I almost forgot -- I just posted a CentOS 6.5 vagrant box pre-configured to the "server" baseline profile. OpenSCAP, SSG, and GovReady are already installed. So it is a good learning machine.

https://github.com/GovReady/govready-centos-6.5-x86_64-noX_server_vagrant

Greg Elin
http://govready.org - Making FISMA compliance easier for innovators
email: [email protected]
phone: 917-304-3488

On Sat, Jan 10, 2015 at 2:54 PM, Greg Elin <[email protected]> wrote:
> Lesley,
>
> I know how you feel. SCAP seems like it should be easy because it is "just XML". Then you dig into looking for a test and it gets confusing fast.
>
> SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerd settings. Let me emphasize that: *SCAP is not a single XML specification -- SCAP is multiple standards and specs*. Whenever you give "SCAP Content" to a scanner to check a system configuration you are giving the scanner multiple XML files representing multiple standards.
>
> - XCCDF describes the checklist (Extensible Configuration Checklist Description Format). [1]
> - CCE are unique identifiers and descriptive material for specific configuration settings (Common Configuration Enumeration). [1]
> - OVAL is the XML that describes tests, including multi-part tests, that assess if a CCE-identified configuration setting is correct on a system (Open Vulnerability Assessment Language). [1]
> - CPE is a unique string of text to uniquely identify a "platform" of software, hardware, or application (Common Platform Enumeration). The idea is that the CPE string can be used to associate a checklist (XCCDF), a configuration setting (CCE) or test (OVAL) with a specific platform. (Oy!) [1]
>
> And the list goes on. But to understand how to use SCAP-Security-Guide on CentOS we only need to worry about XCCDF, CCE, OVAL, and CPE. (At least I think...)
>
> Almost all RHEL CCE's (config settings) and OVAL (test criterion) work on CentOS. The exceptions are those settings/tests like the RHEL GPG key installed which only make sense in relation to a RHEL subscription and do not apply to CentOS.
>
> So why does OpenSCAP run SCAP-Security-Guide on CentOS, but the results come back "not applicable?" Two reasons:
> 1) Because the XCCDF in RHEL refers to a CPE XML file that specifies RHEL and not CentOS.
> 2) Because the CPE platform string is verified with an OVAL test that checks the RPMs for platform identification.
>
> Thus, to get OpenSCAP to work on CentOS, we need to tell OpenSCAP to use a CPE-dictionary.xml file that includes a CPE string for CentOS *and* we need to have a corrected OVAL test that validates we are on CentOS.
>
> And how do we do this reliably? Part of what I'm trying to do with my software, GovReady [2], is to make things like this easier.
>
> But you don't have to use GovReady. If you read the CentOS quick start in the GovReady README, you will see a link to a CentOS ssg-centos6-cpe-oval.xml and ssg-centos6-cpe-oval.xml file that make the necessary adjustments. You just need to copy them to your local CentOS server and then correctly specify their path when running OpenSCAP. Like so:
>
> oscap xccdf eval --oval-results --profile server --cpe scap/content/ssg-centos6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
>
> Alternatively, you could manually update the CPE and OVAL XML file (e.g., using a sed statement).
>
> It's still kind of confusing for me. So I hope I have the above correct.
>
> [1] http://wiki.gentoo.org/wiki/SCAP
> [2] https://github.com/GovReady/govready
>
> Greg Elin
> http://govready.org - Making FISMA compliance easier for innovators
> email: [email protected]
> phone: 917-304-3488
>
> On Fri, Jan 9, 2015 at 5:20 AM, Simon Lukasik <[email protected]> wrote:
>> On 01/08/2015 09:04 PM, Lesley Kimmel wrote:
>>> I just downloaded the RHEL7 SCAP content and was 'playing' with it on a CentOS 6 system. I found that in order to make the checks run I needed to add 'cpe:/o:centos:centos:6' in a <platform> tag near the beginning of the XCCDF component. I found this, in part, from various posts on the interwebs. I'm really curious how this validation occurs and where the information comes from on the target OS. Can anyone give me insight into this issue?
>>
>> If you really wish to understand the things, your best bet would be to read the actual standards.
>>
>> For example the XCCDF Standard document (NIST Interagency Report 7275) gives basic insight into CPE matching.
>>
>> Best regards,
>>
>> --
>> Simon Lukasik
>> Security Technologies, Red Hat, Inc.
>> --
>> SCAP Security Guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>> https://github.com/OpenSCAP/scap-security-guide/
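Greg's two reasons for "not applicable" (the platform is missing from the CPE dictionary, or the dictionary's OVAL inventory test fails on the host) walked through as an added Python example; this is not code from the thread, SSG or GovReady. The CPE dictionary and OVAL documents are constructed, trimmed-down samples in the shape of the real schemas, and a dict of installed RPM versions stands in for the host's rpm database.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed-down CPE dictionary: each platform points at an OVAL inventory definition.
CPE_DICT = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0">
 <cpe-item name="cpe:/o:redhat:enterprise_linux:6">
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="cpe-oval.xml">oval:ssg-rhel6:def:1</check>
 </cpe-item>
 <cpe-item name="cpe:/o:centos:centos:6">
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="cpe-oval.xml">oval:ssg-centos6:def:1</check>
 </cpe-item>
</cpe-list>"""
# Constructed OVAL: each inventory definition is a single rpminfo test on the release package.
CPE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 <definitions>
  <definition id="oval:ssg-rhel6:def:1" class="inventory"><criteria><criterion test_ref="oval:t:rhel6"/></criteria></definition>
  <definition id="oval:ssg-centos6:def:1" class="inventory"><criteria><criterion test_ref="oval:t:centos6"/></criteria></definition>
 </definitions>
 <tests>
  <lin:rpminfo_test id="oval:t:rhel6" check="all"><lin:object object_ref="oval:o:rhel6"/><lin:state state_ref="oval:s:v6"/></lin:rpminfo_test>
  <lin:rpminfo_test id="oval:t:centos6" check="all"><lin:object object_ref="oval:o:centos6"/><lin:state state_ref="oval:s:v6"/></lin:rpminfo_test>
 </tests>
 <objects>
  <lin:rpminfo_object id="oval:o:rhel6"><lin:name>redhat-release-server</lin:name></lin:rpminfo_object>
  <lin:rpminfo_object id="oval:o:centos6"><lin:name>centos-release</lin:name></lin:rpminfo_object>
 </objects>
 <states>
  <lin:rpminfo_state id="oval:s:v6"><lin:version operation="pattern match">^6</lin:version></lin:rpminfo_state>
 </states>
</oval_definitions>"""
NS = {"cpe": "http://cpe.mitre.org/dictionary/2.0", "ov": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

def platform_applies(cpe_name, installed, cpe_dict=CPE_DICT, oval_xml=CPE_OVAL):
    """True only if the CPE is listed in the dictionary (reason 1) and every rpminfo criterion of
    its inventory definition passes against `installed`, a constructed {rpm: version} map (reason 2)."""
    item = ET.fromstring(cpe_dict).find(f"cpe:cpe-item[@name='{cpe_name}']", NS)
    if item is None:
        return False  # platform unknown to the dictionary -> every rule comes back "not applicable"
    oval = ET.fromstring(oval_xml)
    def_id = item.find("cpe:check", NS).text  # the <check> element names the OVAL definition to run
    definition = oval.find(f"ov:definitions/ov:definition[@id='{def_id}']", NS)
    for crit in definition.iter("{%s}criterion" % NS["ov"]):
        test = oval.find(f"ov:tests/lin:rpminfo_test[@id='{crit.get('test_ref')}']", NS)
        obj_ref, state_ref = test.find("lin:object", NS).get("object_ref"), test.find("lin:state", NS).get("state_ref")
        rpm = oval.find(f"ov:objects/lin:rpminfo_object[@id='{obj_ref}']/lin:name", NS).text
        pattern = oval.find(f"ov:states/lin:rpminfo_state[@id='{state_ref}']/lin:version", NS).text
        if rpm not in installed or not re.match(pattern, installed[rpm]):
            return False  # the OVAL platform test fails on this host
    return True
```

With only the stock RHEL entry in the dictionary, a CentOS host fails at the rpminfo test because redhat-release-server is absent; adding the CentOS entry and its matching OVAL definition is what makes the checklist apply.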
