers to /not/ package software into RPMs at all.
But of course, I have very little context with regard to when/how this CCP profile would be exercised. It's certainly possible to add these sorts of things to the project in a manner that makes explicit their specialized scenario.

On Wed, Nov 6, 2013 at 10:33 AM, Haynes, Dan <[email protected]> wrote:
> Hi Matt,
>
> A few quick comments inline.
>
> Thanks,
> Danny
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Matthew Mariani
> Sent: Tuesday, November 05, 2013 11:07 AM
> To: [email protected]
> Subject: Fwd: Additional Checks for RH Cloud Provider Profile (rht-ccp)
>
> Hi SSG Team,
>
> I'm making some progress here with code to check for non-RH packages (Huge thanks to Danny Hynes). Two questions:
>
> 1. The XCCDF rule (Rule id="non-rh_packages") is evaluating to True if there are non-RH packages. My understanding is a 'True' results in a Pass of the rule - is that correct? However, I want True to result in a fail. How to make that happen?
>
> The SCAP specifications provide a table that maps OVAL results to XCCDF results (http://scap.nist.gov/revision/index.html). In the SCAP 1.2 specification, specifically Section 4.5.2, it says:
>
> * definitions with class="compliance" or class="inventory"
>   - "true" maps to "Pass"
>   - "false" maps to "Fail"
>
> * definitions with class="vulnerability" or class="patch"
>   - "false" maps to "Pass"
>   - "true" maps to "Fail"
>
> You may also want to consider joining the XCCDF and OVAL mailing lists as these are good places to ask questions about the specifications.
>
> http://scap.nist.gov/specifications/xccdf/
> http://oval.mitre.org/community/registration.html
>
> 2. In order to get past this non-RH package check, the openscap* and scap* packages need to be ignored. I tried adding filter exclusion statements on the rpminfo_object; however, can't get past an error so I must have something wrong. Suggestions?
>
> ......
>
> <linux:rpminfo_object id="oval:ssg:obj:10101" version="1" comment="Collect all rpms and exclude those signed by Red Hat and exclude those from scap and openscap.">
>   <linux:name operation="pattern match">.*</linux:name>
>   <filter action="exclude">oval:ssg:ste:10101</filter>
>   <!-- Matt: Adding these exclude statements causes the OpenSCAP error below -->
>   <filter action="exclude">oval:ssg:ste:10102</filter>
>   <filter action="exclude">oval:ssg:ste:10103</filter>
> </linux:rpminfo_object>
>
> .....
>
> [root@rhel6client ~]# ./run_rht_scap_new
> Title   Ensure /tmp Located On Separate Partition
> Rule    partition_for_tmp
> Ident   CCE-26435-8
> Result  fail
>
> Title   All packages should be RH signed package
> Rule    non-rh_packages
> Ident   (null)
> Result  unknown
>
> OpenSCAP Error: No definition with ID: oval:ssg:def:10101 in result model. [oval_agent.c:180]
>
> Unfortunately, I am not sure about this error. It sounds like when it tries to output the results, it is looking for oval:ssg:def:10101, but can't find it. It sounds like this might be a good question for the OpenSCAP list.
>
> Also, I found this (http://blog-shawndwells.rhcloud.com/wp-content/uploads/2012/07/2013-03-25-SCAP-Workshop-Coursebook.pdf), if you haven't seen it. It may help you with the content development.
>
> Attached is a shortened version to show the relevant code additions in the ssg XCCDF and OVAL files.
>
> Thanks in advance for any help.
> -Matt
>
> ________________________________
> From: "Matthew Mariani" <[email protected]>
> To: [email protected]
> Cc: "Karl Stevens" <[email protected]>
> Sent: Thursday, October 31, 2013 10:32:29 AM
> Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp)
>
> + the attachment for #2
>
> ________________________________
> From: "Matthew Mariani" <[email protected]>
> To: [email protected]
> Cc: "Karl Stevens" <[email protected]>
> Sent: Thursday, October 31, 2013 10:30:37 AM
> Subject: Additional Checks for RH Cloud Provider Profile (rht-ccp)
>
> Hi SSG team,
>
> For the CCP profile recently added, I would like to add new RHEL6 checks for the bullets below.
>
> 1. Cloud image disk checks - do these checks exist already?
>    a.) Minimum Disk - 6GB
>    b.) Available Disk - 4GB or more
> 2. Non-RH packages installed on the RHEL system - ** For this one, on the open-scap-list, Danny Hynes provided the attached OVAL definition, but I'm not sure how to build that into the rht-ccp profile. Does anyone have an example?
>
> Any guidance on how to proceed is appreciated.
>
> Thanks,
> -Matt
>
> ________________________________
> From: "Matthew Mariani" <[email protected]>
> To: [email protected]
> Sent: Tuesday, October 15, 2013 2:22:25 PM
> Subject: Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
>
> As recommended, moving this thread to the SSG mailing list.
>
> Background: We are working on developing an SSG profile definition for RH certified cloud providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat packages installed on the system. The question to the group is: are there any recommendations or examples on how this may have been done previously? As an example, suppose a cloud image has a monitoring package or hypervisor para-virt rpms installed; I want to be made aware and have those reported by the check.
> An OVAL path was suggested below.
>
> Does anyone have additional guidance on how/if I can do this with SCAP-related tools?
>
> Thanks,
> -Matt
>
> Matthew Mariani
> Partner Solution Architect
> M: +1-717-756-6834
> [email protected]
>
> ________________________________
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Sunday, October 13, 2013 11:30:26 PM
> Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
>
> On 10/10/13 4:44 PM, Matthew Mariani wrote:
>
> Danny,
> Thanks, very helpful.
> -Matt
>
> ________________________________
> From: "Dan Haynes" <[email protected]>
> To: "Matthew Mariani" <[email protected]>, [email protected]
> Sent: Wednesday, October 9, 2013 2:45:35 PM
> Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example.
>
> Hi Matthew,
> Comments inline below. Hope this helps.
>
> Thanks,
> Danny
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Matthew Mariani
> Sent: Wednesday, October 09, 2013 1:11 PM
> To: [email protected]
> Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.
>
> Hi list,
>
> SCAP newbie here. I'm working with the attached XCCDF profile definition to be used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security profile. I have two questions:
>
> 1. I believe I need additional XML syntax in the file to have valid XCCDF content. When I try both testing with the 'info' function and running an 'eval', I get an Unknown document type error.
>
> [root@rhel6client ~]# oscap info rht-ccp.xml
> OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
>
> [root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results /root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
> Profile "rht-ccp" was not found.
>
> Looking at some of the xccdf examples referenced here http://www.open-scap.org/page/Documentation, I'm thinking I need a <Benchmark> wrapper around my profile. Am I on the right track, and if so is there a basic <Benchmark> syntax example available? I'm finding it difficult to id what's required and what's not in examples referenced on the Documentation page.
>
> [Danny]: Yes, you will need to include the <Benchmark> component. You may want to look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project (https://fedorahosted.org/scap-security-guide/). It should serve as a good example and you may be able to reuse some of the content. They also have some tools that you could leverage to help generate the content.
>
> Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG:
> https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=363324350a1c4efe4dceefa3e309865fc54913b6
>
> You should now be able to clone the source and run a scan:
> https://fedorahosted.org/scap-security-guide/wiki/downloads
>
> aka
> $ sudo yum install git openscap-utils python-lxml
> $ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd scap-security-guide/RHEL6
> $ make content
> $ sudo oscap xccdf eval --profile rht-ccp \
>     --results /root/ssg-results-`date`.xml \
>     --report /root/ssg-results-`date`.html \
>     --cpe output/ssg-rhel6-cpe-dictionary.xml \
>     output/ssg-rhel6-xccdf.xml
>
> 2. Looking forward, in addition to these XCCDF checks, I have the need to detect non-RedHat signed packages installed on the system. Does anyone have guidance on how/if I can do that with SCAP tools? As an example, suppose a cloud image has a monitoring package or hypervisor para-virt rpms installed; I want to be made aware and have those reported by the check.
>
> [Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL, which is a language for checking the state of an endpoint. There is the linux-def:rpminfo_test (http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd) which you can use to check various metadata about the packages installed on the system, including the signature key ID. With that in mind, you should be able to collect all RPMs on the system and filter out any RPMs that are signed by Red Hat, leaving only those that haven't been signed by Red Hat. I have attached an OVAL definition which shows how you might do this. Of course, you may need to modify it to include the appropriate signature key IDs.
>
> Any help is appreciated. Thanks,
> -Matt
>
> Since this is largely content related, feel free to kick over the conversation to the SSG mailing list:
> https://fedorahosted.org/scap-security-guide/
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
> Our friends and allies within the OpenSCAP tooling community let us content guys play here, but content questions (for SSG) should be kicked over to the SSG community list :)
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
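The pattern the thread converges on (collect every installed RPM, exclude the ones signed by Red Hat, and have the rule fail when anything is left) is worked out below as a complete OVAL 5.10 definition followed by the XCCDF Rule that references it. This is an added example written for this archive page; it is not Matt's attachment, Danny's attachment, or content shipped by scap-security-guide. The ids (oval:example:*), the Red Hat release key ID 199e2f91fd431d51, the tolerated openscap|scap package-name prefix and the OVAL file name ssg-rhel6-oval.xml are all assumptions: confirm the key ID on a real RHEL 6 host with rpm -q --qf '%{SIGPGP:pgpsig}\n' before relying on it. The fence holds two fragments, one per file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment 1: OVAL definitions file (assumed name: ssg-rhel6-oval.xml).
     Added example, not project content. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
                  xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <generator>
    <oval:product_name>hand-written example</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2013-11-06T00:00:00</oval:timestamp>
  </generator>

  <definitions>
    <!-- class="compliance": per SCAP 1.2 section 4.5.2, OVAL "true" maps to
         XCCDF "pass" and "false" to "fail". So the definition is written to
         be true on a clean host: "no non-Red-Hat packages exist". -->
    <definition id="oval:example:def:1" version="1" class="compliance">
      <metadata>
        <title>All installed packages are signed by Red Hat</title>
        <description>Fails if any installed RPM is not signed with the Red Hat
        release key, except the tolerated openscap*/scap* build packages.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:example:tst:1"
                   comment="no packages remain after excluding Red Hat signed and tolerated ones"/>
      </criteria>
    </definition>
  </definitions>

  <tests>
    <!-- check_existence="none_exist": the test is true only when the filtered
         object collects zero items, i.e. when every leftover package has been
         excluded. Unsigned packages have no matching key ID, so they remain
         and make the test false. No state is needed on the test itself. -->
    <linux:rpminfo_test id="oval:example:tst:1" version="1"
                        check="all" check_existence="none_exist"
                        comment="non-Red-Hat packages present">
      <linux:object object_ref="oval:example:obj:1"/>
    </linux:rpminfo_test>
  </tests>

  <objects>
    <!-- Collect every RPM, then drop (filter action="exclude") the items that
         match either state. filter is in the default (oval-definitions-5)
         namespace, not the linux one. -->
    <linux:rpminfo_object id="oval:example:obj:1" version="1"
                          comment="all RPMs minus Red Hat signed and tolerated packages">
      <linux:name operation="pattern match">.*</linux:name>
      <filter action="exclude">oval:example:ste:1</filter>
      <filter action="exclude">oval:example:ste:2</filter>
    </linux:rpminfo_object>
  </objects>

  <states>
    <!-- Assumption: RHEL 6 packages are signed with release key 2, whose
         16-hex-digit key ID is 199e2f91fd431d51. Add one state per additional
         key (e.g. a legacy or auxiliary key) if the host uses others. -->
    <linux:rpminfo_state id="oval:example:ste:1" version="1"
                         comment="signed with the Red Hat release key (assumed ID)">
      <linux:signature_keyid operation="equals">199e2f91fd431d51</linux:signature_keyid>
    </linux:rpminfo_state>
    <!-- Assumption: locally built scanner packages are tolerated by name. -->
    <linux:rpminfo_state id="oval:example:ste:2" version="1"
                         comment="openscap*/scap* packages are tolerated">
      <linux:name operation="pattern match">^(openscap|scap)</linux:name>
    </linux:rpminfo_state>
  </states>
</oval_definitions>

<!-- Fragment 2: the Rule inside the XCCDF Benchmark. The check-content-ref
     names the definition above; because that definition is class="compliance",
     a clean host yields OVAL true and therefore XCCDF pass. -->
<Rule id="non-rh_packages" selected="true" severity="medium">
  <title>All installed packages are signed by Red Hat</title>
  <description>Every RPM on a certified cloud image must carry a Red Hat
  signature so that third-party agents and para-virt drivers are reported.</description>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref href="ssg-rhel6-oval.xml" name="oval:example:def:1"/>
  </check>
</Rule>
```

Two design points. First, inverting the logic in the OVAL (assert "none remain" rather than "some exist") keeps the definition in class compliance, which is what the rest of the SSG content uses, instead of switching it to class vulnerability just to flip the result mapping. Second, the exclusion filters only remove items whose key ID equals the listed one, so a package signed by an unknown key or not signed at all is never silently accepted; if a host legitimately uses more than one Red Hat key, each key needs its own state and its own exclude filter.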
