Re: [Open-scap] Ubuntu Security Guide content

2019-02-04 Thread Todd Williams
Hi Bill,

I installed by using apt-get and I did not compile the code.  And it did
not put the /usr/share/openscap/cpe/openscap-cpe-dict.xml and
openscap-cpe-oval.xml files at all.   That's why I was looking for them
with Ubuntu 18 in it.  I just looked at the dict and oval files in the link
Jan sent and they don't have any references to Ubuntu like you mentioned.
While waiting on this to get worked out I have installed/setup a RHEL 7.6
server.  It has these files and worked without any issues pretty much as
soon as I got it installed.  The Ubuntu software is much more difficult to
get operational.   How would I go about getting those version 8 dict and
oval files to test with?

Thanks,
Todd M. Williams
Unix System Admin, devIT-US,
AIX/Linux/CC/CQ/SPoRT/DB2
Phone: 772-257-5706 | Mobile: 772-925-2042
E-Mail: tod...@us.ibm.com
devIT

From: "Boucher, William"
To: Jan Cerny, Todd Williams, "gapin...@nasa.gov"
Cc: Open-scap-list
Date: 02/04/2019 11:16 AM
Subject: RE: Ubuntu Security Guide content

Hi Todd and Jan,

Please excuse me, I do not intend to hijack Jan's thread but I believe the
following may be related enough to be helpful.

These OpenSCAP CPE files exist on my system
at /usr/local/share/openscap/cpe/, after compiling openscap from source on
my machine. But neither they nor the versions available via the links
provided below have any references to Ubuntu in them. Browsing through the
files I see, for example, sections in the xml files for various flavors of
rhel, opensuse, fedora, etc. but Ubuntu is not there.

Compiling the ssg from source (at /usr/local/src/ComplianceAsCode/content/)
does put Ubuntu-specific cpe files {ssg-ubuntu1604-cpe-dictionary.xml,
ssg-ubuntu1604-cpe-oval.xml, ssg-ubuntu1804-cpe-dictionary.xml,
ssg-ubuntu1804-cpe-oval.xml} in /usr/local/share/xml/scap/ssg/content, as
well as similarly named ds, ocil, oval and xccdf files.

Running scap using these files, however, with the command:

sudo oscap xccdf eval --profile standard --results-arf ./results-arf.xml \
    --report ./report-ds.html --results ./results-ds.xml \
    /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml


results in 15 rules passed, 6 inconclusive (unknown) and 24 notapplicable.
The notapplicable rules (ignored by oscap) seem to refer to the STIG
controls I would consider the most applicable for evaluation.

Since my install is Ubuntu 16.04.5, not Ubuntu 18, I would be interested to
see the results Todd Williams would get running this on his install. In an
earlier thread (Benchmark for Canonical Ubuntu 16.04 LTS), Gary did get
similar results with Ubuntu 18 and stated "Determining why rules end up
notapplicable, or seem to be skipped during evaluation, will require
additional inspection, as will evaluating the veracity of the passes and
fails".

Is anybody looking at this on the development side (determining why rules
end up nonapplicable)?

Thanks,

 --Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com



Re: [Open-scap] Ubuntu Security Guide content

2019-02-04 Thread Boucher, William
Hi Todd and Jan,

Please excuse me, I do not intend to hijack Jan's thread but I believe the 
following may be related enough to be helpful.

These OpenSCAP CPE files exist on my system at /usr/local/share/openscap/cpe/, 
after compiling openscap from source on my machine. But neither they nor the 
versions available via the links provided below have any references to Ubuntu 
in them. Browsing through the files I see, for example, sections in the xml 
files for various flavors of rhel, opensuse, fedora, etc. but Ubuntu is not 
there.

Compiling the ssg from source (at /usr/local/src/ComplianceAsCode/content/) 
does put Ubuntu-specific cpe files {ssg-ubuntu1604-cpe-dictionary.xml, 
ssg-ubuntu1604-cpe-oval.xml, ssg-ubuntu1804-cpe-dictionary.xml, 
ssg-ubuntu1804-cpe-oval.xml} in /usr/local/share/xml/scap/ssg/content, as well 
as similarly named ds, ocil, oval and xccdf files.

Running scap using these files, however, with the command:

sudo oscap xccdf eval --profile standard --results-arf ./results-arf.xml \
    --report ./report-ds.html --results ./results-ds.xml \
    /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

results in 15 rules passed, 6 inconclusive (unknown) and 24 notapplicable. The 
notapplicable rules (ignored by oscap) seem to refer to the STIG controls I 
would consider the most applicable for evaluation.

Since my install is Ubuntu 16.04.5, not Ubuntu 18, I would be interested to see 
the results Todd Williams would get running this on his install. In an earlier 
thread (Benchmark for Canonical Ubuntu 16.04 LTS), Gary did get similar results 
with Ubuntu 18 and stated "Determining why rules end up notapplicable, or seem 
to be skipped during evaluation, will require additional inspection, as will 
evaluating the veracity of the passes and fails".

Is anybody looking at this on the development side (determining why rules end 
up nonapplicable)?

Thanks,

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer 
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com


-Original Message-
From: open-scap-list-boun...@redhat.com 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of Jan Cerny
Sent: Monday, February 4, 2019 2:01 AM
To: Todd Williams 
Cc: Open-scap-list 
Subject: Re: [Open-scap] Ubuntu Security Guide content

Hi,

You're correct it's missing CPE dictionary and CPE OVAL. 
The files are located here:
https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-dict.xml
https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-oval.xml
They're a list of platform definitions based on which the platform applicability
of SCAP content is determined.
OpenSCAP expects them to be present in '/usr/share/openscap/cpe/'

I'm not an Ubuntu user, so I'm only guessing, but I think that downloading 
these files and saving them to '/usr/share/openscap/cpe/' should help.

This is probably a bug in Ubuntu packaging, because it seems Ubuntu doesn't 
ship these files in its packages, but they are required by OpenSCAP to work 
correctly. You can try to file a bug report on Ubuntu.

Regards

Jan Černý
Security Technologies | Red Hat, Inc.


Re: [Open-scap] Ubuntu Security Guide content

2019-02-04 Thread Jan Cerny
Hi,

You're correct it's missing CPE dictionary and CPE OVAL.
The files are located here:
https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-dict.xml
https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-oval.xml
They're a list of platform definitions based on which the platform applicability
of SCAP content is determined.
OpenSCAP expects them to be present in '/usr/share/openscap/cpe/'

I'm not an Ubuntu user, so I'm only guessing, but I think that downloading
these files and saving them to '/usr/share/openscap/cpe/' should help.

This is probably a bug in Ubuntu packaging, because it seems Ubuntu doesn't
ship these files in its packages, but they are required by OpenSCAP to work
correctly. You can try to file a bug report on Ubuntu.

Regards

Jan Černý
Security Technologies | Red Hat, Inc.

- Original Message -
> From: "Todd Williams" 
> To: "Jan Cerny" 
> Sent: Friday, February 1, 2019 4:35:50 PM
> Subject: Re: [Open-scap] Ubuntu Security Guide content
> 
> 
> Hi Jan,
> 
> So I was able to use ssg-ubuntu1804-ds.xml in scap-workbench on Ubuntu
> 18.4, and I got this error when I ran the scan
> 
> 
> 14:27:38  info   SCAP Workbench 1.1.5, compiled with Qt 4.8.7, using OpenSCAP 1.2.15
> 14:28:16  info   Opened file '/root/scap-security-guide-0.1.42/ssg-ubuntu1804-ds.xml'.
> 14:28:25  info   Querying capabilities...
> 14:28:25  info   Creating temporary files...
> 14:28:25  info   Starting the oscap process...
> 14:28:25  info   Processing...
> 14:28:30  error  The 'oscap' process has written the following content to stderr:
>                  OpenSCAP Error: Unable to open file:
>                  '/usr/share/openscap/cpe/openscap-cpe-dict.xml'
>                  [../../../src/source/oscap_source.c:284]
> 14:28:30  error  The 'oscap' process has written the following content to stderr:
>                  Failed to add default CPE to newly created CPE Session.
>                  [../../../src/CPE/cpe_session.c:58]
> 14:28:30  info   The oscap tool has finished. Reading results...
> 14:28:30  info   Processing has been finished!
>
> 14:28:58  info   Querying capabilities...
> 14:28:58  info   Creating temporary files...
> 14:28:58  info   Starting the oscap process...
> 14:28:58  info   Processing...
> 14:29:00  error  The 'oscap' process has written the following content to stderr:
>                  OpenSCAP Error: Unable to open file:
>                  '/usr/share/openscap/cpe/openscap-cpe-dict.xml'
>                  [../../../src/source/oscap_source.c:284]
> 14:29:00  error  The 'oscap' process has written the following content to stderr:
>                  Failed to add default CPE to newly created CPE Session.
>                  [../../../src/CPE/cpe_session.c:58]
> 14:29:00  info   The oscap tool has finished. Reading results...
> 14:29:00  info   Processing has been finished!
> 
> 
> So I went to /usr/share/openscap/cpe and the only file there is the README,
> so I read it and it pointed me to https://nvd.nist.gov/Products/CPE.  I
> found these files there:
> official-cpe-dictionary_v2.3.xml.gz
> official-cpe-dictionary_v2.2.xml.gz
> Can I rename and use 1 of these?
> 
> I have it setup and running on RHEL 7.6 and when I look at that dir on that
> system it has 2 files, can I use them?
> openscap-cpe-dict.xml
> openscap-cpe-oval.xml
> 
> 
> BTW, the setup for RHEL goes much smoother than Ubuntu..
>
> Thanks,
> Todd M. Williams
> Unix System Admin, devIT-US,
> AIX/Linux/CC/CQ/SPoRT/DB2
> Phone: 772-257-5706 | Mobile: 772-925-2042
> E-Mail: tod...@us.ibm.com
> devIT
>
> From: Jan Cerny 
> To:   Todd Williams 
> Cc:   open-scap-list@redhat.com
> Date: 01/31/2019 03:57 AM
> Subject:  Re: [Open-scap] Ubuntu Security Guide content
> 
> 
> 
> Hi Todd,
> 
> The security content is provided by "ComplianceAsCode" project, which was
> up until recently known as "SCAP Security Guide" or "SSG".
> See
> https://urldefen

Re: [Open-scap] Ubuntu Security Guide content

2019-01-31 Thread Jan Cerny
Hi Todd,

The security content is provided by "ComplianceAsCode" project, which was
up until recently known as "SCAP Security Guide" or "SSG".
See https://github.com/ComplianceAsCode/content

The security content is packaged in Ubuntu since Ubuntu 18.04 (Bionic Beaver).
The packages are: ssg-base, ssg-debderived, ssg-debian, ssg-nondebian,
ssg-applications.

However, the packages contain outdated versions of upstream content, and AFAIK
the content in the packages is applicable to Ubuntu 16.04 and 14.04. That is
kind of useless on 18.04 :)

Therefore, I suggest downloading the latest upstream release from GitHub:
https://github.com/ComplianceAsCode/content/releases/download/v0.1.42/scap-security-guide-0.1.42.zip
Extract the archive and then open ssg-ubuntu1804-ds.xml in SCAP Workbench.

Thank you very much for reminding us about the outdated web site. I will try
to update the web soon.

Best Regards

Jan Černý
Security Technologies | Red Hat, Inc.



- Original Message -
> From: "Todd Williams" 
> To: open-scap-list@redhat.com
> Sent: Wednesday, January 30, 2019 6:58:40 PM
> Subject: [Open-scap] Ubuntu Security Guide content
> 
> 
> 
> Hello,
> 
> I am new to SCAP and have been tasked with setting it up on a Ubuntu test
> system. It is running Ubuntu 18.04.1 LTS. I have these 2 packages installed:
> 
> libopenscap8/bionic,now 1.2.15-1build1 amd64 [installed]
> scap-workbench/bionic,now 1.1.5-1 amd64 [installed]
> 
> I can bring up the GUI for the workbench, but with no security content I am
> stuck as far as being able to run a scan and/or editing the security
> requirements. According to the web site there is no security guide for
> Ubuntu.
> 
> 
> 
> But I have been told that there is a package for Ubuntu out there, "apt-get
> list" did not return anything, can someone tell if there is or not?
> 
> 
> 
>   Thanks,
> Todd M. Williams
> Unix System Admin, devIT-US, AIX/Linux/CC/CQ/SPoRT/DB2
> Phone: 772-257-5706 | Mobile: 772-925-2042
> E-Mail: tod...@us.ibm.com
> devIT
> 
> 
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
