Re: [Open-scap] Open SCAP for Windows

2017-02-09 Thread Mohanraj, Bharath
Thank you for the detailed explanation, Jan. I will discuss this with my team 
here and will get back to you.

Regards,
Bharath M

-Original Message-
From: Jan Cerny [mailto:jce...@redhat.com] 
Sent: Thursday, February 09, 2017 1:55 PM
To: Mohanraj, Bharath
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Open SCAP for Windows

Hi Bharath,

We're very pleased that you're interested in OpenSCAP project.

Indeed, OpenSCAP is a great tool for evaluating compliance with a given
security policy for bare-metal machines, virtual machines and also containers.

Actually, OpenSCAP was designed to be able to integrate with other products,
and it already is integrated with system management solutions like ManageIQ,
Red Hat Satellite, and Project Atomic.

I will try to answer your questions.

ad 1) Define a security policy (SCAP Content):

First of all, I'd like to mention that our project "SCAP Security Guide" [1]
provides tested and verified SCAP Content for various systems.
It implements popular security benchmarks like PCI-DSS, STIG or USGCB.
Windows is not currently supported by SCAP Security Guide, but that's
just because nobody started implementing it. It's an open-source project,
so any contributions are welcome :-)

Secondly, if the content provided by "SCAP Security Guide" doesn't exactly
fit user's needs, it can be easily customized by a GUI tool called
SCAP Workbench.

Also, we in OpenSCAP strongly focus on compliance with SCAP standards
as defined by specification. That means OpenSCAP is able to evaluate any
SCAP content that you can obtain from third-party sources (there are many
available) or create yourself.

Unfortunately, we don't provide any "SCAP editor" that would enable
to create security policies from scratch for people with any knowledge
of respective SCAP standards. That's mainly because of complexity of 
the standards, so people rather prefer to have SCAP content written
by security experts than spending weeks by struggling with SCAP languages.


ad 2) Scan a Windows machine:

We can't scan Windows machines now, because we haven't implemented
Windows checks yet.

Fortunately, our developer Raphael Sanchez Prudencio started to work
on Windows scanning last week. He is in design phase now, and he has
started a discussion on the mailing list recently [2].
If you have any comments or if you are able to help him somehow,
please don't hesitate to contact him.


ad 3) Get the results from Open SCAP on whether the Windows machine is compliant

This requirement obviously needs to have Windows scanning implemented
first :-) as I mentioned above.

On Linux, it is possible to get the results either in machine-readable form
of XML documents or as a very nice detailed HTML report that user can display
in his web browser. If Windows will be supported in future, reporting should
work in the same way as on Linux.



[1] https://www.open-scap.org/security-policies/scap-security-guide/
[2] https://www.redhat.com/archives/open-scap-list/2017-February/msg1.html


I hope that I helped you a little and I'm looking forward to hearing from you 
again.

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.



- Original Message -
> From: "Bharath Mohanraj" 
> To: open-scap-list@redhat.com
> Sent: Wednesday, February 8, 2017 7:34:19 AM
> Subject: [Open-scap] Open SCAP for Windows
> 
> 
> 
> Hi Team,
> 
> 
> 
> I work for a client management product, and I see Open SCAP to be a promising
> solution for validating compliance of machines based on a defined policy.
> 
> 
> 
> I’m more interested in making use of Open SCAP in the product I work for, but
> however I need some assistance from you.
> 
> 
> 
> Please let me know if this can be achieved,
> 
> - Define a security policy (SCAP Content)
> 
> - Scan a Windows machine
> 
> - Get the results from Open SCAP on whether the Windows machine is compliant
> 
> 
> 
> Please let me know if this can be achieved.
> 
> 
> 
> Regards,
> 
> Bharath M
> 
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

___
Open-scap-list mailing list
Open-scap-list@redhat

Re: [Open-scap] Windows Support

2017-02-09 Thread Raphael Sanchez Prudencio
Hello Calvin,

On 02/09/2017 01:20 PM, Calvin Hartwell wrote:
> 1) Change probe architecture:
> 
> Currently our probe system has individual binaries for each OVAL
> object, making it more complex and harder to maintain/debug due to IPC,
> the historical reasons to this is to be able to use tailored SELinux
> policies for each probe, which makes sense but sadly we never
> implemented those policies. My proposal is to avoid having multiple
> binaries for Windows environments and make object collecting easier with
> a single probe which handles all objects.
> * Extra: Changing Linux to a single-probe would be interesting too, feel
> free to comment on this topic too!
> 
> +1 for this, I assume you are going to use native win32 api? 
Yes, we'll use native WIN32 API for Windows objects.
> 
> Have you started a branch for this? I am pretty interested.
I'm going to make pull request in master branch for now, but we can
create a specific branch for that as well. Nice to see more people
interested on this effort :)
> 
> Cheers,
> 
> - Calvin 
> 
> On Fri, Feb 3, 2017 at 4:28 PM, Raphael Sanchez Prudencio
> <rspruden...@redhat.com> wrote:
> 
> Hello,
> 
> I'm planning some effort towards Windows support for OpenSCAP and I'd
> like to discuss a few topics so we can have an architecture that pleases
> both users and developers.
> 
> 1) Change probe architecture:
> 
> Currently our probe system has individual binaries for each OVAL
> object, making it more complex and harder to maintain/debug due to IPC,
> the historical reasons to this is to be able to use tailored SELinux
> policies for each probe, which makes sense but sadly we never
> implemented those policies. My proposal is to avoid having multiple
> binaries for Windows environments and make object collecting easier with
> a single probe which handles all objects.
> * Extra: Changing Linux to a single-probe would be interesting too, feel
> free to comment on this topic too!
> 
> 
> 2) Make it possible to implement/extend object collecting with Lua
> 
> My idea here is to make it easier to implement new (custom) objects or
> to extend/modify existing ones using Lua, interfacing it with all needed
> underlying API for Windows probes like WMI-related objects. Also would
> enable remote scan features such as making extended probes that would
> report only Pass/Fail like Thin Results, which would be really
> interesting for a remote scan in a big infrastructure.
> Lua Virtual Machine is around 100-200kb, it would be really light and
> easy to send it through the network along with Lua probes for remote
> scanning with dissolvable agents which is another plus, not needing
> openscap installed on target machines and deleting the agent after scan.
> 
> 
> I think these are huge and audacious changes that would be more
> interesting than just simply implementing Windows probes in the current
> probe system as is. I'd like to hear feedback from our users,
> developers, maintainers, everyone.
> 
> 
> Thanks
> --
> Raphael Sanchez Prudencio
> Security Technologies | Red Hat, Inc.
> 
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com 
> https://www.redhat.com/mailman/listinfo/open-scap-list
> 
> 
> 
> 
> 
> -- 
> 
>   
> 
> 
> Calvin Hartwell
> 
> *Red Hat, Inc.* |Infrastructure Consultant - EMEA GPS 
> 
> Peninsular House, 30-36 Monument Street, 4th Floor, London, EC3R 8NB.
> 
> *☏ Mobile:*+44 (0) 7917052881 | *✉ Email: calvin.hartw...@redhat.com
> *
> 

-- 
Raphael Sanchez Prudencio
Security Technologies | Red Hat, Inc.

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Windows Support

2017-02-09 Thread Calvin Hartwell
1) Change probe architecture:

Currently our probe system has individual binaries for each OVAL
object, making it more complex and harder to maintain/debug due to IPC,
the historical reasons to this is to be able to use tailored SELinux
policies for each probe, which makes sense but sadly we never
implemented those policies. My proposal is to avoid having multiple
binaries for Windows environments and make object collecting easier with
a single probe which handles all objects.
* Extra: Changing Linux to a single-probe would be interesting too, feel
free to comment on this topic too!

+1 for this, I assume you are going to use native win32 api?

Have you started a branch for this? I am pretty interested.

Cheers,

- Calvin

On Fri, Feb 3, 2017 at 4:28 PM, Raphael Sanchez Prudencio <
rspruden...@redhat.com> wrote:

> Hello,
>
> I'm planning some effort towards Windows support for OpenSCAP and I'd
> like to discuss a few topics so we can have an architecture that pleases
> both users and developers.
>
> 1) Change probe architecture:
>
> Currently our probe system has individual binaries for each OVAL
> object, making it more complex and harder to maintain/debug due to IPC,
> the historical reasons to this is to be able to use tailored SELinux
> policies for each probe, which makes sense but sadly we never
> implemented those policies. My proposal is to avoid having multiple
> binaries for Windows environments and make object collecting easier with
> a single probe which handles all objects.
> * Extra: Changing Linux to a single-probe would be interesting too, feel
> free to comment on this topic too!
>
>
> 2) Make it possible to implement/extend object collecting with Lua
>
> My idea here is to make it easier to implement new (custom) objects or
> to extend/modify existing ones using Lua, interfacing it with all needed
> underlying API for Windows probes like WMI-related objects. Also would
> enable remote scan features such as making extended probes that would
> report only Pass/Fail like Thin Results, which would be really
> interesting for a remote scan in a big infrastructure.
> Lua Virtual Machine is around 100-200kb, it would be really light and
> easy to send it through the network along with Lua probes for remote
> scanning with dissolvable agents which is another plus, not needing
> openscap installed on target machines and deleting the agent after scan.
>
>
> I think these are huge and audacious changes that would be more
> interesting than just simply implementing Windows probes in the current
> probe system as is. I'd like to hear feedback from our users,
> developers, maintainers, everyone.
>
>
> Thanks
> --
> Raphael Sanchez Prudencio
> Security Technologies | Red Hat, Inc.
>
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
>



-- 

--

Calvin Hartwell

*Red Hat, Inc.* |Infrastructure Consultant - EMEA GPS

Peninsular House, 30-36 Monument Street, 4th Floor, London, EC3R 8NB.

*☏ Mobile:* +44 (0) 7917052881 | *✉ Email: calvin.hartw...@redhat.com
*
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Open SCAP for Windows

2017-02-09 Thread Jan Cerny
Hi Bharath,

We're very pleased that you're interested in OpenSCAP project.

Indeed, OpenSCAP is a great tool for evaluating compliance with a given
security policy for bare-metal machines, virtual machines and also containers.

Actually, OpenSCAP was designed to be able to integrate with other products,
and it already is integrated with system management solutions like ManageIQ,
Red Hat Satellite, and Project Atomic.

I will try to answer your questions.

ad 1) Define a security policy (SCAP Content):

First of all, I'd like to mention that our project "SCAP Security Guide" [1]
provides tested and verified SCAP Content for various systems.
It implements popular security benchmarks like PCI-DSS, STIG or USGCB.
Windows is not currently supported by SCAP Security Guide, but that's
just because nobody started implementing it. It's an open-source project,
so any contributions are welcome :-)

Secondly, if the content provided by "SCAP Security Guide" doesn't exactly
fit user's needs, it can be easily customized by a GUI tool called
SCAP Workbench.

Also, we in OpenSCAP strongly focus on compliance with SCAP standards
as defined by specification. That means OpenSCAP is able to evaluate any
SCAP content that you can obtain from third-party sources (there are many
available) or create yourself.

Unfortunately, we don't provide any "SCAP editor" that would enable
to create security policies from scratch for people with any knowledge
of respective SCAP standards. That's mainly because of complexity of 
the standards, so people rather prefer to have SCAP content written
by security experts than spending weeks by struggling with SCAP languages.


ad 2) Scan a Windows machine:

We can't scan Windows machines now, because we haven't implemented
Windows checks yet.

Fortunately, our developer Raphael Sanchez Prudencio started to work
on Windows scanning last week. He is in design phase now, and he has
started a discussion on the mailing list recently [2].
If you have any comments or if you are able to help him somehow,
please don't hesitate to contact him.


ad 3) Get the results from Open SCAP on whether the Windows machine is compliant

This requirement obviously needs to have Windows scanning implemented
first :-) as I mentioned above.

On Linux, it is possible to get the results either in machine-readable form
of XML documents or as a very nice detailed HTML report that user can display
in his web browser. If Windows will be supported in future, reporting should
work in the same way as on Linux.



[1] https://www.open-scap.org/security-policies/scap-security-guide/
[2] https://www.redhat.com/archives/open-scap-list/2017-February/msg1.html


I hope that I helped you a little and I'm looking forward to hearing from you 
again.

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.



- Original Message -
> From: "Bharath Mohanraj" 
> To: open-scap-list@redhat.com
> Sent: Wednesday, February 8, 2017 7:34:19 AM
> Subject: [Open-scap] Open SCAP for Windows
> 
> 
> 
> Hi Team,
> 
> 
> 
> I work for a client management product, and I see Open SCAP to be a promising
> solution for validating compliance of machines based on a defined policy.
> 
> 
> 
> I’m more interested in making use of Open SCAP in the product I work for, but
> however I need some assistance from you.
> 
> 
> 
> Please let me know if this can be achieved,
> 
> - Define a security policy (SCAP Content)
> 
> - Scan a Windows machine
> 
> - Get the results from Open SCAP on whether the Windows machine is compliant
> 
> 
> 
> Please let me know if this can be achieved.
> 
> 
> 
> Regards,
> 
> Bharath M
> 
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
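
Added example (not part of the thread and not OpenSCAP project code): one way a management product could consume the machine-readable XML results mentioned under "ad 3" and derive a per-target compliance verdict. The sample document is constructed and simplified, and the rule that "fail", "error" and "unknown" make a target non-compliant is an assumption of this sketch, not a definition from the thread.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
NS = {"x": XCCDF_NS}
# Assumption of this example: these outcomes block a "compliant" verdict.
BLOCKING = {"fail", "error", "unknown"}

# Constructed, simplified sample; real result files carry more attributes.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo">
    <target>host1.example.test</target>
    <rule-result idref="xccdf_org.example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_b"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_c"><result>notselected</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_d"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Return one summary dict per TestResult found in an XCCDF document.

    Caveat: reports collected from remote hosts are untrusted input; parse
    them with a hardened XML parser (for example defusedxml) in production.
    """
    root = ET.fromstring(xml_text)
    summaries = []
    # iter() also matches the root, so standalone TestResult files work too.
    for tr in root.iter("{%s}TestResult" % XCCDF_NS):
        counts, failing = {}, []
        for rr in tr.findall("x:rule-result", NS):
            # A missing or empty <result> is treated as "unknown", not as pass.
            text = rr.findtext("x:result", default="", namespaces=NS)
            outcome = text.strip() or "unknown"
            counts[outcome] = counts.get(outcome, 0) + 1
            if outcome in BLOCKING:
                failing.append(rr.get("idref"))
        summaries.append({
            "target": tr.findtext("x:target", default="", namespaces=NS),
            "counts": counts,
            "failing": failing,
            "compliant": not failing,
        })
    return summaries


if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s["target"], "compliant" if s["compliant"] else "NOT compliant", s["failing"])
```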