Re: [Open-scap] Ubuntu Security Guide content
Hi Bill, I installed by using apt-get and I did not compile the code. And it did not put the /usr/share/openscap/cpe/openscap-cpe-dict.xml and openscap-cpe-oval.xml files at all. That's why I was looking for them with Ububtu 18 in it. I just looked at the dict and oval file sin the link Jan sent and they don't have any references to Ububtu like you mentioned. while waiting on this to get worked out I have installed/setup a RHEL 7.6 server. It has these files and worked without any issues pretty much as soon as I got it installed. The Ubuntu software is much more difficult to get operational. How would I go about getting those version 8 dict and oval files to test with? Thanks, Todd M. Williams Unix System Admin, devIT-US, AIX/Linux/CC/CQ/SPoRT/DB2 Phone: 772-257-5706 | Mobile: 772-925-2042 E-Mail: tod...@us.ibm.com devIT From: "Boucher, William" To: Jan Cerny , Todd Williams , "gapin...@nasa.gov" Cc: Open-scap-list Date: 02/04/2019 11:16 AM Subject:RE: Ubuntu Security Guide content Hi Todd and Jan, Please excuse me, I do not intend to hijack Jan's thread but I believe the following may be related enough to be helpful. These OpenSCAP CPE files exist on my system at /usr/local/share/openscap/cpe/, after compiling openscap from source on my machine. But neither they nor the versions available via the links provided below have any references to Ubuntu in them. Browsing through the files I see, for example, sections in the xml files for various flavors of rhel, opensuse, fedora, etc. but Ubuntu is not there. Compiling the ssg from source (at /usr/local/src/ComplianceAsCode/content/) does put Ubuntu-specific cpe files {ssg-ubuntu1604-cpe-dictionary.xml, ssg-ubuntu1604-cpe-oval.xml, ssg-ubuntu1804-cpe-dictionary.xml, ssg-ubuntu1804-cpe-oval.xml} in /usr/local/share/xml/scap/ssg/content, as well as similarly named ds, ocil, oval and xccdf files. Running scap using these files, however, with the command: sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report ./report-ds.html –results ./results-ds.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml results in 15 rules passed, 6 inconclusive (unknown) and 24 notapplicable. The notapplicable rules (ignored by oscap) seem to refer to the STIG controls I would consider the most applicable for evaluation. Since my install is Ubuntu 16.04.5, not Ubuntu 18, I would be interested to see the results Todd Williams would get running this on his install. In an earlier thread (Benchmark for Canonical Ubuntu 16.04 LTS), Gary did get similar results with Ubuntu 18 and stated "Determining why rules end up notapplicable, or seem to be skipped during evaluation, will require additional inspection, as will evaluating the veracity of the passes and fails". Is anybody looking at this on the development side (determining why rules end up nonapplicable)? Thanks, --Bill William B. Boucher, BSEE Embedded Systems Software Engineer Information Systems Security Manager MZA Associates Corporation 4900 Lang Ave. NE, Suite 100 Albuquerque, NM 87109-9708 Phone: 505.245.9970 x166 Fax: 505.245.9971 Cell: 505.459.7620 william.bouc...@mza.com -Original Message- From: open-scap-list-boun...@redhat.com [ mailto:open-scap-list-boun...@redhat.com] On Behalf Of Jan Cerny Sent: Monday, February 4, 2019 2:01 AM To: Todd Williams Cc: Open-scap-list Subject: Re: [Open-scap] Ubuntu Security Guide content Hi, You're correct it's missing CPE dictionary and CPE OVAL. The files are located here: https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_OpenSCAP_openscap_blob_maint-2D1.2_cpe_openscap-2Dcpe-2Ddict.xml&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4BwPnN3sPgNQjvaJ-rrOQD9wYgWK1vlNlqk921f9rTw&m=Z4sUeu_Kart8jB_BGe4QPt9ZzTZn4Z1PozLnRay3Xks&s=aAJgbbf7PAvRcqrA86m4_hgOHHkU4eTvZP_I81Moyxg&e= https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_OpenSCAP_openscap_blob_maint-2D1.2_cpe_openscap-2Dcpe-2Doval.xml&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4BwPnN3sPgNQjvaJ-rrOQD9wYgWK1vlNlqk921f9rTw&m=Z4sUeu_Kart8jB_BGe4QPt9ZzTZn4Z1PozLnRay3Xks&s=2-w6ssekSlLXgLmtwY5eJU5-NWTpAi__T0fsp5e4iwk&e= They're list of platform definitions based on which the platform applicability of SCAP content is determined. Op
Re: [Open-scap] Ubuntu Security Guide content
Hi Todd and Jan, Please excuse me, I do not intend to hijack Jan's thread but I believe the following may be related enough to be helpful. These OpenSCAP CPE files exist on my system at /usr/local/share/openscap/cpe/, after compiling openscap from source on my machine. But neither they nor the versions available via the links provided below have any references to Ubuntu in them. Browsing through the files I see, for example, sections in the xml files for various flavors of rhel, opensuse, fedora, etc. but Ubuntu is not there. Compiling the ssg from source (at /usr/local/src/ComplianceAsCode/content/) does put Ubuntu-specific cpe files {ssg-ubuntu1604-cpe-dictionary.xml, ssg-ubuntu1604-cpe-oval.xml, ssg-ubuntu1804-cpe-dictionary.xml, ssg-ubuntu1804-cpe-oval.xml} in /usr/local/share/xml/scap/ssg/content, as well as similarly named ds, ocil, oval and xccdf files. Running scap using these files, however, with the command: sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report ./report-ds.html –results ./results-ds.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml results in 15 rules passed, 6 inconclusive (unknown) and 24 notapplicable. The notapplicable rules (ignored by oscap) seem to refer to the STIG controls I would consider the most applicable for evaluation. Since my install is Ubuntu 16.04.5, not Ubuntu 18, I would be interested to see the results Todd Williams would get running this on his install. In an earlier thread (Benchmark for Canonical Ubuntu 16.04 LTS), Gary did get similar results with Ubuntu 18 and stated "Determining why rules end up notapplicable, or seem to be skipped during evaluation, will require additional inspection, as will evaluating the veracity of the passes and fails". Is anybody looking at this on the development side (determining why rules end up nonapplicable)? Thanks, --Bill William B. Boucher, BSEE Embedded Systems Software Engineer Information Systems Security Manager MZA Associates Corporation 4900 Lang Ave. NE, Suite 100 Albuquerque, NM 87109-9708 Phone: 505.245.9970 x166 Fax: 505.245.9971 Cell: 505.459.7620 william.bouc...@mza.com -Original Message- From: open-scap-list-boun...@redhat.com [mailto:open-scap-list-boun...@redhat.com] On Behalf Of Jan Cerny Sent: Monday, February 4, 2019 2:01 AM To: Todd Williams Cc: Open-scap-list Subject: Re: [Open-scap] Ubuntu Security Guide content Hi, You're correct it's missing CPE dictionary and CPE OVAL. The files are located here: https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-dict.xml https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-oval.xml They're list of platform definitions based on which the platform applicability of SCAP content is determined. OpenSCAP expect them to be present in '/usr/share/openscap/cpe/' I'm not an Ubuntu user, so I'm only guessing, but I think that downloading these files and saving them to '/usr/share/openscap/cpe/' should help. This is probably a bug in Ubuntu packaging, because it seems Ubuntu doesn't ship these files in its packages, but they are required by OpenSCAP to work correctly. You can try to file a bug report on Ubuntu. Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Todd Williams" > To: "Jan Cerny" > Sent: Friday, February 1, 2019 4:35:50 PM > Subject: Re: [Open-scap] Ubuntu Security Guide content > > > Hi Jan, > > So I was able to use ssg-ubuntu1804-ds.xml in scap-workbench on Ubuntu > 18.4, and I got this error when I ran the scan > > > 14:27:38 > info > SCAP Workbench 1.1.5, compiled with Qt 4.8.7, using OpenSCAP 1.2.15 > > > 14:28:16 > info > Opened file '/root/scap-security-guide-0.1.42/ssg-ubuntu1804-ds.xml'. > > > 14:28:25 > info > Querying capabilities... > > > 14:28:25 > info > Creating temporary files... > > > 14:28:25 > info > Starting the oscap process... > > > 14:28:25 > info > Processing... > > > 14:28:30 > error > The 'oscap' process has written the following content to stderr: > OpenSCAP > Error: Unable to open file: > '/usr/share/openscap/cpe/openscap-cpe-dict.xml' > [../../../src/source/oscap_source.c:284] > > > > 14:28:30 > error > The 'oscap' process has written the following content to stderr: > Failed to add default CPE to newly created CPE Session. > [../../../src/CPE/cpe_session.c:58] > > > 14:28:30 > info > The oscap tool has finished. Reading results... > > > 14:28:30 > info > Processing has been finished! > > > 14:28:58 > info > Querying capabilities... > > > 14:28:58 > info > Creating tempo
Re: [Open-scap] Ubuntu Security Guide content
Hi, You're correct it's missing CPE dictionary and CPE OVAL. The files are located here: https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-dict.xml https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-oval.xml They're list of platform definitions based on which the platform applicability of SCAP content is determined. OpenSCAP expect them to be present in '/usr/share/openscap/cpe/' I'm not an Ubuntu user, so I'm only guessing, but I think that downloading these files and saving them to '/usr/share/openscap/cpe/' should help. This is probably a bug in Ubuntu packaging, because it seems Ubuntu doesn't ship these files in its packages, but they are required by OpenSCAP to work correctly. You can try to file a bug report on Ubuntu. Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Todd Williams" > To: "Jan Cerny" > Sent: Friday, February 1, 2019 4:35:50 PM > Subject: Re: [Open-scap] Ubuntu Security Guide content > > > Hi Jan, > > So I was able to use ssg-ubuntu1804-ds.xml in scap-workbench on Ubuntu > 18.4, and I got this error when I ran the scan > > > 14:27:38 > info > SCAP Workbench 1.1.5, compiled with Qt 4.8.7, using OpenSCAP 1.2.15 > > > 14:28:16 > info > Opened file '/root/scap-security-guide-0.1.42/ssg-ubuntu1804-ds.xml'. > > > 14:28:25 > info > Querying capabilities... > > > 14:28:25 > info > Creating temporary files... > > > 14:28:25 > info > Starting the oscap process... > > > 14:28:25 > info > Processing... > > > 14:28:30 > error > The 'oscap' process has written the following content to stderr: OpenSCAP > Error: Unable to open file: > '/usr/share/openscap/cpe/openscap-cpe-dict.xml' > [../../../src/source/oscap_source.c:284] > > > > 14:28:30 > error > The 'oscap' process has written the following content to stderr: Failed to > add default CPE to newly created CPE Session. > [../../../src/CPE/cpe_session.c:58] > > > 14:28:30 > info > The oscap tool has finished. Reading results... > > > 14:28:30 > info > Processing has been finished! > > > 14:28:58 > info > Querying capabilities... > > > 14:28:58 > info > Creating temporary files... > > > 14:28:58 > info > Starting the oscap process... > > > 14:28:58 > info > Processing... > > > 14:29:00 > error > The 'oscap' process has written the following content to stderr: OpenSCAP > Error: Unable to open file: > '/usr/share/openscap/cpe/openscap-cpe-dict.xml' > [../../../src/source/oscap_source.c:284] > > > > 14:29:00 > error > The 'oscap' process has written the following content to stderr: Failed to > add default CPE to newly created CPE Session. > [../../../src/CPE/cpe_session.c:58] > > > 14:29:00 > info > The oscap tool has finished. Reading results... > > > 14:29:00 > info > Processing has been finished! > > > So I went to /usr/share/openscap/cpe and the only file there is the README, > so I read it and it pointed me to https://nvd.nist.gov/Products/CPE. I > found these files there: > official-cpe-dictionary_v2.3.xml.gz > official-cpe-dictionary_v2.2.xml.gz > Can I rename and use 1 of these? > > I have it setup and running on RHEL 7.6 and when I look at that dir on that > system it has 2 files, can I use them? > openscap-cpe-dict.xml > openscap-cpe-oval.xml > > > BTW, the setup for RHEL goes much smoother than Ubuntu.. > > > > > Thanks, > Todd M. Williams >Unix System Admin, devIT-US, >AIX/Linux/CC/CQ/SPoRT/DB2 >Phone: 772-257-5706 | Mobile: 772-925-2042 >E-Mail: tod...@us.ibm.com >devIT > > > > > > > > From: Jan Cerny > To: Todd Williams > Cc: open-scap-list@redhat.com > Date: 01/31/2019 03:57 AM > Subject: Re: [Open-scap] Ubuntu Security Guide content > > > > Hi Todd, > > The security content is provided by "ComplianceAsCode" project, which was > up until recently known as "SCAP Security Guide" or "SSG". > See > https://urldefen
Re: [Open-scap] Ubuntu Security Guide content
Hi Todd, The security content is provided by "ComplianceAsCode" project, which was up until recently known as "SCAP Security Guide" or "SSG". See https://github.com/ComplianceAsCode/content The security content is packaged in Ubuntu since Ubuntu 18.04 (Bionic Beaver). The packages are: ssg-base, ssg-debderived, ssg-debian, ssg-nondebian, ssg-applications. However, the packages contain outdated versions of upstream content, and AFAIK the content in the packages is applicable to Ubuntu 16.04 an 14.04. That is kind of useless on 18.04 :) Therefore, I suggest downloading the latest upstream release from GitHub: https://github.com/ComplianceAsCode/content/releases/download/v0.1.42/scap-security-guide-0.1.42.zip Extract the archive and then open ssg-ubuntu1804-ds.xml in SCAP Workbench. Thank you very much for reminding us about the outdated web site. I will try to update the web soon. Best Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Todd Williams" > To: open-scap-list@redhat.com > Sent: Wednesday, January 30, 2019 6:58:40 PM > Subject: [Open-scap] Ubuntu Security Guide content > > > > Hello, > > I am new to SCAP and have been tasked with setting it up on a Ubuntu test > system. It is running Ubuntu 18.04.1 LTS. I have these 2 packages installed: > > libopenscap8/bionic,now 1.2.15-1build1 amd64 [installed] > scap-workbench/bionic,now 1.1.5-1 amd64 [installed] > > I can bring up the GUI for the workbench, but with no security content I am > stuck as far as being able to run a scan and/or editing the security > requirements. According to the web site there is no security guide for > Ubuntu. > > > > But I have been told that there is a package for Ubuntu out there, "apt-get > list" did not return anything, can someone tell if there is or not? > > > > Thanks, > Todd M. Williams > Unix System Admin, devIT-US, AIX/Linux/CC/CQ/SPoRT/DB2 > Phone: 772-257-5706 | Mobile: 772-925-2042 > E-Mail: tod...@us.ibm.com > devIT > > > ___ > Open-scap-list mailing list > Open-scap-list@redhat.com > https://www.redhat.com/mailman/listinfo/open-scap-list ___ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list