Hello,
This sounds good to me. We are looking forward to your patches.
Best regards
Jan Černý
Security Technologies | Red Hat, Inc.
- Original Message -
> From: "S, Gautam"
> To: open-scap-list@redhat.com
> Sent: Friday, March 18, 2016 6:52:54 PM
> Subject:
.
Best Regards
Jan Černý
Security Technologies | Red Hat, Inc.
- Original Message -
> From: "S, Gautam" <gaut...@hpe.com>
> To: "Jan Cerny" <jce...@redhat.com>
> Cc: open-scap-list@redhat.com
> Sent: Tuesday, March 22, 2016 5:40:00 AM
> Su
Hello Pravin,
OpenSCAP doesn't have any option to influence the order of evaluation.
OVAL is a declarative language. Rule evaluation order should not affect results.
OVAL definitions have to be written in a way that it doesn't matter in which
order
are they evaluated.
Moreover, OVAL
Hi Iankko,
- Original Message -
> From: "Jan Lieskovsky"
> To: "Zbynek Moravec"
> Cc: open-scap-list@redhat.com
> Sent: Friday, April 15, 2016 1:26:09 PM
> Subject: Re: [Open-scap] Offline scanning - SCE, probes
>
>
> Hello Zbynek,
>
> -
Hi all,
We have created a new COPR repository that provides unofficial builds
of latest versions of openscap, scap-security-guide, scap-workbench
and openscap-daemon packages. The packages are suitable for use
on Red Hat Enterprise Linux 5, 6 and 7 and CentOS 5, 6 and 7.
The COPR repository is
Hi,
- Original Message -
> From: "Pravin Goyal" <pravin.go...@outlook.com>
> To: "Jan Cerny" <jce...@redhat.com>
> Sent: Monday, February 6, 2017 3:55:10 PM
> Subject: Re: [Open-scap] oscap-docker on Ubuntu 14.04
>
> Thanks, Jan. I don'
Hi,
which Python version is used by your /usr/bin/oscap-docker ?
There might be a collision between Python2 and Python3.
The script should run on both versions of Python, but most likely
you have necessary modules only for Python 2.
Also notice that oscap-docker needs Atomic [1] installed
as a
Hi,
I agree that it would be beneficial for OpenSCAP if we could scan containers
on Debian hosts as well.
Unfortunately, oscap-docker can run now only on RHEL7 and Fedora hosts,
because it depends on Project Atomic. Atomic handles mounting of container's
filesystem to the host's filesystem so
Hi Rocio,
I am sorry for a late reply, but most of the OpenSCAP team is not present right
now.
Your issue seems to me like a regular bug, but I don't use Oracle,
so I am afraid I can't help so much.
AFAIK the code path leading to the message you described should be run
on every evaluation of
Hi,
New version of SCAP Security guide usually appears with a new release of RHEL).
(but not necessarily always)
I haven't looked exactly into firewall rules, but in general SCAP Security Guide
is evolving very quickly, so it is very likely that they were not present at
all in 0.1.25.
OpenSCAP
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP 1.2.11 release.
This is the latest release from maint-1.2 maintenance branch. API/ABI is
fully compatible with 1.2.0 release. Users of 1.2.x releases are
recommended to update.
Changes:
- New features
- huge
Hi,
The bash code is taken from the input SCAP content,
eg. from /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
there is no magic behind that, basically oscap simply extracts
snippets from XML.
If you want to amend the script that is generated by oscap, unfortunately
that is not possible, we
Hi,
thank you for the report.
This test is not as deterministic as we want, perhaps we need to improve it
again.
Usually, running it again will be successful.
But it's just a test, you can skip it if you need to install.
We will definitely get back into these issues.
Jan Černý
Security
Hi,
Unfortunately, OpenSCAP can scan only Linux machines.
Windows support is currently not implemented.
The use-case for Workbench on Windows is only to scan remote
Linux servers from a user's Windows laptop.
Installing SSH server locally will not help.
You are not the first person asking for
Hello,
Thank you for contacting us.
There is a few things that you might have done incorrectly.
In SCAP Workbench, after you click on "Customize", you will be prompted
for a new profile ID, that will be the ID of your custom profile.
Check if you use the new ID, and not the ID of original
fo
> Processing has been finished!
>
>
>
>
>
> On Friday, April 7, 2017 2:02 AM, Luther Goh Lu Feng <elf...@yahoo.com>
> wrote:
>
>
>
>
>
>
> On Thursday, April 6, 2017 10:20 PM, Luther Goh Lu Feng <elf...@yahoo.com>
Hi,
Thank you for contacting me.
See my replies inline below.
Jan Černý
Security Technologies | Red Hat, Inc.
- Original Message -
> From: "Dragos Prisaca"
> To: open-scap-list@redhat.com
> Sent: Monday, March 6, 2017 10:00:40 PM
> Subject: [Open-scap] Issues
Hi Dragos,
Thank you very much for reporting this and sorry for the delay.
I had a look into your issue. Let me explain my findings.
According to OVAL 5.11.1 specification and XML schema,
recurse="none" is deprecated value and it was deprecated in OVAL 5.5.
In XML schema
Hi,
Your command
# yum -y install openscap-scanner
should work, because OpenSCAP is a standard component of RHEL 7.
Check your software repositories configuration, eg. output of "yum repolist"
command,
and /etc/yum.repos.d/ directory. Check if you are able to install
other packages.
Regards
Hi,
That is pretty cool that you want to run OpenSCAP on such a device.
I like it! You're the first person that I know running it on ARM :)
I think the problem is that Debian Jessie has OpenSCAP 1.0.9,
which is an old version that doesn't support systemd related tests
and it also can't process
Hi,
Some of the rules in SCAP Security guide can be parametrized using "XCCDF
Value".
Those values can be set in SCAP Workbench. However that's not the case of this
particular rule, the value is hard-coded in regular expressions across the
file. We use parametrized values for example in rules
en-scap.org to figure this out. Click
> >> on the product, then browse profiles. The page will always tell you
> >> both title and ID of each.
> >>
> >> Hope this helps!
> >>
> >>
> >>
> >> As a future OpenSCAP RFE, could the '
Hi Jordan,
OpenSCAP Daemon is an active project. I don't think it will be deprecated.
Right now, its main purpose is to integrate OpenSCAP with Project Atomic
to provide "atomic scan" feature. But it can do more: continuous compliance
of bare-metal machines, VMs, containers.
The official RPM is
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP Daemon 0.1.7
release.
Everybody is encouraged to update.
Changes:
- New features:
- Scanning of any XCCDF profile in oscapd-evaluate
- Detecting XCCDF profiles applicable to a given target
- Generating
Hi,
I would like to move the discussion about Dockerfiles for OpenSCAP container
from GitHub [1] to the mailing list, because I'm interested in solving that
topic.
Nowadays, OpenSCAP Deamon upstream repository contains multiple Dockerfiles
in this repository to build various container images
Hi,
The new patch looks great. I'll review and test. I'll let you know.
Thanks
Regards
Jan Černý
Security Technologies | Red Hat, Inc.
- Original Message -
> From: "Bruno Ducrot" <br...@poupinou.org>
> To: "Jan Cerny" <jce...@redhat.com>
>
Hi,
Thanks for the patch. I have included it in upstream.
https://github.com/OpenSCAP/openscap/commit/0844e5fa6fb6624882b50e6915ecb3393559b4cc
I tried to reproduce this yesterday, but I wasn't successful.
Do I understand it well that this happens only if SELinux is
not in use?
Regards
Jan
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP 1.2.15 release.
This is the latest release from maint-1.2 maintenance branch. API/ABI is
fully compatible with 1.2.0 release. Users of 1.2.x releases are
recommended to update.
Changes:
- New features
- short
Hi,
The datastream you mentioned looks like it references another file. But in
fact, this
is a reference to another part of the datastream, 'extended-component'. There
can be
multiple reasons for this issue. Could you check you can write to /tmp? Could
you run the command with --verbose INFO ?
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP 1.2.17 release.
This is the latest release from maint-1.2 maintenance branch. API/ABI is
fully compatible with 1.2.0 release. Users of 1.2.x releases are
recommended to update.
Changes:
- New features
- HTML
Hi,
These are great news!
However, I used to change settings in OpenSCAP repository, which I can't now,
because I don't have the settings button anymore.
This is a huge problem. Now, I can't merge the maint-1.2 branch into master,
because I'm not able to temporary disable the required check for
Hi,
This idea is very interesting.
Unfortunately it is not likely that we in Red Hat work on this database,
because it will create a strong competition for Red Hat Satellite.
But we will be very happy to provide our support and knowledge
if there will be a project developed by community.
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP 1.3.0_alpha2
release.
This is the second alpha release from master branch. This alpha release
contains significant changes. API/ABI is not compatible with 1.2.x releases.
API/ABI may be subject of further changes
Hi,
Thank you for your excellent write-up. I think this new structure
is a big step forward and definitely makes contributing to SSG easier.
Kudos!
Jan Černý
Security Technologies | Red Hat, Inc.
- Original Message -
> From: "Alexander Scheel"
> To: "Open-scap-list"
> Sent: Friday,
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP 1.3.0_alpha1
release.
This is the first alpha release from master branch. This alpha release
contains significant changes. API/ABI is not compatible with 1.2.x releases.
API/ABI may be subject of further changes
Hi,
Please provide Karma on OpenSCAP daemon 0.1.9.
Fedora 26 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-8654af23fe
Fedora 27 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-509bf79a3b
EPEL 7 - https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-db54a11b6d
Hi,
Unfortunately, scap-workbench was introduced in Ubuntu 17.04, so it is not
available in 16.04.
In ubuntu 16.04 you can use still command-line tool oscap, which is found in
package libopenscap8.
But there is old OpenSCAP 1.2.8. I don't expect Ubuntu people will update
packages in LTS
Hi,
I have taken over the initiative and I work on enabling Windows support in
OpenSCAP.
Unfortunately OpenSCAP was designed for Linux, and there is a lot of low-level
stuff
that needs to be changed to make it working on Windows.
It isn't working on Windows now, but I'm getting closer.
I hope
Hi Tina,
Thank you for reaching us. There is ComplianceAsCode project (formerly known
as SCAP Security Guide) that provides SCAP content for various Linux
distributions.
ComplianceAsCode is an open-source project and it's developed actively on
GitHub.
Here's the link:
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP 1.3.0 release.
This is the first release from maint-1.3 maintenance branch. API/ABI is not
compatible with 1.2.x releases. API/ABI is not compatible with 1.3.0_alpha
releases.
Changes from 1.3.0_alpha2:
- New
| Red Hat, Inc.
- Original Message -
> From: "Shawn Wells"
> To: open-scap-list@redhat.com
> Sent: Tuesday, October 9, 2018 5:53:08 PM
> Subject: Re: [Open-scap] OpenSCAP 1.3.0
>
>
>
> On 10/9/18 7:38 AM, Jan Cerny wrote:
> > Hello OpenSCAPers,
Hi,
Unfortunately, the "tailoring" feature is broken in Anaconda Addon.
However, there is a workaround, suggested by Watson Yuuma Sato (adding him to
this conversation).
Let me copy-paste his idea:
There is a tool that can combine the tailoring to the datastream or XCCDF file.
So it is
Hi,
You're correct that SCAP Security Guide was not shipped as a package in Ubuntu
16.04, but it is
shipped in Ubuntu 18.04.
The file “U_Canonical_16-04_LTS_V1R1_STIG.zip" is a different content, which
isn't provided by
SCAP Security Guide project, but is provided by DISA.
Regards
Jan Černý
Hi,
I have looked into this quickly. But I haven't able to get that working. I
haven't found
anything in the source code that uses it. It seems to me that the feature has
been removed
without changing the documentation. I'm not sure if the removal was intended or
if it is
a regression.
The
on the fixes within SSG, which was renamed to
ComplianceAsCode, on GitHub. https://github.com/ComplianceAsCode/content
Regards
Jan Černý
Security Technologies | Red Hat, Inc.
- Original Message -
> From: "Boyd Ako"
> To: "Jan Cerny"
> Cc: open-scap-list@redhat.com
Hi Todd,
The security content is provided by "ComplianceAsCode" project, which was
up until recently known as "SCAP Security Guide" or "SSG".
See https://github.com/ComplianceAsCode/content
The security content is packaged in Ubuntu since Ubuntu 18.04 (Bionic Beaver).
The packages are: ssg-base,
Williams"
> To: "Jan Cerny"
> Sent: Friday, February 1, 2019 4:35:50 PM
> Subject: Re: [Open-scap] Ubuntu Security Guide content
>
>
> Hi Jan,
>
> So I was able to use ssg-ubuntu1804-ds.xml in scap-workbench on Ubuntu
> 18.4, and I got this error when I ran
Hi,
I'm afraid we hit the limitation of OVAL specification:
https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html#ObjectComponentType
> The required object_ref attribute provides a reference to an existing
OVAL Object declaration. The referenced
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP 1.3.1 release.
This is the latest release from maint-1.3 maintenance branch. API/ABI is
fully compatible with 1.3.0 release. Users of 1.3.x releases are
recommended to update.
Changes:
- New features
- Support
Hi,
I will try to answer, but I don't use Nessus, so I'm not sure what is
the exact reason of this fail.
In general, the SSG files are validated against SCAP XML schemas, so
they are valid SCAP content.
However, SCAP standard consist of multiple separate specifications.
Strictly speaking, the
Hi,
I have no idea. Does Nessus have any "verbose" mode to get more
helpful error message?
Including scap-security-guide list in this conversation because there
might be people familiar with using SSG with Nessus.
Regards
On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim wrote:
>
&
Hi,
OpenSCAP can be run on Windows. The Windows installer can be downloaded from:
https://github.com/OpenSCAP/openscap/releases/download/1.3.1/OpenSCAP-1.3.1-win32.msi
However, the Windows version it contains only the 4 most used probes,
so it can scan only a few checks.
There is no integration
Hi,
You need to pass the ID of the customized profile in --profile instead
of the ID of the original profile.
The ID of the customized profile is the ID that Workbench prompted you
when you clicked on "Customize" button.
By default it's stig-rhel7-disa_customized. You can check by opening
the
Hi,
On Tue, Aug 13, 2019 at 4:53 AM Tim Burress wrote:
>
> Hello,
>
> I'm trying to learn my way around SCAP just now, with the main focus
> right now on scans of Linux-based systems using oscap and the related
> tools. I'm hitting a bit of a wall when it comes to writing OVAL content
> and just
Hi Gopal,
Red Hat Satellite provides a web interface for OpenSCAP.
See
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/host_configuration_guide/chap-red_hat_satellite-host_configuration_guide-security_compliance_management_with_openscap
Watch the demo here:
Hi,
Just a note: running tests is optional part of the build process, you can
skip the tests and proceed to install.
On Tue, Dec 10, 2019 at 1:00 PM Jan Cerny wrote:
> Hi Bryan,
>
> Thank you very much for reaching us.
>
> In general, the tests aren't expected to fail. I think t
Hi Bryan,
Thank you very much for reaching us.
In general, the tests aren't expected to fail. I think that the problem is
that the tests were written on Fedora, without considering other Linux
distributions. If a test fails, it doesn't necessarily mean that the tested
part of the OpenSCAP code
Hi Fen,
On RHEL7 you can build OpenSCAP 1.3.3 from source code. Check [1] for
instructions. Unfortunately, RHEL 7 won't ship OpenSCAP 1.3.x as a
RPM package, because OpenSCAP 1.3.x isn't API compatible with the
1.2.x versions.
But, OpenSCAP and SSG in RHEL7 should work together. There was a fix
Hi,
We have received feedback from multiple people that they want to try
the latest OpenSCAP 1.3.3 on their RHEL 7 and RHEL 8 systems.
Therefore, we have added OpenSCAP 1.3.3 builds for RHEL 7 and RHEL 8
to our COPR account:
https://copr.fedorainfracloud.org/coprs/openscapmaint/openscap-latest/
Hi,
This is a very interesting issue that we haven't hit so far.
I checked on updated RHEL 7 machine which contains:
- openscap-1.2.17-9.el7.x86_64
- scap-security-guide-0.1.46-11.el7.noarch
The scap-security-guide-0.1.46-11.el7.noarch contains 2 RHEL 7 datastreams:
-
Hi Giacomo,
Using content-type = scap-security-guide in the kickstart means that
Anaconda addon uses SCAP content from the scap-security-guide RPM
package in the installation media.
The other options (datastream, archive, rpm) allow you to provide your
own SCAP content and use it instead. The
't work-around it,
> unless the remediation resolves it. If not, then I'll have to change
> the default boot target and fixed it after reboot.
>
> Thank you.
> Giacomo
>
>
> On Thu, 2020-05-28 at 10:31 +0200, Jan Cerny wrote:
> > Hi Giacomo,
> >
> > Let me r
Hi,
SCAP Workbench can use only files in XCCDF or DataStream format, but
not in OVAL format.
Use the files from https://www.redhat.com/security/data/metrics/ds/v2/ instead.
Regards
On Mon, Jun 8, 2020 at 6:59 PM MrWanny wrote:
>
> Dear Open-Scap
>
>
>
> I am trying out OpenScap Workbench UI
Hi,
Recently we have checked SCAP 1.3 specification [1] and SCAP 1.3
Validation Program Test Requirements [2]. We have also executed the
SCAP 1.3 Validation test suite [3]. The goal was to find out which
SCAP 1.3 features we miss in OpenSCAP and to find out what needs to be
done to satisfy [1]
Hi,
The libopenscap8 is a part of OpenSCAP and its sources are located on
https://github.com/OpenSCAP/openscap.
Regards
On Wed, Nov 4, 2020 at 2:05 PM Adam Horeth
wrote:
> Hey all, was just wondering if there's anywhere I can find the source for
> the library in the subject (libopenscap8), if
Hello all,
ComplianceAsCode/Content v0.1.68 is out.
Some of the highlights of this release are:
- Bump OL8 STIG version to V1R6 (#10497)
- Introduce a Product class, make the project work with it (#10529)
- Introduce Fedora and Firefox CaC profiles for common workstation
users (#10506)
- OL7
66 matches
Mail list logo