Re: [Open-scap] Scanning containers using SPC

2016-02-19 Thread Jan Cerny
. - Original Message - > From: "Martin Preisler" <mprei...@redhat.com> > To: "Jan Cerny" <jce...@redhat.com> > Cc: open-scap-list@redhat.com > Sent: Thursday, February 18, 2016 4:51:16 PM > Subject: Re: [Open-scap] Scanning containers using SPC >

Re: [Open-scap] Assessing multiple machines in parallel and combining assessment reports

2016-03-16 Thread Jan Cerny
Hi, Oscap-ssh can't scan in parallel. It is only a simple script. Scanning multiple machines in parallel can be done using Red Hat Satellite. It will also give you an overview of results for all machines. See http://www.open-scap.org/tools/systems-management/ Best regards Jan Černý Security

Re: [Open-scap] Run-level probes on SUSE

2016-03-21 Thread Jan Cerny
Hello, This sounds good to me. We are looking forward to your patches. Best regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "S, Gautam" > To: open-scap-list@redhat.com > Sent: Friday, March 18, 2016 6:52:54 PM > Subject:

Re: [Open-scap] Run-level probes on SUSE

2016-03-22 Thread Jan Cerny
. Best Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "S, Gautam" <gaut...@hpe.com> > To: "Jan Cerny" <jce...@redhat.com> > Cc: open-scap-list@redhat.com > Sent: Tuesday, March 22, 2016 5:40:00 AM > Su

Re: [Open-scap] OVAL rule evaluation order

2016-04-05 Thread Jan Cerny
Hello Pravin, OpenSCAP doesn't have any option to influence the order of evaluation. OVAL is a declarative language. Rule evaluation order should not affect results. OVAL definitions have to be written in a way that it doesn't matter in which order they are evaluated. Moreover, OVAL

Re: [Open-scap] Open-scap-list Digest, Vol 85, Issue 24

2016-04-27 Thread Jan Cerny
can reach the person managing the list at > open-scap-list-ow...@redhat.com > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Open-scap-list digest..." >

Re: [Open-scap] process58_object is not supported

2016-05-13 Thread Jan Cerny
Hi Dragos, You are missing sys/capability.h header file. Install libcap-devel package. I have noticed that you also miss other packages for other probes (GConf2-devel, openldap-devel) Build dependencies are listed in: https://github.com/OpenSCAP/openscap/blob/maint-1.2/README.md Regards Jan

Re: [Open-scap] openscap does not collect the uuid property

2016-05-10 Thread Jan Cerny
d 7: > # blkid > ... > /dev/loop2: UUID="----" TYPE="ext3" > > Thanks, > _Dragos. > > > -Original Message- > From: Jan Cerny [mailto:jce...@redhat.com] > Sent: Monday, May 09, 2016 11:42 AM > To: Dr

Re: [Open-scap] Offline scanning - SCE, probes

2016-04-14 Thread Jan Cerny
Hi Zbyněk, - Original Message - > From: "Zbynek Moravec" > To: open-scap-list@redhat.com > Sent: Wednesday, April 13, 2016 11:47:51 PM > Subject: [Open-scap] Offline scanning - SCE, probes > > Hi > > We plan to implement offline scan support for SCE scripts. I

Re: [Open-scap] Offline scanning - SCE, probes

2016-04-15 Thread Jan Cerny
Hi Iankko, - Original Message - > From: "Jan Lieskovsky" > To: "Zbynek Moravec" > Cc: open-scap-list@redhat.com > Sent: Friday, April 15, 2016 1:26:09 PM > Subject: Re: [Open-scap] Offline scanning - SCE, probes > > > Hello Zbynek, > > -

[Open-scap] New COPR repository for OpenSCAP

2016-07-19 Thread Jan Cerny
Hi all, We have created a new COPR repository that provides unofficial builds of latest versions of openscap, scap-security-guide, scap-workbench and openscap-daemon packages. The packages are suitable for use on Red Hat Enterprise Linux 5, 6 and 7 and CentOS 5, 6 and 7. The COPR repository is

Re: [Open-scap] oscap-docker on Ubuntu 14.04

2017-02-07 Thread Jan Cerny
Hi, - Original Message - > From: "Pravin Goyal" <pravin.go...@outlook.com> > To: "Jan Cerny" <jce...@redhat.com> > Sent: Monday, February 6, 2017 3:55:10 PM > Subject: Re: [Open-scap] oscap-docker on Ubuntu 14.04 > > Thanks, Jan. I don'

Re: [Open-scap] oscap-docker on Ubuntu 14.04

2017-02-06 Thread Jan Cerny
Hi, which Python version is used by your /usr/bin/oscap-docker ? There might be a collision between Python2 and Python3. The script should run on both versions of Python, but most likely you have necessary modules only for Python 2. Also notice that oscap-docker needs Atomic [1] installed as a

Re: [Open-scap] oscap xccdf generate fix --template urn:xccdf:fix:script:ansible working?

2017-01-25 Thread Jan Cerny
Hi, thank you very much for reaching us. Your problem can have multiple reasons: 1. Ansible playbooks are a new feature in SCAP Security Guide 0.1.31, released recently. If you use older version, you can download the latest release on

Re: [Open-scap] OpenScap Scanner on Windows

2017-02-20 Thread Jan Cerny
Hi, I agree that it would be beneficial for OpenSCAP if we could scan containers on Debian hosts as well. Unfortunately, oscap-docker can run now only on RHEL7 and Fedora hosts, because it depends on Project Atomic. Atomic handles mounting of container's filesystem to the host's filesystem so

Re: [Open-scap] OpenSCAP Error: OVAL object not correctly defined

2016-08-26 Thread Jan Cerny
Hi Rocio, I am sorry for a late reply, but most of the OpenSCAP team is not present right now. Your issue seems to me like a regular bug, but I don't use Oracle, so I am afraid I can't help so much. AFAIK the code path leading to the message you described should be run on every evaluation of

Re: [Open-scap] Issue with "official" RHEL-7 definitions

2016-08-26 Thread Jan Cerny
Hi, New version of SCAP Security Guide usually appears with a new release of RHEL (but not necessarily always). I haven't looked exactly into firewall rules, but in general SCAP Security Guide is evolving very quickly, so it is very likely that they were not present at all in 0.1.25. OpenSCAP

[Open-scap] OpenSCAP 1.2.11

2016-10-14 Thread Jan Cerny
Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.2.11 release. This is the latest release from maint-1.2 maintenance branch. API/ABI is fully compatible with 1.2.0 release. Users of 1.2.x releases are recommended to update. Changes: - New features - huge

Re: [Open-scap] customizing generation of mediation scripts

2017-03-23 Thread Jan Cerny
Hi, The bash code is taken from the input SCAP content, eg. from /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml there is no magic behind that, basically oscap simply extracts snippets from XML. If you want to amend the script that is generated by oscap, unfortunately that is not possible, we

Re: [Open-scap] openscap 1.2.15 failed "make check" -> process58

2017-03-30 Thread Jan Cerny
Hi, thank you for the report. This test is not as deterministic as we want, perhaps we need to improve it again. Usually, running it again will be successful. But it's just a test, you can skip it if you need to install. We will definitely get back into these issues. Jan Černý Security

Re: [Open-scap] “local machine” as a target is not enabled for Workbench on Windows 10

2017-03-29 Thread Jan Cerny
Hi, Unfortunately, OpenSCAP can scan only Linux machines. Windows support is currently not implemented. The use-case for Workbench on Windows is only to scan remote Linux servers from a user's Windows laptop. Installing SSH server locally will not help. You are not the first person asking for

Re: [Open-scap] customizing remediation

2017-03-17 Thread Jan Cerny
Hello, Thank you for contacting us. There are a few things that you might have done incorrectly. In SCAP Workbench, after you click on "Customize", you will be prompted for a new profile ID, that will be the ID of your custom profile. Check if you use the new ID, and not the ID of original

Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black

2017-04-07 Thread Jan Cerny
fo > Processing has been finished! > > > > > > On Friday, April 7, 2017 2:02 AM, Luther Goh Lu Feng <elf...@yahoo.com> > wrote: > > > > > > > On Thursday, April 6, 2017 10:20 PM, Luther Goh Lu Feng <elf...@yahoo.com>

Re: [Open-scap] Issues with the recurse_direction="up"

2017-03-10 Thread Jan Cerny
Hi, Thank you for contacting me. See my replies inline below. Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Dragos Prisaca" > To: open-scap-list@redhat.com > Sent: Monday, March 6, 2017 10:00:40 PM > Subject: [Open-scap] Issues

Re: [Open-scap] Possible OpenSCAP bug

2017-03-10 Thread Jan Cerny
Hi Dragos, Thank you very much for reporting this and sorry for the delay. I had a look into your issue. Let me explain my findings. According to OVAL 5.11.1 specification and XML schema, recurse="none" is deprecated value and it was deprecated in OVAL 5.5. In XML schema

Re: [Open-scap] OSCAP-SCANNER on RHEL7

2017-04-05 Thread Jan Cerny
Hi, Your command # yum -y install openscap-scanner should work, because OpenSCAP is a standard component of RHEL 7. Check your software repositories configuration, eg. output of "yum repolist" command, and /etc/yum.repos.d/ directory. Check if you are able to install other packages. Regards

Re: [Open-scap] Using scap workbench to scan Debian on Beaglebone Black

2017-04-06 Thread Jan Cerny
Hi, That is pretty cool that you want to run OpenSCAP on such a device. I like it! You're the first person that I know running it on ARM :) I think the problem is that Debian Jessie has OpenSCAP 1.0.9, which is an old version that doesn't support systemd related tests and it also can't process

Re: [Open-scap] Tuning/Customisation of SSG OVAL

2017-04-19 Thread Jan Cerny
Hi, Some of the rules in SCAP Security Guide can be parametrized using "XCCDF Value". Those values can be set in SCAP Workbench. However that's not the case of this particular rule, the value is hard-coded in regular expressions across the file. We use parametrized values for example in rules

Re: [Open-scap] what profile to use in RHEL7

2017-07-19 Thread Jan Cerny
en-scap.org to figure this out. Click > >> on the product, then browse profiles. The page will always tell you > >> both title and ID of each. > >> > >> Hope this helps! > >> > >> > >> > >> As a future OpenSCAP RFE, could the '

Re: [Open-scap] OpenSCAP Daemon Status

2017-07-19 Thread Jan Cerny
Hi Jordan, OpenSCAP Daemon is an active project. I don't think it will be deprecated. Right now, its main purpose is to integrate OpenSCAP with Project Atomic to provide "atomic scan" feature. But it can do more: continuous compliance of bare-metal machines, VMs, containers. The official RPM is

[Open-scap] OpenSCAP Daemon 0.1.7

2017-08-03 Thread Jan Cerny
Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP Daemon 0.1.7 release. Everybody is encouraged to update. Changes: - New features: - Scanning of any XCCDF profile in oscapd-evaluate - Detecting XCCDF profiles applicable to a given target - Generating

[Open-scap] Dockerfiles for OpenSCAP container

2017-06-22 Thread Jan Cerny
Hi, I would like to move the discussion about Dockerfiles for OpenSCAP container from GitHub [1] to the mailing list, because I'm interested in solving that topic. Nowadays, OpenSCAP Daemon upstream repository contains multiple Dockerfiles in this repository to build various container images

Re: [Open-scap] Implementation for an AppArmor probe.

2017-09-15 Thread Jan Cerny
Hi, The new patch looks great. I'll review and test. I'll let you know. Thanks Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Bruno Ducrot" <br...@poupinou.org> > To: "Jan Cerny" <jce...@redhat.com> >

Re: [Open-scap] fix process58 for Ubuntu

2017-09-08 Thread Jan Cerny
Hi, Thanks for the patch. I have included it in upstream. https://github.com/OpenSCAP/openscap/commit/0844e5fa6fb6624882b50e6915ecb3393559b4cc I tried to reproduce this yesterday, but I wasn't successful. Do I understand it well that this happens only if SELinux is not in use? Regards Jan

[Open-scap] OpenSCAP 1.2.15

2017-08-25 Thread Jan Cerny
Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.2.15 release. This is the latest release from maint-1.2 maintenance branch. API/ABI is fully compatible with 1.2.0 release. Users of 1.2.x releases are recommended to update. Changes: - New features - short

Re: [Open-scap] SCE not able to find sh script

2017-11-10 Thread Jan Cerny
Hi, The datastream you mentioned looks like it references another file. But in fact, this is a reference to another part of the datastream, 'extended-component'. There can be multiple reasons for this issue. Could you check you can write to /tmp? Could you run the command with --verbose INFO ?

[Open-scap] OpenSCAP 1.2.17

2018-05-29 Thread Jan Cerny
Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.2.17 release. This is the latest release from maint-1.2 maintenance branch. API/ABI is fully compatible with 1.2.0 release. Users of 1.2.x releases are recommended to update. Changes: - New features - HTML

Re: [Open-scap] New GitHub teams

2018-06-26 Thread Jan Cerny
Hi, This is great news! However, I used to change settings in OpenSCAP repository, which I can't now, because I don't have the settings button anymore. This is a huge problem. Now, I can't merge the maint-1.2 branch into master, because I'm not able to temporarily disable the required check for

Re: [Open-scap] oscap results stored in central database?

2018-02-12 Thread Jan Cerny
Hi, This idea is very interesting. Unfortunately it is not likely that we in Red Hat work on this database, because it will create a strong competition for Red Hat Satellite. But we will be very happy to provide our support and knowledge if there will be a project developed by community.

Re: [Open-scap] Submitting Remediation Fix Scripts

2018-08-09 Thread Jan Cerny
Hi, Your understanding is correct, the remediation scripts are short scripts that make a finding compliant, in other words they should fix the system in a way the given rule will be passing. The remediation scripts are part of SCAP Security Guide project,

[Open-scap] OpenSCAP 1.3.0_alpha2

2018-08-10 Thread Jan Cerny
Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.0_alpha2 release. This is the second alpha release from master branch. This alpha release contains significant changes. API/ABI is not compatible with 1.2.x releases. API/ABI may be subject of further changes

Re: [Open-scap] New Structure for Content - Rule Directories in SCAP Security Guide

2018-08-27 Thread Jan Cerny
Hi, Thank you for your excellent write-up. I think this new structure is a big step forward and definitely makes contributing to SSG easier. Kudos! Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Alexander Scheel" > To: "Open-scap-list" > Sent: Friday,

[Open-scap] OpenSCAP 1.3.0_alpha1

2018-07-18 Thread Jan Cerny
Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.0_alpha1 release. This is the first alpha release from master branch. This alpha release contains significant changes. API/ABI is not compatible with 1.2.x releases. API/ABI may be subject of further changes

[Open-scap] OpenSCAP Daemon - Fedora Updates

2018-01-18 Thread Jan Cerny
Hi, Please provide Karma on OpenSCAP daemon 0.1.9. Fedora 26 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-8654af23fe Fedora 27 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-509bf79a3b EPEL 7 - https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-db54a11b6d

Re: [Open-scap] Open SCAP on Ubuntu

2018-01-24 Thread Jan Cerny
Hi, Unfortunately, scap-workbench was introduced in Ubuntu 17.04, so it is not available in 16.04. In Ubuntu 16.04 you can still use the command-line tool oscap, which is found in package libopenscap8. But there is old OpenSCAP 1.2.8. I don't expect Ubuntu people will update packages in LTS

Re: [Open-scap] Openscap and Windows

2018-03-15 Thread Jan Cerny
Hi, I have taken over the initiative and I work on enabling Windows support in OpenSCAP. Unfortunately OpenSCAP was designed for Linux, and there is a lot of low-level stuff that needs to be changed to make it working on Windows. It isn't working on Windows now, but I'm getting closer. I hope

Re: [Open-scap] OVAL filtering on directories?

2018-04-15 Thread Jan Cerny
Hi, I'm afraid you have discovered a bug in OpenSCAP. The problem isn't with the filters, but the problem is that OpenSCAP completely ignores directories. I have reduced your OVAL to just collect everything under /usr/foo, I removed the filters. See the attachment. I ran the following commands:

Re: [Open-scap] Debugging xinetd_probe

2018-04-19 Thread Jan Cerny
Hi, it could be easier to debug the probe in 'master' branch, where probes are not separate processes, but are included in the oscap process. Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Šimon Lukašík" > To:

Re: [Open-scap] Developing content for Oracle Linux

2018-10-22 Thread Jan Cerny
Hi Tina, Thank you for reaching us. There is ComplianceAsCode project (formerly known as SCAP Security Guide) that provides SCAP content for various Linux distributions. ComplianceAsCode is an open-source project and it's developed actively on GitHub. Here's the link:

[Open-scap] OpenSCAP 1.3.0

2018-10-09 Thread Jan Cerny
Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.0 release. This is the first release from maint-1.3 maintenance branch. API/ABI is not compatible with 1.2.x releases. API/ABI is not compatible with 1.3.0_alpha releases. Changes from 1.3.0_alpha2: - New

Re: [Open-scap] OpenSCAP 1.3.0

2018-10-10 Thread Jan Cerny
| Red Hat, Inc. - Original Message - > From: "Shawn Wells" > To: open-scap-list@redhat.com > Sent: Tuesday, October 9, 2018 5:53:08 PM > Subject: Re: [Open-scap] OpenSCAP 1.3.0 > > > > On 10/9/18 7:38 AM, Jan Cerny wrote: > > Hello OpenSCAPers,

Re: [Open-scap] question on addon_fedora_oscap

2018-10-04 Thread Jan Cerny
Hi, Unfortunately, the "tailoring" feature is broken in Anaconda Addon. However, there is a workaround, suggested by Watson Yuuma Sato (adding him to this conversation). Let me copy-paste his idea: There is a tool that can combine the tailoring to the datastream or XCCDF file. So it is

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-01-23 Thread Jan Cerny
Hi, You're correct that SCAP Security Guide was not shipped as a package in Ubuntu 16.04, but it is shipped in Ubuntu 18.04. The file "U_Canonical_16-04_LTS_V1R1_STIG.zip" is a different content, which isn't provided by SCAP Security Guide project, but is provided by DISA. Regards Jan Černý

Re: [Open-scap] Making Fix Templates

2019-01-10 Thread Jan Cerny
Hi, I have looked into this quickly. But I haven't been able to get that working. I haven't found anything in the source code that uses it. It seems to me that the feature has been removed without changing the documentation. I'm not sure if the removal was intended or if it is a regression. The

Re: [Open-scap] Making Fix Templates

2019-01-14 Thread Jan Cerny
on the fixes within SSG, which was renamed to ComplianceAsCode, on GitHub. https://github.com/ComplianceAsCode/content Regards Jan Černý Security Technologies | Red Hat, Inc. - Original Message - > From: "Boyd Ako" > To: "Jan Cerny" > Cc: open-scap-list@redhat.com

Re: [Open-scap] Ubuntu Security Guide content

2019-01-31 Thread Jan Cerny
Hi Todd, The security content is provided by "ComplianceAsCode" project, which was up until recently known as "SCAP Security Guide" or "SSG". See https://github.com/ComplianceAsCode/content The security content is packaged in Ubuntu since Ubuntu 18.04 (Bionic Beaver). The packages are: ssg-base,

Re: [Open-scap] Ubuntu Security Guide content

2019-02-04 Thread Jan Cerny
Williams" > To: "Jan Cerny" > Sent: Friday, February 1, 2019 4:35:50 PM > Subject: Re: [Open-scap] Ubuntu Security Guide content > > > Hi Jan, > > So I was able to use ssg-ubuntu1804-ds.xml in scap-workbench on Ubuntu > 18.4, and I got this error when I ran

Re: [Open-scap] OVAL: join variables with empty value

2019-06-03 Thread Jan Cerny
Hi, I'm afraid we hit the limitation of OVAL specification: https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html#ObjectComponentType > The required object_ref attribute provides a reference to an existing OVAL Object declaration. The referenced

[Open-scap] OpenSCAP 1.3.1

2019-06-13 Thread Jan Cerny
Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.1 release. This is the latest release from maint-1.3 maintenance branch. API/ABI is fully compatible with 1.3.0 release. Users of 1.3.x releases are recommended to update. Changes: - New features - Support

Re: [Open-scap] Need help on openscap SSG question

2019-04-29 Thread Jan Cerny
Hi, I will try to answer, but I don't use Nessus, so I'm not sure what is the exact reason of this fail. In general, the SSG files are validated against SCAP XML schemas, so they are valid SCAP content. However, SCAP standard consists of multiple separate specifications. Strictly speaking, the

Re: [Open-scap] Need help on openscap SSG question

2019-04-29 Thread Jan Cerny
Hi, I have no idea. Does Nessus have any "verbose" mode to get more helpful error message? Including scap-security-guide list in this conversation because there might be people familiar with using SSG with Nessus. Regards On Mon, Apr 29, 2019 at 4:54 PM Riaz Ebrahim wrote: >

Re: [Open-scap] openscap for windows?

2019-07-11 Thread Jan Cerny
Hi, OpenSCAP can be run on Windows. The Windows installer can be downloaded from: https://github.com/OpenSCAP/openscap/releases/download/1.3.1/OpenSCAP-1.3.1-win32.msi However, the Windows version contains only the 4 most used probes, so it can scan only a few checks. There is no integration

Re: [Open-scap] customize scap report

2019-07-08 Thread Jan Cerny
Hi, You need to pass the ID of the customized profile in --profile instead of the ID of the original profile. The ID of the customized profile is the ID that Workbench prompted you when you clicked on "Customize" button. By default it's stig-rhel7-disa_customized. You can check by opening the

Re: [Open-scap] Questions about OVAL

2019-08-15 Thread Jan Cerny
Hi, On Tue, Aug 13, 2019 at 4:53 AM Tim Burress wrote: > > Hello, > > I'm trying to learn my way around SCAP just now, with the main focus > right now on scans of Linux-based systems using oscap and the related > tools. I'm hitting a bit of a wall when it comes to writing OVAL content > and just