On 8/7/19 2:58 PM, Greg Silverman wrote:
Is there any way within oscap to record the time taken for each rule’s
evaluation to complete? We sometimes see it taking over an hour to
complete on RHEL7 and want to understand why.
Could try verbose mode. Not sure if timestamps are generated. Somet
On 6/25/19 11:36 AM, Boucher, William wrote:
I figured it out!
That's great! To help others down the road who may have a similar issue,
what was the fix?
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/li
On 6/18/19 3:45 PM, Trevor Vaughan wrote:
At some point, these should probably be changed to correlate with the
Vulnerability Severity Assessment Scale as outlined in the NIST 800-30
since it is well defined, a public standard at no cost, and 0-100
which lines up with most people's internal "g
On 6/7/19 5:02 AM, harshad wadkar wrote:
Respected Madam / Sir,
I am referring to the following URL to know about open-scap and Ubuntu
secure configuration.
https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html
I have one query :
1. At present, the severities a
Would need to understand where the content is coming from. Perhaps
scap-security-guide in RHEL, and if so, what RHEL and SSG version?
Note Red Hat doesn’t publish RHEL6 content in the National Checklist Program
since RHEL6 is out of active maintenance:
https://nvd.nist.gov/ncp/repository?author
Pulling the latest atomic scan shows the container image is still based
on RHEL 7.6 (vs 7.7) and contains very old scap-security-guide package.
When will it be rebased?
On 2/26/19 12:07 PM, Boucher, William wrote:
My only concern is that sometimes a government customer will mandate using some
flavor of RHEL 6, for whatever reason they may have. For example, we have a
government customer mandating we use 6.5 at the moment. And they are perfectly
happy to hav
On 2/18/19 9:04 AM, Todd Williams wrote:
I am trying to find out how to go about opening a ticket against
openSCAP, can anyone point me in the right direction?
Depends where you're consuming it.
If using a commercial linux distro, would suggest opening a ticket with
them directly. For Red
On 2/14/19 12:21 PM, Marek Haicman wrote:
Hello, according to the v2r2, the check is supposed to be:
```
# cat /etc/pam.d/system-auth | grep pam_pwquality
password required pam_pwquality.so retry=3
```
If the command does not return an uncommented line containing the
value "pam_pwquality.so", th
On 2/11/19 7:38 PM, Steve Grubb wrote:
On Thursday, February 7, 2019 1:23:58 PM EST Shawn Wells wrote:
So then, to rephrase the question, when will there be OVAL
tests/subjects/states/items for OpenShift, akin to how there are for
systemd and SELinux?
Those were created specifically to
On 2/8/19 2:34 PM, Greg Silverman wrote:
Let me ask in a different way.
DISA published xml files
with https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.zip.
The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2
Release 2
On 2/4/19 2:27 PM, William Munyan wrote:
Hey Shawn,
I’ll add to Steve’s point that if there is not current OVAL support
for the constructs you need, then the new OVAL
tests/objects/states/items would need to be created in either a new
OVAL schema or (more likely) as additions to the existin
On 2/6/19 1:11 PM, Greg Silverman wrote:
We want to use the DISA STIG for RHEL 7 V2R2 profile. The latest
scap-security-guide RPM has V1R4. How is a profile xml file consumed
by oscap?
Most use cases are covered in the RHEL documentation:
https://access.redhat.com/documentation/en-us/red_
On 2/4/19 6:08 PM, Steve Grubb wrote:
On Mon, 4 Feb 2019 11:06:00 -0500
Shawn Wells wrote:
When can OpenSCAP probes be expected for OpenShift?
Are you talking about new OVAL tests?
Probes so that OVAL tests could be created. Akin to the systemd probes
When can OpenSCAP probes be expected for OpenShift?
Need ability to parse configuration data that would be returned by "oc
get" style commands.
Thanks!
On 1/29/19 11:14 PM, Boucher, William wrote:
Hi folks,
I’ve been tasked with applying the RedHat 6 STIG to several RedHawk
6.5 systems.
Running oscap should be relatively easy, to see where a base install
sits initially (RedHawk is RedHat with modifications for embedded
realtime use).
T
On 11/27/18 6:23 PM, Boucher, William wrote:
Hi folks,
I am currently hardening an Ubuntu embedded system for delivery to a
customer.
I have downloaded the “Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1”
from DISA, and I have obtained a copy of the SCAP Compliance checker
tool “SCC 5.0.2
On 10/22/18 7:22 AM, Gaurav Kamathe wrote:
Hello All,
I am a QA who needs to test some functionality when STIG is enabled on
a server (RHEL) by the user.
However the software does not provide any way to disable STIG (factory
reset is the only option).
Is there a workaround for this? Can i di
On 10/10/18 5:01 AM, Jan Cerny wrote:
Hi,
OpenSCAP support for Windows hasn't been improved much since the
1.3.0_alpha1 releases. The only thing that we have done
recently is that we added Windows CPEs to the inbuilt CPE dictionary.
How far along is Windows support? Saw the mention of 'basic
On 10/9/18 7:38 AM, Jan Cerny wrote:
Hello OpenSCAPers,
We are thrilled to announce general availability of OpenSCAP 1.3.0 release.
This is the first release from maint-1.3 maintenance branch. API/ABI is not
compatible with 1.2.x releases. API/ABI is not compatible with 1.3.0_alpha
releases.
On 10/4/18 3:05 AM, Jan Cerny wrote:
Hi,
Unfortunately, the "tailoring" feature is broken in Anaconda Addon.
However, there is a workaround, suggested by Watson Yuuma Sato (adding him to
this conversation).
Let me copy-paste his idea:
There is a tool that can combine the tailoring to the d
On 9/5/18 6:20 AM, Dhanushka Parakrama wrote:
Hi Team
I wanted to remove the few service checks from the profile
xccdf_org.ssgproject.content_profile_anssi_np_nt28_high (e.g. Ensure
/tmp Located On Separate Partition,
xccdf_org.ssgproject.content_rule_partition_for_tmp) and build new
*
On 8/22/18 2:01 PM, Marek Haicman wrote:
On 08/22/2018 07:37 PM, Dhanushka Parakrama wrote:
Hi Team
I'm new to OpenSCAP.
I am able to scan my Red Hat and CentOS machines with OpenSCAP for
compliance.
oscap xccdf eval --profile "usgcb-rhel6-server" --report
/tmp/report.html /usr/share/xml
On 6/3/18 11:59 PM, Robert Sanders wrote:
Marek,
Thank you for your reply. While I understand how it can be difficult to
compare between versions, I've found it very useful to do so. I've written a
very rough hack (as in, one step better than a stone axe) that will compare
multiple pro
On 5/14/18 7:26 PM, Geoffry Roberts wrote:
A few weeks ago I saw a thread or two where some were seeking a means
of analyzing large volumes of SCAP result sets.
I'd like to ask the community as to what extent this represents a
problem?
People I know who are using SCAP are scanning on a sma
On 4/27/18 1:18 AM, Mohanraj, Bharath wrote:
Thanks Shawn for the clarification…
One last thing I want to mention here is… some of the RHEL boxes in my
environment are locked down from internet... so they will not have
access to the repository to fetch oscap binaries, and that’s the
reason
On 4/26/18 7:00 PM, Christopher Wiedmaier wrote:
How can I be removed from this list? I have completed the unsubscribe
steps multiple times but I still end up receiving e-mails.
https://www.redhat.com/mailman/listinfo/open-scap-list
Under the "openscap-list subscribers" section (last sectio
On 4/26/18 1:09 PM, Mohanraj, Bharath wrote:
I tried to download only the oscap rpms by using the below command,
yum install --downloadonly --downloaddir=/opt/oscaprpm openscap-scanner
And once the above command is triggered, it downloaded the below bunch
of RPMs…
My intention h
On 4/24/18 1:12 PM, Mohanraj, Bharath wrote:
>
> Thanks for the info…
>
> The first thing I want to avoid is my enduser machines hitting the
> internet for downloading packages… So, I prefer having them as RPM
> files locally and trigger installation of the same… But, in case the
> RPM installat
On 2/28/18 9:24 AM, Geoffry Roberts wrote:
> All,
>
> I tried my first remote scan and don't understand the result.
>
> I ran the following, which is almost a cut and paste from the manual:
>
> oscap-ssh root@ xccdf eval --profile MAC-3_Sensitive --report
> report.html
> /U_Canonical_Ubuntu_V1R1_
On 2/5/18 2:10 PM, r hartikainen wrote:
> Hello everyone
>
> I am trying to find an answer to how OpenSCAP should be used when there is a need to
> run different minor versions of operating system, in my case it's about RHEL
> 7.2 and the very latest 7.x.
> I have piece of software that requires me to s
On 2/1/18 1:21 PM, Luke Salsich wrote:
> Thanks for the comments guys. It helps me understand where things are
> and where they might be going.
>
> For me, I would write a (initial) user story much along the lines of:
>
> "I would like to be able to parse oscap results into a MySQL database
> so
On 1/31/18 10:22 PM, Luke Salsich wrote:
> Hey all,
>
> I've been using OpenSCAP for a while on our servers and really
> appreciate what it does.
>
> I've been looking around for a way to store scan results and then
> query them and I can't seem to locate any plugins or apps which do
> this othe
Seems restored now (approx 11am US EST).
> On Jan 20, 2018, at 5:21 AM, Šimon Lukašík wrote:
>
>
> Can you guys please take a look?
>
> ~š.
>
On 1/8/18 4:19 PM, Lee Wilson wrote:
>
>
> Hi Watson,
>
>
> Thanks for your detailed reply and apologies for my delay in
> responding. Went off to look for something else that may do the job.
>
>
> The link that Eric has provided was initially what got me thinking
> about using OpenSCAP to do th
On 12/1/17 9:34 PM, Beth Lynn Eicher wrote:
>
> Greetings,
>
> I am excited to be involved in the OpenSCAP community as a security
> specialist. My research as a hopeful grant recipient of the Department
> of Energy Small Business Innovation Research program drives me to
> contribute to OpenSCAP.
On 11/9/17 1:09 PM, Chuck Atkins wrote:
> I'm using the compiled datastream SCAP content for Red Hat security
> advisories
> (https://www.redhat.com/security/data/metrics/ds/com.redhat.rhsa-RHEL7.ds.xml).
>
> From what I can tell, most of the checks are testing if a package
> version indicates
On 9/21/17 8:44 AM, DD Donny Lie wrote:
> Hello,
> I have a CentOS 7 with installed openscap-scanner
> and I use scap-workbench from my laptop with VM RHEL 7, trying to
> remote scan the CentOS 7,
>
> It succeeds at login via SSH but Diagnostics says:
> *error
> *
> *Failed to locate oscap on rem
On 9/6/17 9:58 AM, Wesley Ceraso Prudencio wrote:
> Thanks Shawn, I didn't notice the extension from common profile.
Of course.
It's incredibly hard to keep tabs on what 3rd parties are putting into
their baselines so while our rule counts may be close, there's
little assurance that mapping
On 9/5/17 4:38 AM, Wesley Ceraso Prudencio wrote:
> I'm not an expert, but if I got it right, we currently cover approximately
> 85% of STIG rules for RHEL7 and 23% for RHEL6.
Something seems off
In RHEL6, the STIG profile extends the common profile:
> $ head -1 stig-rhel6-server-upstream.
On 8/29/17 8:17 PM, Christopher wrote:
> Hi,
>
> How do you use one of Ubuntu profiles in the scap-security-guide directory to
> scan a remote system?
>
> When I launch the SCAP Workbench the only default guides listed in the SCAP
> Security Guide GUI are: CentOS6, CentOS7, Firefox and JRE.
On 7/19/17 1:39 PM, Jordan Caraballo wrote:
>
> Hi Shawn,
>
> Thanks for your reply! I will start digging into them to see if I can
> start developing some patches.
>
> I apologize if these are naive questions:
>
> - CIS has some pdf benchmark files for FreeBSD. Is this a good start
> for recreat
On 7/19/17 12:41 PM, Jordan Caraballo wrote:
>
> Hi guys,
>
> Are there any future or ongoing plans to support Solaris and FreeBSD
> operating systems?
>
> Both to run OpenSCAP and to have compliance files from the
> SCAP-Security-Guide.
>
There were 1-2 people from Oracle interested in porting O
On 7/18/17 2:28 PM, Martin Preisler wrote:
> On Tue, Jul 18, 2017 at 1:34 PM, Shawn Wells wrote:
>>
>> On 7/18/17 1:09 PM, Martin Preisler wrote:
>>
>> On Mon, Jul 17, 2017 at 6:44 PM, Smith, Cathy wrote:
>>
>> Folks
>>
>> I’m trying to b
On 7/18/17 1:09 PM, Martin Preisler wrote:
> On Mon, Jul 17, 2017 at 6:44 PM, Smith, Cathy wrote:
>> Folks
>>
>> I’m trying to build a customized profile for RHEL7. I’m not sure about the
>> list of profile names offered through the oscap command and the list shown
>> in the SCAP Workbench. F
On 7/17/17 2:59 PM, Martin Preisler wrote:
> Hi,
> I have gathered all the logos and other graphics and put them into a
> GitHub repository to make sure they don't get lost. Most of these (if
> not all) have been created by Lenka Horakova.
>
> https://github.com/OpenSCAP/promo
>
> If you have any
On 6/13/17 9:42 AM, leam hall wrote:
> Hey Mike, sorry if I'm dense. I looked at the URL and it seems to be
> the initial welcome page. Messages go back as far as 2009, how do I
> search what has already been answered?
google for "centos site:https://www.redhat.com/archives/open-scap-list/";
sa
On 4/19/17 2:20 PM, Greg Silverman (CS) wrote:
>
> The generated scripts use this idiom
>
>
>
> sed_command="sed -i …"
>
>
>
> where the ellipsis is replaced by a follow symlink option if the file
> being edited is a symbolic link. There are some errors when running
> the generated remediation s
On 4/19/17 4:17 AM, Jan Cerny wrote:
> Hi,
>
> Some of the rules in SCAP Security guide can be parametrized using "XCCDF
> Value".
> Those values can be set in SCAP Workbench. However that's not the case of this
> particular rule, the value is hard-coded in regular expressions across the
> file.
On 4/12/17 7:08 PM, Matthew wrote:
> Curious, what's the best way to use openscap, and be able to get
> results for stigviewer?
IIRC, stigviewer can consume OVAL results. Something like:
oscap xccdf eval --profile stig --report human-readable.html --results
stigviewer-readable.xml ssg-rhel7-ds.
On 4/12/17 1:15 PM, Greg Silverman (CS) wrote:
>
> Many of the generated fixes uses this idiom
>
> IFS=$'\n' …
>
> unset $IFS
>
> IFS is a variable, but, $IFS is a character string, so, unsetting it
> does not restore IFS to its default value. What am I missing?
>
Those lines are from the audit
On 4/6/17 11:10 AM, Przemek Klosowski wrote:
>
> On a fresh-out-of-the-box+updated RHEL7 (with
> openscap-scanner-1.2.10-3.el7_3.x86_64)
>
> oscap xccdf eval --profile
> xccdf_org.ssgproject.content_profile_common --report
> /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-d
On 4/5/17 2:54 PM, Greg Hennessy wrote:
> Bummer
>
> On Wed, Apr 5, 2017 at 1:53 PM, Shawn Wells <sh...@redhat.com> wrote:
>
>
>
> On 4/5/17 1:43 PM, Greg Hennessy wrote:
>> I am exploring the use of open-scap to verify my machines meet
On 4/5/17 1:43 PM, Greg Hennessy wrote:
> I am exploring the use of open-scap to verify my machines meet
> the DISA stigs. If I run oscap against the
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml file things seem to work
> as expected. If I run oscap against the file from iase.disa.mil
> <
nt to get these resolved before uploading to NIST and before
this release makes it into downstream releases (e.g. RHEL 7.4 rebase).
What's the best way to start working these bugs? Is there a deadline for
when these bugs must be resolved for inclusion downstream?
On 3/30/17 9:07 AM, Shawn W
Thank you! Looking forward to downloading the data stream and testing it. I can
start the process to get the new release posted to NIST.
Shawn Wells
> On Mar 30, 2017, at 8:22 AM, Watson Yuuma Sato wrote:
>
> Hello folks,
>
> We have the pleasure to announce that SCAP Securit
J9Q&m=VwBwnTVJ6mbd1LCcB1mmKlR4TDm7H5rmbFpbSTdl8o8&s=DKeXAv2csKLxOp4wSQI6DAH1VtLlOc0plYIVpTPuVVs&e=>"
> xml:lang="en-US" override="true">This is a *draft* profile for PCI-DSS
> v3
>
> selected="false"/>
>
>
On 1/27/17 2:53 AM, Sona Sarmadi wrote:
>
> Thanks for your quick reply Shawn.
>
> I am trying to figure out how OVAL definitions work.
>
> For example if I want to detect unpatched CVEs in my RedHat Linux 6, I
> should use OVAL definition below:
>
> https://www.redhat.com/security/data/oval/Re
On 1/25/17 9:55 AM, Jan Cerny wrote:
> Hi,
>
> It might be a bug, but also there can be another reason why this rule failed.
>
> First thing that I would try is to add "--oval-results" to your command
> and run the scan again. This option adds more details into the HTML report,
> which hopefully
On 1/23/17 11:29 AM, Shawn Wells wrote:
>
>
> On 1/17/17 11:54 AM, Watson Yuuma Sato wrote:
>>
>> I noticed your screenshot doesn't show the count of selected rules
>> for each profile.
>>
>> And the concatenated profile title is something t
On 1/17/17 11:54 AM, Watson Yuuma Sato wrote:
>
> I noticed your screenshot doesn't show the count of selected rules for
> each profile.
>
> And the concatenated profile title is something that was fixed recently.
> If you edited the customization file, at least once after creating it,
> the wron
On 1/13/17 12:00 PM, Watson Yuuma Sato wrote:
>
> Hi,
>
> A new release of SCAP Workbench is out!
>
> This release brings a lot of bug fixes and improvements, including
> a lot of UX improvements and fixes for inappropriate error messages
> (fetch remote resources and query capabilities).
>
> Kee
On 11/29/16 1:36 PM, Martin Preisler wrote:
> - Original Message -
>> From: "Shawn Wells"
>> To: "Watson Yuuma Sato" ,
>> scap-security-gu...@lists.fedorahosted.org
>> Cc: open-scap-list@redhat.com
>> Sent: Tuesday, November 29, 2016
On 11/29/16 10:49 AM, Watson Yuuma Sato wrote:
> Hi folks,
>
> We have the pleasure to announce that SCAP Security Guide release
> 0.1.31
> has been created.
>
> Highlights of this release:
> * New Wind River Linux profiles,
> * Various STIG profile enhancements,
> * Ubuntu Xenial product has
On 11/21/16 8:24 AM, Jan Cerny wrote:
> Hi Shawn,
>
> In first case you have a mistake, you are using OVAL content instead of XCCDF
> in oscap xccdf eval.
>
> In second case there is a known bug.
> https://bugzilla.redhat.com/show_bug.cgi?id=1387248
> https://github.com/OpenSCAP/openscap/issues/
Attempting to use oscap-docker on RHEL7 host, scanning RHEL7 containers.
I can use the OVAL scanner but not XCCDF eval. Is this a known issue?
e.g.
> # oscap-docker container rhel7.0 oval eval \
> --results oval-results.xml \
> --report report.html\
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ova
On 9/27/16 4:07 AM, Jan Cerny wrote:
> Hello David,
>
> - Original Message -
>> From: "david oliva"
>> To: Open-scap-list@redhat.com
>> Sent: Tuesday, September 27, 2016 3:09:35 AM
>> Subject: [Open-scap] Really nice tool
>>
>>
>>
>> Dear Red Hat /OpenSCAP team:
>>
>>
>>
>>
>> Today 26 S
On 8/2/16 2:51 PM, Martin Preisler wrote:
- Original Message -
>From: "Jan Lieskovsky"
>To: "Martin Preisler"
>Cc: "SCAP Security Guide",
"open-scap-list"
>Sent: Monday, August 1, 2016 12:38:01 PM
>Subject: Re: Latest OpenSCAP changes to speed up SSG builds
>
>
>Hello Martin,
>
>[snip
Was compiling OpenSCAP per directions:
http://static.open-scap.org/openscap-1.0/oscap_user_manual.html#devs
When running ./configure, receive following error:
checking for atomic builtins... yes
configure: error: in `/home/ec2-user/openscap':
configure: error: oscap-docker requires bzip2! Either
On 7/19/16 11:31 AM, Martin Preisler wrote:
- Original Message -
>From: "Jan Cerny"
>To:open-scap-list@redhat.com
>Sent: Tuesday, July 19, 2016 9:19:04 AM
>Subject: [Open-scap] New COPR repository for OpenSCAP
>
>Hi all,
>
>We have created a new COPR repository that provides unofficial
On 7/1/16 3:38 AM, Jan Cerny wrote:
Regarding your second question, OpenSCAP >= 1.2.2 can display OVAL results
in the HTML report if you run it with "--oval-results", eg.:
# oscap xccdf eval --results results.xml --oval-results --report report.html
my_benchmark.xml
The HTML report will look
at to compile that into proper SCAP 1.2
compliant file and run it.
- Auto completion of OVAL definitions (ind:filepath, testcheck...)
--
Shawn Wells
Chief Security Strategist
U.S. Public Sector
sh...@redhat.com | 443.534.0130
On 5/9/16 8:07 PM, david.ol...@verizon.net wrote:
Fellow Open-Scappers:
I just got my Open-SCAP tool to work on CentOS 7 and works great. In
looking at the output, I noticed
that a significant number of CCEs do not have a numeric value to them,
but appear to be left open.
Who gets to ente
On 4/14/16 4:07 AM, Jan Cerny wrote:
Hi Zbyněk,
- Original Message -
>From: "Zbynek Moravec"
>To:open-scap-list@redhat.com
>Sent: Wednesday, April 13, 2016 11:47:51 PM
>Subject: [Open-scap] Offline scanning - SCE, probes
>
>Hi
>
>We plan to implement offline scan support for SCE scri
'xccdf generate guide' currently creates HTML with a table of contents
depth of two. Could we either:
a) Increase the default table of contents depth? For SSG, a depth of 3
or 4 seems good. Ref code:
https://github.com/OpenSCAP/openscap/blob/maint-1.2/xsl/xccdf-guide-impl.xsl#L468
b) Create C
On 3/8/16 10:58 AM, Joseph Spenner wrote:
Hello, I am testing after installing with the following instructions:
https://www.open-scap.org/resources/documentation/perform-vulnerability-scan-of-rhel-6-machine/
I downloaded CentOS 6.0 to use for a test, thinking there should be
plenty of vulnera
On 2/17/16 2:06 PM, Jan Lieskovsky wrote:
Hello Mike,
thank you for contacting us.
- Original Message -
>From: "Mike Kuhnkey"
>To:Open-scap-list@redhat.com
>Sent: Monday, February 15, 2016 1:29:47 AM
>Subject: [Open-scap] Suspect Error in ssg_rhel6-ds.xml: Incorrect reference to