Re: [Open-scap] Run-level probes on SUSE

Hello, This sounds good to me. We are looking forward to your patches. Best regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "S, Gautam" > To: open-scap-list@redhat.com > Sent: Friday, March 18, 2016 6:52:54 PM > Subject:

Re: [Open-scap] Run-level probes on SUSE

. Best Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "S, Gautam" <gaut...@hpe.com> > To: "Jan Cerny" <jce...@redhat.com> > Cc: open-scap-list@redhat.com > Sent: Tuesday, March 22, 2016 5:40:00 AM > Su

Re: [Open-scap] OVAL rule evaluation order

Hello Pravin, OpenSCAP doesn't have any option to influence the order of evaluation. OVAL is a declarative language. Rule evaluation order should not affect results. OVAL definitions have to be written in a way that it doesn't matter in which order are they evaluated. Moreover, OVAL

Re: [Open-scap] Offline scanning - SCE, probes

Hi Iankko, - Original Message - > From: "Jan Lieskovsky" > To: "Zbynek Moravec" > Cc: open-scap-list@redhat.com > Sent: Friday, April 15, 2016 1:26:09 PM > Subject: Re: [Open-scap] Offline scanning - SCE, probes > > > Hello Zbynek, > > -

[Open-scap] New COPR repository for OpenSCAP

Hi all, We have created a new COPR repository that provides unofficial builds of latest versions of openscap, scap-security-guide, scap-workbench and openscap-daemon packages. The packages are suitable for use on Red Hat Enterprise Linux 5, 6 and 7 and CentOS 5, 6 and 7. The COPR repository is

Re: [Open-scap] oscap-docker on Ubuntu 14.04

Hi, - Original Message - > From: "Pravin Goyal" <pravin.go...@outlook.com> > To: "Jan Cerny" <jce...@redhat.com> > Sent: Monday, February 6, 2017 3:55:10 PM > Subject: Re: [Open-scap] oscap-docker on Ubuntu 14.04 > > Thanks, Jan. I don'

Re: [Open-scap] oscap-docker on Ubuntu 14.04

Hi, which Python version is used by your /usr/bin/oscap-docker ? There might be a collision between Python2 and Python3. The script should run on both versions of Python, but most likely you have necessary modules only for Python 2. Also notice that oscap-docker needs Atomic [1] installed as a

Re: [Open-scap] OpenScap Scanner on Windows

Hi, I agree that it would be beneficial for OpenSCAP if we could scan containers on Debian hosts as well. Unfortunately, oscap-docker can run now only on RHEL7 and Fedora hosts, because it depends on Project Atomic. Atomic handles mounting of container's filesystem to the host's filesystem so

Re: [Open-scap] OpenSCAP Error: OVAL object not correctly defined

Hi Rocio, I am sorry for a late reply, but most of the OpenSCAP team is not present right now. Your issue seems to me like a regular bug, but I don't use Oracle, so I am afraid I can't help so much. AFAIK the code path leading to the message you described should be run on every evaluation of

Re: [Open-scap] Issue with "official" RHEL-7 definitions

Hi, New version of SCAP Security guide usually appears with a new release of RHEL). (but not necessarily always) I haven't looked exactly into firewall rules, but in general SCAP Security Guide is evolving very quickly, so it is very likely that they were not present at all in 0.1.25. OpenSCAP

[Open-scap] OpenSCAP 1.2.11

Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.2.11 release. This is the latest release from maint-1.2 maintenance branch. API/ABI is fully compatible with 1.2.0 release. Users of 1.2.x releases are recommended to update. Changes: - New features - huge

Re: [Open-scap] customizing generation of mediation scripts

Hi, The bash code is taken from the input SCAP content, eg. from /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml there is no magic behind that, basically oscap simply extracts snippets from XML. If you want to amend the script that is generated by oscap, unfortunately that is not possible, we

Re: [Open-scap] openscap 1.2.15 failed "make check" -> process58

Hi, thank you for the report. This test is not as deterministic as we want, perhaps we need to improve it again. Usually, running it again will be successful. But it's just a test, you can skip it if you need to install. We will definitely get back into these issues. Jan Černý Security

Re: [Open-scap] “local machine” as a target is not enabled for Workbench on Windows 10

Hi, Unfortunately, OpenSCAP can scan only Linux machines. Windows support is currently not implemented. The use-case for Workbench on Windows is only to scan remote Linux servers from a user's Windows laptop. Installing SSH server locally will not help. You are not the first person asking for

Re: [Open-scap] customizing remediation

Hello, Thank you for contacting us. There is a few things that you might have done incorrectly. In SCAP Workbench, after you click on "Customize", you will be prompted for a new profile ID, that will be the ID of your custom profile. Check if you use the new ID, and not the ID of original

Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black

fo > Processing has been finished! > > > > > > On Friday, April 7, 2017 2:02 AM, Luther Goh Lu Feng <elf...@yahoo.com> > wrote: > > > > > > > On Thursday, April 6, 2017 10:20 PM, Luther Goh Lu Feng <elf...@yahoo.com>

Re: [Open-scap] Issues with the recurse_direction="up"

Hi, Thank you for contacting me. See my replies inline below. Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Dragos Prisaca" > To: open-scap-list@redhat.com > Sent: Monday, March 6, 2017 10:00:40 PM > Subject: [Open-scap] Issues

Re: [Open-scap] Possible OpenSCAP bug

Hi Dragos, Thank you very much for reporting this and sorry for the delay. I had a look into your issue. Let me explain my findings. According to OVAL 5.11.1 specification and XML schema, recurse="none" is deprecated value and it was deprecated in OVAL 5.5. In XML schema

Re: [Open-scap] OSCAP-SCANNER on RHEL7

Hi, Your command # yum -y install openscap-scanner should work, because OpenSCAP is a standard component of RHEL 7. Check your software repositories configuration, eg. output of "yum repolist" command, and /etc/yum.repos.d/ directory. Check if you are able to install other packages. Regards

Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black

Hi, That is pretty cool that you want to run OpenSCAP on such a device. I like it! You're the first person that I know running it on ARM :) I think the problem is that Debian Jessie has OpenSCAP 1.0.9, which is an old version that doesn't support systemd related tests and it also can't process

Re: [Open-scap] Tuning/Customisation of SSG OVAL

Hi, Some of the rules in SCAP Security guide can be parametrized using "XCCDF Value". Those values can be set in SCAP Workbench. However that's not the case of this particular rule, the value is hard-coded in regular expressions across the file. We use parametrized values for example in rules

Re: [Open-scap] what profile to use in RHEL7

en-scap.org to figure this out. Click > >> on the product, then browse profiles. The page will always tell you > >> both title and ID of each. > >> > >> Hope this helps! > >> > >> > >> > >> As a future OpenSCAP RFE, could the '

Re: [Open-scap] OpenSCAP Daemon Status

Hi Jordan, OpenSCAP Daemon is an active project. I don't think it will be deprecated. Right now, its main purpose is to integrate OpenSCAP with Project Atomic to provide "atomic scan" feature. But it can do more: continuous compliance of bare-metal machines, VMs, containers. The official RPM is

[Open-scap] OpenSCAP Daemon 0.1.7

Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP Daemon 0.1.7 release. Everybody is encouraged to update. Changes: - New features: - Scanning of any XCCDF profile in oscapd-evaluate - Detecting XCCDF profiles applicable to a given target - Generating

[Open-scap] Dockerfiles for OpenSCAP container

Hi, I would like to move the discussion about Dockerfiles for OpenSCAP container from GitHub [1] to the mailing list, because I'm interested in solving that topic. Nowadays, OpenSCAP Deamon upstream repository contains multiple Dockerfiles in this repository to build various container images

Re: [Open-scap] Implementation for an AppArmor probe.

Hi, The new patch looks great. I'll review and test. I'll let you know. Thanks Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Bruno Ducrot" <br...@poupinou.org> > To: "Jan Cerny" <jce...@redhat.com> >

Re: [Open-scap] fix process58 for Ubuntu

Hi, Thanks for the patch. I have included it in upstream. https://github.com/OpenSCAP/openscap/commit/0844e5fa6fb6624882b50e6915ecb3393559b4cc I tried to reproduce this yesterday, but I wasn't successful. Do I understand it well that this happens only if SELinux is not in use? Regards Jan

[Open-scap] OpenSCAP 1.2.15

Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.2.15 release. This is the latest release from maint-1.2 maintenance branch. API/ABI is fully compatible with 1.2.0 release. Users of 1.2.x releases are recommended to update. Changes: - New features - short

Re: [Open-scap] SCE not able to find sh script

Hi, The datastream you mentioned looks like it references another file. But in fact, this is a reference to another part of the datastream, 'extended-component'. There can be multiple reasons for this issue. Could you check you can write to /tmp? Could you run the command with --verbose INFO ?

[Open-scap] OpenSCAP 1.2.17

Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.2.17 release. This is the latest release from maint-1.2 maintenance branch. API/ABI is fully compatible with 1.2.0 release. Users of 1.2.x releases are recommended to update. Changes: - New features - HTML

Re: [Open-scap] New GitHub teams

Hi, These are great news! However, I used to change settings in OpenSCAP repository, which I can't now, because I don't have the settings button anymore. This is a huge problem. Now, I can't merge the maint-1.2 branch into master, because I'm not able to temporary disable the required check for

Re: [Open-scap] oscap results stored in central database?

Hi, This idea is very interesting. Unfortunately it is not likely that we in Red Hat work on this database, because it will create a strong competition for Red Hat Satellite. But we will be very happy to provide our support and knowledge if there will be a project developed by community.

[Open-scap] OpenSCAP 1.3.0_alpha2

Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.0_alpha2 release. This is the second alpha release from master branch. This alpha release contains significant changes. API/ABI is not compatible with 1.2.x releases. API/ABI may be subject of further changes

Re: [Open-scap] New Structure for Content - Rule Directories in SCAP Security Guide

Hi, Thank you for your excellent write-up. I think this new structure is a big step forward and definitely makes contributing to SSG easier. Kudos! Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Alexander Scheel" > To: "Open-scap-list" > Sent: Friday,

[Open-scap] OpenSCAP 1.3.0_alpha1

Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.0_alpha1 release. This is the first alpha release from master branch. This alpha release contains significant changes. API/ABI is not compatible with 1.2.x releases. API/ABI may be subject of further changes

[Open-scap] OpenSCAP Daemon - Fedora Updates

Hi, Please provide Karma on OpenSCAP daemon 0.1.9. Fedora 26 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-8654af23fe Fedora 27 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-509bf79a3b EPEL 7 - https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-db54a11b6d

Re: [Open-scap] Open SCAP on Ubuntu

Hi, Unfortunately, scap-workbench was introduced in Ubuntu 17.04, so it is not available in 16.04. In ubuntu 16.04 you can use still command-line tool oscap, which is found in package libopenscap8. But there is old OpenSCAP 1.2.8. I don't expect Ubuntu people will update packages in LTS

Re: [Open-scap] Openscap and Windows

Hi, I have taken over the initiative and I work on enabling Windows support in OpenSCAP. Unfortunately OpenSCAP was designed for Linux, and there is a lot of low-level stuff that needs to be changed to make it working on Windows. It isn't working on Windows now, but I'm getting closer. I hope

Re: [Open-scap] Developing content for Oracle Linux

Hi Tina, Thank you for reaching us. There is ComplianceAsCode project (formerly known as SCAP Security Guide) that provides SCAP content for various Linux distributions. ComplianceAsCode is an open-source project and it's developed actively on GitHub. Here's the link:

[Open-scap] OpenSCAP 1.3.0

Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.0 release. This is the first release from maint-1.3 maintenance branch. API/ABI is not compatible with 1.2.x releases. API/ABI is not compatible with 1.3.0_alpha releases. Changes from 1.3.0_alpha2: - New

Re: [Open-scap] OpenSCAP 1.3.0

| Red Hat, Inc. - Original Message - > From: "Shawn Wells" > To: open-scap-list@redhat.com > Sent: Tuesday, October 9, 2018 5:53:08 PM > Subject: Re: [Open-scap] OpenSCAP 1.3.0 > > > > On 10/9/18 7:38 AM, Jan Cerny wrote: > > Hello OpenSCAPers,

Re: [Open-scap] question on addon_fedora_oscap

Hi, Unfortunately, the "tailoring" feature is broken in Anaconda Addon. However, there is a workaround, suggested by Watson Yuuma Sato (adding him to this conversation). Let me copy-paste his idea: There is a tool that can combine the tailoring to the datastream or XCCDF file. So it is

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

Hi, You're correct that SCAP Security Guide was not shipped as a package in Ubuntu 16.04, but it is shipped in Ubuntu 18.04. The file “U_Canonical_16-04_LTS_V1R1_STIG.zip" is a different content, which isn't provided by SCAP Security Guide project, but is provided by DISA. Regards Jan Černý

Re: [Open-scap] Making Fix Templates

Hi, I have looked into this quickly. But I haven't able to get that working. I haven't found anything in the source code that uses it. It seems to me that the feature has been removed without changing the documentation. I'm not sure if the removal was intended or if it is a regression. The

Re: [Open-scap] Making Fix Templates

on the fixes within SSG, which was renamed to ComplianceAsCode, on GitHub. https://github.com/ComplianceAsCode/content Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Boyd Ako" > To: "Jan Cerny" > Cc: open-scap-list@redhat.com

Re: [Open-scap] Ubuntu Security Guide content

Hi Todd, The security content is provided by "ComplianceAsCode" project, which was up until recently known as "SCAP Security Guide" or "SSG". See https://github.com/ComplianceAsCode/content The security content is packaged in Ubuntu since Ubuntu 18.04 (Bionic Beaver). The packages are: ssg-base,

Re: [Open-scap] Ubuntu Security Guide content

Williams" > To: "Jan Cerny" > Sent: Friday, February 1, 2019 4:35:50 PM > Subject: Re: [Open-scap] Ubuntu Security Guide content > > > Hi Jan, > > So I was able to use ssg-ubuntu1804-ds.xml in scap-workbench on Ubuntu > 18.4, and I got this error when I ran

Re: [Open-scap] OVAL: join variables with empty value

Hi, I'm afraid we hit the limitation of OVAL specification: https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html#ObjectComponentType > The required object_ref attribute provides a reference to an existing OVAL Object declaration. The referenced

[Open-scap] OpenSCAP 1.3.1

Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.1 release. This is the latest release from maint-1.3 maintenance branch. API/ABI is fully compatible with 1.3.0 release. Users of 1.3.x releases are recommended to update. Changes: - New features - Support

Re: [Open-scap] Need help on openscap SSG question

Hi, I will try to answer, but I don't use Nessus, so I'm not sure what is the exact reason of this fail. In general, the SSG files are validated against SCAP XML schemas, so they are valid SCAP content. However, SCAP standard consist of multiple separate specifications. Strictly speaking, the

Re: [Open-scap] Need help on openscap SSG question

Hi, I have no idea. Does Nessus have any "verbose" mode to get more helpful error message? Including scap-security-guide list in this conversation because there might be people familiar with using SSG with Nessus. Regards On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim wrote: > &

Re: [Open-scap] openscap for windows?

Hi, OpenSCAP can be run on Windows. The Windows installer can be downloaded from: https://github.com/OpenSCAP/openscap/releases/download/1.3.1/OpenSCAP-1.3.1-win32.msi However, the Windows version it contains only the 4 most used probes, so it can scan only a few checks. There is no integration

Re: [Open-scap] customize scap report

Hi, You need to pass the ID of the customized profile in --profile instead of the ID of the original profile. The ID of the customized profile is the ID that Workbench prompted you when you clicked on "Customize" button. By default it's stig-rhel7-disa_customized. You can check by opening the

Re: [Open-scap] Questions about OVAL

Hi, On Tue, Aug 13, 2019 at 4:53 AM Tim Burress wrote: > > Hello, > > I'm trying to learn my way around SCAP just now, with the main focus > right now on scans of Linux-based systems using oscap and the related > tools. I'm hitting a bit of a wall when it comes to writing OVAL content > and just

Re: [Open-scap] OpenSCAP web interface

Hi Gopal, Red Hat Satellite provides a web interface for OpenSCAP. See https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/host_configuration_guide/chap-red_hat_satellite-host_configuration_guide-security_compliance_management_with_openscap Watch the demo here:

Re: [Open-scap] make test fails on Debian 9 and Debian 10

Hi, Just a note: running tests is optional part of the build process, you can skip the tests and proceed to install. On Tue, Dec 10, 2019 at 1:00 PM Jan Cerny wrote: > Hi Bryan, > > Thank you very much for reaching us. > > In general, the tests aren't expected to fail. I think t

Re: [Open-scap] make test fails on Debian 9 and Debian 10

Hi Bryan, Thank you very much for reaching us. In general, the tests aren't expected to fail. I think that the problem is that the tests were written on Fedora, without considering other Linux distributions. If a test fails, it doesn't necessarily mean that the tested part of the OpenSCAP code

Re: [Open-scap] OpenSCAP 1.3.3

Hi Fen, On RHEL7 you can build OpenSCAP 1.3.3 from source code. Check [1] for instructions. Unfortunately, RHEL 7 won't ship OpenSCAP 1.3.x as a RPM package, because OpenSCAP 1.3.x isn't API compatible with the 1.2.x versions. But, OpenSCAP and SSG in RHEL7 should work together. There was a fix

[Open-scap] OpenSCAP 1.3.3 COPR builds are available for RHEL 7 and RHEL 8

Hi, We have received feedback from multiple people that they want to try the latest OpenSCAP 1.3.3 on their RHEL 7 and RHEL 8 systems. Therefore, we have added OpenSCAP 1.3.3 builds for RHEL 7 and RHEL 8 to our COPR account: https://copr.fedorainfracloud.org/coprs/openscapmaint/openscap-latest/

Re: [Open-scap] OpenSCAP 1.3.3

Hi, This is a very interesting issue that we haven't hit so far. I checked on updated RHEL 7 machine which contains: - openscap-1.2.17-9.el7.x86_64 - scap-security-guide-0.1.46-11.el7.noarch The scap-security-guide-0.1.46-11.el7.noarch contains 2 RHEL 7 datastreams: -

Re: [Open-scap] OSCAP Anaconda Addon usage examples

Hi Giacomo, Using content-type = scap-security-guide in the kickstart means that Anaconda addon uses SCAP content from the scap-security-guide RPM package in the installation media. The other options (datastream, archive, rpm) allow you to provide your own SCAP content and use it instead. The

Re: [Open-scap] [EXTERNAL] Re: OSCAP Anaconda Addon usage examples

't work-around it, > unless the remediation resolves it. If not, then I'll have to change > the default boot target and fixed it after reboot. > > Thank you. > Giacomo > > > On Thu, 2020-05-28 at 10:31 +0200, Jan Cerny wrote: > > Hi Giacomo, > > > > Let me r

Re: [Open-scap] OpenScap Workbench MACOS with custom Content

Hi, SCAP Workbench can use only files in XCCDF or DataStream format, but not in OVAL format. Use the files from https://www.redhat.com/security/data/metrics/ds/v2/ instead. Regards On Mon, Jun 8, 2020 at 6:59 PM MrWanny wrote: > > Dear Open-Scap > > > > I am trying out OpenScap Workbench UI

[Open-scap] SCAP 1.3 support status

Hi, Recently we have checked SCAP 1.3 specification [1] and SCAP 1.3 Validation Program Test Requirements [2]. We have also executed the SCAP 1.3 Validation test suite [3]. The goal was to find out which SCAP 1.3 features we miss in OpenSCAP and to find out what needs to be done to satisfy [1]

Re: [Open-scap] Where to find source code for libopenscap8

Hi, The libopenscap8 is a part of OpenSCAP and its sources are located on https://github.com/OpenSCAP/openscap. Regards On Wed, Nov 4, 2020 at 2:05 PM Adam Horeth wrote: > Hey all, was just wondering if there's anywhere I can find the source for > the library in the subject (libopenscap8), if

[Open-scap] ComplianceAsCode/content v0.1.68

Hello all, ComplianceAsCode/Content v0.1.68 is out. Some of the highlights of this release are: - Bump OL8 STIG version to V1R6 (#10497) - Introduce a Product class, make the project work with it (#10529) - Introduce Fedora and Firefox CaC profiles for common workstation users (#10506) - OL7