I installed OpenSCAP using the pre-built installer found here:

https://github.com/OpenSCAP/openscap/releases
OpenSCAP-1.3.0-win32.msi

To scan a benchmark, I had to extract the xml file from the benchmark zip. For example, in the Windows 10 SCAP content, I extracted the file “U_Windows_10_V1R12_STIG_SCAP_1-2_Benchmark.xml”.

Then to run the scan, I scanned using the following command line:

    oscap xccdf eval --results Windows_10_Results.xml --report Windows_10_Report.html U_Windows_10_V1R12_STIG_SCAP_1-2_Benchmark.xml

The Windows_10_Results.xml file that is generated can then be used to import into a STIG checklist.

Best regards,

Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
trey.henefi...@ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450

From: Ruben Oliva <david.ol...@verizon.net>
Sent: Friday, October 12, 2018 5:58 PM
To: Trey Henefield <trey.henefi...@ultra-ats.com>; sh...@redhat.com; open-scap-list@redhat.com
Subject: Re: [Open-scap] OpenSCAP 1.3.0

Trey:

You got me curious about this. How did you do it?

David Oliva

-----Original Message-----
From: Trey Henefield <trey.henefi...@ultra-ats.com>
To: Shawn Wells <sh...@redhat.com>; open-scap-list <open-scap-list@redhat.com>
Sent: Tue, Oct 9, 2018 12:08 pm
Subject: Re: [Open-scap] OpenSCAP 1.3.0

For what it's worth, I was able to perform scans on Windows with OpenSCAP 1.3.0 using the following DISA STIG benchmarks:

Google Chrome
Adobe Acrobat DC
Windows Defender
Windows Firewall
Windows 10

All of the scans work. However, Windows 10 results were a bit off. A lot of unknowns and false positives. This could be an issue with the benchmark, however it works fine in SCAP Compliance Checker. All others were spot on.

I was also able to import my results from the scan into the STIG Viewer to populate the results into a checklist.

Excellent work!

Best regards,

Trey Henefield, CISSP

-----Original Message-----
From: open-scap-list-boun...@redhat.com <open-scap-list-boun...@redhat.com> On Behalf Of Shawn Wells
Sent: Tuesday, October 9, 2018 10:53 AM
To: open-scap-list@redhat.com
Subject: Re: [Open-scap] OpenSCAP 1.3.0

On 10/9/18 7:38 AM, Jan Cerny wrote:
> Hello OpenSCAPers,
>
> We are thrilled to announce general availability of OpenSCAP 1.3.0 release.
>
> This is the first release from maint-1.3 maintenance branch. API/ABI
> is not compatible with 1.2.x releases. API/ABI is not compatible with
> 1.3.0_alpha releases.
>
> Changes from 1.3.0_alpha2:
> - New features
>   - Introduced a virtual '(all)' profile selecting all rules
>   - Verbose mode is a global option in all modules
>   - Added Microsoft Windows CPEs
>   - oscap-ssh can supply SSH options into an environment variable
> - Maintenance
>   - Removed SEXP parser
>   - Added Fedora 30 CPE
>   - Fixed many Coverity defects (memory leaks etc.)
>   - SCE builds are enabled by default
>   - Moved many low-level functions out of public API
>   - Removed unused and dead code
>   - Updated manual pages
>   - Numerous small fixes
>
> Key differences from 1.2.x series:
> - Basic Microsoft Windows support
> - Removed deprecated command line interfaces
> - Removed deprecated API symbols
> - Probes are not separate processes anymore
> - CMake used as build system
> - CTest used as a test framework
>
> Download:
> https://github.com/OpenSCAP/openscap/releases/download/1.3.0/openscap-1.3.0.tar.gz
>
> SHA512:
> 9405d0f17b60ab4a52ddd0f49d0e2395eb2540f0d07d68dfd142e2b8b2988e88cf1272
> 30523e68f67d3d22a6dd4eb2397f9468c923d19bb7cb059abf487ab5a1
>
> Audit, Fix, And Be Merry!

Thanks Jan!

How far along is Windows support? Saw the mention of 'basic' -- but how should OpenSCAP on Windows be positioned? For example:

- How many Windows probes are implemented?
- Does OpenSCAP on Windows pass the NIST automated tooling?
- Where can we send people who want to find out more?

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
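
Added example, not part of the original thread and not OpenSCAP project code: the thread reports many "unknown" outcomes in the Windows 10 scan, and this sketch tallies the outcomes in a file written by --results and lists the rules that need manual review before a checklist import. It assumes the results use the XCCDF 1.2 namespace; the embedded sample and its rule ids are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://checklists.nist.gov/xccdf/1.2}"      # XCCDF 1.2 namespace (assumed)
NEEDS_REVIEW = {"unknown", "error", "notchecked"}   # outcomes that are not a verdict

# Constructed sample standing in for Windows_10_Results.xml; all ids are made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_A"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_B"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_C"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_D"><result>unknown</result></rule-result>
    <rule-result idref="xccdf_example_rule_E"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarize(xml_data):
    """Return (Counter of outcomes, [(rule id, outcome)] needing manual review)."""
    # Parse only files produced by your own scan; ElementTree is not hardened
    # against hostile XML.
    root = ET.fromstring(xml_data)
    if root.tag == NS + "TestResult":
        runs = [root]
    else:
        runs = root.findall(".//" + NS + "TestResult")
    if not runs:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    counts, review = Counter(), []
    for rule_result in runs[-1].iter(NS + "rule-result"):  # last run in the file
        outcome = (rule_result.findtext(NS + "result") or "").strip()
        counts[outcome] += 1
        if outcome in NEEDS_REVIEW:
            review.append((rule_result.get("idref"), outcome))
    return counts, review


if __name__ == "__main__":
    # Pass the results file path as the first argument; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    counts, review = summarize(data)
    print(dict(counts))
    for rule_id, outcome in review:
        print(f"{outcome:12} {rule_id}")
```
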