[Open-scap] Scanning Ubuntu / Debian servers with openscap
Hi Team

I'm new to OpenSCAP.

I am able to scan my Red Hat and CentOS machines with OpenSCAP for compliance.

    oscap xccdf eval --profile "usgcb-rhel6-server" --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

1. Is there any way to scan Ubuntu and Debian machines for certain compliance?
2. Are there any XCCDF files for Ubuntu and Debian?

Thanks in advance
Dhanushka

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
Re: [Open-scap] Scanning Ubuntu / Debian servers with openscap
Hi Marek and All

Thanks for the input. I downloaded https://github.com/OpenSCAP/scap-security-guide/releases and ran the scan on an Ubuntu 14.04.1 LTS machine, but got the following error in the output. Is there any reason for that?

    oscap-ssh --sudo ubuntu@192.168.58.16 22 xccdf eval --profile "xccdf_org.ssgproject.content_profile_standard" ssg-ubuntu1404-ds.xml
    Connecting to 'ubuntu@192.168.58.16' on port '22'...
    Connected!
    Copying input file 'ssg-ubuntu1404-ds.xml' to remote working directory '/tmp/tmp.gnlzPqb9fD'...
    Starting the evaluation...
    sudo: unable to resolve host openscap-client
    OpenSCAP Error: File '/tmp/tmp.gnlzPqb9fD/input.xml' line 3197: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_test': This element is not expected. [../../../src/XCCDF/xccdf_session.c:341]
    File '/tmp/tmp.gnlzPqb9fD/input.xml' line 4154: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_object': This element is not expected. [../../../src/XCCDF/xccdf_session.c:341]
    File '/tmp/tmp.gnlzPqb9fD/input.xml' line 5349: Element '{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}systemdunitdependency_state': This element is not expected. [../../../src/XCCDF/xccdf_session.c:341]

On Wed, 22 Aug 2018 at 23:31, Marek Haicman wrote:
> On 08/22/2018 07:37 PM, Dhanushka Parakrama wrote:
> > Hi Team
> >
> > I'm new to OpenSCAP.
> >
> > I am able to scan my Red Hat and CentOS machines with OpenSCAP for compliance.
> >
> >     oscap xccdf eval --profile "usgcb-rhel6-server" --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
> >
> > 1. Is there any way to scan Ubuntu and Debian machines for certain compliance?
> > 2. Are there any XCCDF files for Ubuntu and Debian?
> >
> > Thanks in advance
> > Dhanushka
>
> Hello Dhanushka,
> if you take a look at our upstream GitHub release page
> https://github.com/OpenSCAP/scap-security-guide/releases there is a
> "scap-security-guide-0.1.40.zip" archive. This archive contains
> datastreams for all products we generate content for.
>
> Mind you, RHEL content is more complete than the rest, mostly because of
> Red Hat contributors.
>
> Hope it will help!
> Marek
[Open-scap] syslog-ng setting issue in debian 8
Hi Team

We have run the scan for Debian 8 using the command below:

    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml

Got alerts as below:
==
[image: image.png]

To fix it we ran the commands below, as suggested by the report:

    apt-get install syslog-ng-core

    systemctl status syslog-ng
    ● syslog-ng.service - System Logger Daemon
       Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled)
       Active: active (running) since Tue 2018-08-28 15:04:28 IST; 23h ago
         Docs: man:syslog-ng(8)
      Process: 16275 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
     Main PID: 14555 (syslog-ng)
       CGroup: /system.slice/syslog-ng.service
               └─14555 /usr/sbin/syslog-ng -F

    Aug 28 15:04:28 oscapserver systemd[1]: Starting System Logger Daemon...
    Aug 28 15:04:28 oscapserver systemd[1]: Started System Logger Daemon.
    Aug 29 06:25:03 oscapserver systemd[1]: Reloading System Logger Daemon.
    Aug 29 06:25:03 oscapserver systemd[1]: Reloaded System Logger Daemon.

But even when we ran the scan again after fixing it, the report still shows:

    Ensure syslog-ng is installed -> FAILED
    Ensure Syslog-ng Service -> FAILED

Is there any reason for that?
Re: [Open-scap] syslog-ng setting issue in debian 8
Hi Watson

On Wed, 29 Aug 2018 at 14:51, Watson Yuuma Sato wrote:
> On 29/08/18 11:05, Dhanushka Parakrama wrote:
>
> Hi Team
>
> Hello Dhanushka,
>
> What version of SSG are you using?
> This looks like a bug in the 0.1.40 release: the package and service names
> used in the bash remediation for syslog-ng are different from your commands;
> we use "syslogng" for package and service name.
>
> Would you be willing to propose a fix for that?
> These are the files that would need to be changed:
>
> https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/templates/csv/packages_installed.csv
>
> https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/templates/csv/services_enabled.csv
>
> I have sent the pull request for those files
>
> We have run the scan for Debian 8 using the command below:
>
>     oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml
>
> Got alerts as below:
> ==
> [image: image.png]
>
> To fix it we ran the commands below, as suggested by the report:
>
>     apt-get install syslog-ng-core
>
>     systemctl status syslog-ng
>     ● syslog-ng.service - System Logger Daemon
>        Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled)
>        Active: active (running) since Tue 2018-08-28 15:04:28 IST; 23h ago
>          Docs: man:syslog-ng(8)
>       Process: 16275 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
>      Main PID: 14555 (syslog-ng)
>        CGroup: /system.slice/syslog-ng.service
>                └─14555 /usr/sbin/syslog-ng -F
>
>     Aug 28 15:04:28 oscapserver systemd[1]: Starting System Logger Daemon...
>     Aug 28 15:04:28 oscapserver systemd[1]: Started System Logger Daemon.
>     Aug 29 06:25:03 oscapserver systemd[1]: Reloading System Logger Daemon.
>     Aug 29 06:25:03 oscapserver systemd[1]: Reloaded System Logger Daemon.
>
> But even when we ran the scan again after fixing it, the report still shows:
>
>     Ensure syslog-ng is installed -> FAILED
>     Ensure Syslog-ng Service -> FAILED
>
> Is there any reason for that?
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
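
The mismatch Watson describes above (content that says "syslogng" where Debian says "syslog-ng") can be caught by comparing the names in the templates with what a host actually reports. The following is an added example, not part of the original thread or of scap-security-guide; the one-column CSV layout, the sample lists and the function names are assumptions made for illustration.

```python
import csv
import difflib
import io
import re

# Constructed sample: a one-column CSV of names, standing in for
# packages_installed.csv / services_enabled.csv (layout is an assumption).
CONTENT_CSV = """\
# name used by the rule template
syslogng
ntp
auditd
"""

# Constructed samples of what the Debian 8 host reports.
INSTALLED_PACKAGES = ["syslog-ng-core", "ntp", "auditd"]
SERVICE_UNITS = ["syslog-ng", "ntp", "auditd"]


def names_from_csv(text):
    """Return the first column of every non-empty, non-comment CSV row."""
    names = []
    for row in csv.reader(io.StringIO(text)):
        if row and row[0].strip() and not row[0].lstrip().startswith("#"):
            names.append(row[0].strip())
    return names


def _norm(name):
    """Lower-case and drop punctuation: 'syslog-ng' and 'syslogng' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def audit_names(content_names, system_names):
    """Map each content name the system does not know to likely real names."""
    known = sorted(set(system_names))
    findings = {}
    for name in content_names:
        if name in known:
            continue  # the check can match this name as written
        key = _norm(name)
        # First try names that differ only by punctuation or a suffix.
        near = [s for s in known if _norm(s).startswith(key)]
        if not near:
            near = difflib.get_close_matches(name, known, n=3, cutoff=0.8)
        findings[name] = near
    return findings


if __name__ == "__main__":
    wanted = names_from_csv(CONTENT_CSV)
    print("packages:", audit_names(wanted, INSTALLED_PACKAGES))
    print("services:", audit_names(wanted, SERVICE_UNITS))
```

On a real host the two lists could be filled from `dpkg-query -W -f='${Package}\n'` and `systemctl list-unit-files --type=service`, with the `.service` suffix stripped from the unit names.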
[Open-scap] ntp and auditd setting issue in debian 8
Hi Team

We have run the scan for Debian 8 using the command below:

    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml

Got alerts as below:
===
[image: image.png]

To fix it we ran the commands below, as suggested by the report:

    service ntp status
    ● ntp.service - LSB: Start NTP daemon
       Loaded: loaded (/etc/init.d/ntp)
       Active: active (running) since Mon 2018-08-27 18:24:21 IST; 2 days ago
       CGroup: /system.slice/ntp.service
               └─473 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:120

    Aug 27 18:24:21 oscapserver ntpd[473]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
    Aug 27 18:24:21 oscapserver ntpd[473]: Listen and drop on 1 v6wildcard :: UDP 123
    Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 2 lo 127.0.0.1 UDP 123
    Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 3 eth0 192.168.8.150 UDP 123
    Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 4 lo ::1 UDP 123
    Aug 27 18:24:21 oscapserver ntpd[473]: peers refreshed
    Aug 27 18:24:21 oscapserver ntpd[473]: Listening on routing socket on fd #21 for interface updates
    Aug 27 18:24:21 oscapserver systemd[1]: Started LSB: Start NTP daemon.
    Aug 27 18:24:24 oscapserver ntpd[473]: Listen normally on 5 eth0 fe80::250:56ff:fe94:6150 UDP 123
    Aug 27 18:24:24 oscapserver ntpd[473]: peers refreshed

    service auditd status
    ● auditd.service - Security Auditing Service
       Loaded: loaded (/lib/systemd/system/auditd.service; enabled)
       Active: active (running) since Tue 2018-08-28 14:41:28 IST; 1 day 6h ago
     Main PID: 12464 (auditd)
       CGroup: /system.slice/auditd.service
               └─12464 /sbin/auditd -n

But even when we ran the scan again after fixing it, the report still shows:

[image: image.png]

Is there any reason for that?

Thank You
Dhanushka
[Open-scap] Ensure Log Files Are Owned By Appropriate Group setting Issue in Debian 8
Hi Team

We have run the scan for Debian 8 using the command below:

    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml

Got alerts as below:
===
[image: image.png]

As the solution suggested, we changed the group as below:

    chgrp adm /var/log/* -R

[image: image.png]

but we are still getting:

    Ensure Log Files Are Owned By Appropriate Group -> Failed

Is there any reason for that?

Thank You
Dhanushka
[Open-scap] Set SSH Idle Timeout Interval Debian 8
Guys

In Debian 8 I have configured the setting below for the SSH client timeout:

    ClientAliveInterval 400

but it seems like the scan is not picking it up. Version: scap-security-guide-0.1.40

    oscap-ssh --sudo wso2@192.168.8.150 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report abc.html ssg-debian8-ds.xml

and it still shows the output below:

    Title   Set SSH Idle Timeout Interval
    Rule    xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
    Result  fail
[Open-scap] rsyslog and syslog-ng issue in Debian 8
Hi Team

When I'm using the xccdf_org.ssgproject.content_profile_anssi_np_nt28_high profile on Debian 8 (ssg-debian8-ds.xml) in version scap-security-guide-0.1.40, it says:

    Title   Ensure syslog-ng is Installed
    Rule    xccdf_org.ssgproject.content_rule_package_syslogng_installed
    Result  fail

    Title   Enable syslog-ng Service
    Rule    xccdf_org.ssgproject.content_rule_service_syslogng_enabled
    Result  fail

    Title   Ensure rsyslog is Installed
    Rule    xccdf_org.ssgproject.content_rule_package_rsyslog_installed
    Result  fail

    Title   Enable rsyslog Service
    Rule    xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
    Result  fail

But when I'm installing rsyslog, the Debian 8 system automatically removes the syslog-ng package, and vice versa. So one of the conditions will always fail.

Please see the screenshot below:

[image: image.png]
Re: [Open-scap] ntp and auditd setting issue in debian 8
Guys

Any news regarding the error?

On Wed, 29 Aug 2018 at 21:33, Dhanushka Parakrama wrote:
>
> Hi Team
>
> We have run the scan for Debian 8 using the command below:
>
>     oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml
>
> Got alerts as below:
> ===
>
> [image: image.png]
>
> To fix it we ran the commands below, as suggested by the report:
>
>     service ntp status
>     ● ntp.service - LSB: Start NTP daemon
>        Loaded: loaded (/etc/init.d/ntp)
>        Active: active (running) since Mon 2018-08-27 18:24:21 IST; 2 days ago
>        CGroup: /system.slice/ntp.service
>                └─473 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:120
>
>     Aug 27 18:24:21 oscapserver ntpd[473]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
>     Aug 27 18:24:21 oscapserver ntpd[473]: Listen and drop on 1 v6wildcard :: UDP 123
>     Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 2 lo 127.0.0.1 UDP 123
>     Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 3 eth0 192.168.8.150 UDP 123
>     Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 4 lo ::1 UDP 123
>     Aug 27 18:24:21 oscapserver ntpd[473]: peers refreshed
>     Aug 27 18:24:21 oscapserver ntpd[473]: Listening on routing socket on fd #21 for interface updates
>     Aug 27 18:24:21 oscapserver systemd[1]: Started LSB: Start NTP daemon.
>     Aug 27 18:24:24 oscapserver ntpd[473]: Listen normally on 5 eth0 fe80::250:56ff:fe94:6150 UDP 123
>     Aug 27 18:24:24 oscapserver ntpd[473]: peers refreshed
>
>     service auditd status
>     ● auditd.service - Security Auditing Service
>        Loaded: loaded (/lib/systemd/system/auditd.service; enabled)
>        Active: active (running) since Tue 2018-08-28 14:41:28 IST; 1 day 6h ago
>      Main PID: 12464 (auditd)
>        CGroup: /system.slice/auditd.service
>                └─12464 /sbin/auditd -n
>
> But even when we ran the scan again after fixing it, the report still shows:
>
> [image: image.png]
>
> Is there any reason for that?
>
> Thank You
> Dhanushka
[Open-scap] Can we remove some service checks from the profile
Hi Team

I wanted to remove a few service checks from the profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high (e.g. Ensure /tmp Located On Separate Partition, xccdf_org.ssgproject.content_rule_partition_for_tmp) and build a new ssg-centos6-ds.xml check file. How can I do that?

Thank You
Dhanushka
Re: [Open-scap] Ensure Log Files Are Owned By Appropriate Group setting Issue in Debian 8
Hi Wasto

Please correct me if I'm not mistaken. In the URL [1] that you shared I can't see rsyslog-ng; instead it has package_rsyslog_installed. So it checks for the correct package, isn't it?

[1] https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml

Thank you
Dhanushka

On Fri, 31 Aug 2018 at 18:28, Watson Yuuma Sato wrote:
> On 29/08/18 18:34, Dhanushka Parakrama wrote:
>
> Hi Team
>
> We have run the scan for Debian 8 using the command below:
>
>     oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml
>
> Got alerts as below:
> ===
>
> [image: image.png]
>
> As the solution suggested, we changed the group as below:
>
>     chgrp adm /var/log/* -R
>
> [image: image.png]
>
> but we are still getting:
>
>     Ensure Log Files Are Owned By Appropriate Group -> Failed
>
> Is there any reason for that?
>
> Hello, Dhanushka,
>
> The check for this rule also verifies if rsyslog is in use. Now,
> unfortunately, it checks for rsyslog, not rsyslog-ng.
>
> Here is where the check is defined:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
>
> Thank You
>
> Dhanushka
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
[Open-scap] Ensure that official distribution repositories are used check failed in Debian 8
Hi Team

In Debian 8 the /etc/apt/sources.list file includes the repositories below:

    deb http://ftp.us.debian.org/debian/ jessie main
    deb-src http://ftp.us.debian.org/debian/ jessie main

    deb http://security.debian.org/ jessie/updates main
    deb-src http://security.debian.org/ jessie/updates main

but still the scan

    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml

says:

[image: image.png]

    Ensure that official distribution repositories are used -> FAIL

Is there any reason for that?

Thank You
Dhanushka
Re: [Open-scap] Ensure that official distribution repositories are used check failed in Debian 8
Hi Marek

I will have a look.

On Fri, 7 Sep 2018 at 14:55, Marek Haicman wrote:
> Hello Dhanushka,
> first off, I added the scap-security-guide list, as that will make more sense
> for this kind of question. open-scap-list is mostly about scanner
> issues (and in 99% of cases, the problem is in the content, not in the scanner).
>
> Regarding the problem itself, it would be great if you took a look at
> the sources for the OVAL; maybe you'll be able to find the issue
> yourself, as you are on the platform.
>
> To find the source for the issue, I have checked that the ID of the rule is
> rule_apt_sources_official. So calling this in the cloned git repo:
> `find . | grep apt_sources_list`
> will tell you where the sources are:
> ./linux_os/guide/services/apt/apt_sources_list_official/oval/shared.xml
> is the source for the check.
> There is no complexity, there are just regexes, so if you find an issue, a
> pull request with the fix would be awesome, but an explanation of what the
> bug is will also do.
>
> Thanks!
> Marek
>
> On 09/07/2018 07:38 AM, Dhanushka Parakrama wrote:
> > Hi Team
> >
> > In Debian 8 the /etc/apt/sources.list file includes the repositories below:
> >
> >     deb http://ftp.us.debian.org/debian/ jessie main
> >     deb-src http://ftp.us.debian.org/debian/ jessie main
> >
> >     deb http://security.debian.org/ jessie/updates main
> >     deb-src http://security.debian.org/ jessie/updates main
> >
> > but still the scan
> >
> >     oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml
> >
> > says:
> >
> > image.png
> >
> >     Ensure that official distribution repositories are used -> FAIL
> >
> > Is there any reason for that?
> >
> > Thank You
> > Dhanushka