Re: [Open-scap] SCAP editor

2016-05-23 Thread Shawn Wells
to compile that into proper SCAP 1.2 compliant file and run it. - Auto completion of OVAL definitions (ind:filepath, testcheck...) -- Shawn Wells Chief Security Strategist U.S. Public Sector | 443.534.0130 ___ Open-scap-list mailing list

Re: [Open-scap] New COPR repository for OpenSCAP projects

2016-07-19 Thread Shawn Wells
On 7/19/16 11:31 AM, Martin Preisler wrote: - Original Message - >From: "Jan Cerny" > >Sent: Tuesday, July 19, 2016 9:19:04 AM >Subject: [Open-scap] New COPR repository for OpenSCAP > >Hi all, > >We have created a new COPR repository that

Re: [Open-scap] SCAP Workbench 1.1.4

2017-01-23 Thread Shawn Wells
On 1/23/17 11:29 AM, Shawn Wells wrote: > > > On 1/17/17 11:54 AM, Watson Yuuma Sato wrote: >> >> I noticed your screenshot doesn't show the count of selected rules >> for each profile. >> >> And the concatenated profile title is something th

Re: [Open-scap] SCAP Workbench 1.1.4

2017-01-16 Thread Shawn Wells
On 1/13/17 12:00 PM, Watson Yuuma Sato wrote: > > Hi, > > A new release of SCAP Workbench is out! > > This release brings a lot of bug fixes and improvements, including > a lot of UX improvements and fixes for inappropriate error messages > (fetch remote resources and query capabilities). > >

Re: [Open-scap] Really nice tool

2016-09-27 Thread Shawn Wells
On 9/27/16 4:07 AM, Jan Cerny wrote: > Hello David, > > - Original Message - >> From: "david oliva" >> To: >> Sent: Tuesday, September 27, 2016 3:09:35 AM >> Subject: [Open-scap] Really nice tool >> >> >> >> Dear Red Hat /OpenSCAP team:

Re: [Open-scap] SCAP Security Guide 0.1.32

2017-03-30 Thread Shawn Wells
Thank you! Looking forward to downloading the data stream and testing it. I can start the process to get the new release posted to NIST. Shawn Wells > On Mar 30, 2017, at 8:22 AM, Watson Yuuma Sato wrote: > > Hello folks, > > We have the pleasure

Re: [Open-scap] SCAP Security Guide 0.1.32

2017-03-30 Thread Shawn Wells
to get these resolved before uploading to NIST and before this release makes it into downstream releases (e.g. RHEL 7.4 rebase). What's the best way to start working these bugs? Is there a deadline for when these bugs must be resolved for inclusion downstream? On 3/30/17 9:07 AM, Shawn Wells wrote

Re: [Open-scap] tailoring file not working

2017-03-29 Thread Shawn Wells
LlOc0plYIVpTPuVVs=>" > xml:lang="en-US" override="true">This is a *draft* profile for PCI-DSS > v3 > > selected="false"/> > > idref="xccdf_org.ssgproject.content_group_smart_card_login" > selected=&q

Re: [Open-scap] results not being checked in disa stig

2017-04-05 Thread Shawn Wells
On 4/5/17 1:43 PM, Greg Hennessy wrote: > I am exploring the use of open-scap to verify my machines meet > the DISA stigs. If I run oscap against the > /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml file things seem to work > as expected. If I run oscap against the file from >

Re: [Open-scap] results not being checked in disa stig

2017-04-05 Thread Shawn Wells
On 4/5/17 2:54 PM, Greg Hennessy wrote: > Bummer > > On Wed, Apr 5, 2017 at 1:53 PM, Shawn Wells wrote: > > > > On 4/5/17 1:43 PM, Greg Hennessy wrote: >> I am exploring the use of open-scap to ver

Re: [Open-scap] the sed_command idiom

2017-04-24 Thread Shawn Wells
On 4/19/17 2:20 PM, Greg Silverman (CS) wrote: > > The generated scripts use this idiom > > > > sed_command="sed -i …" > > > > where the ellipsis is replaced by a follow symlink option if the file > being edited is a symbolic link. There are some errors when running > the generated remediation

Re: [Open-scap] Logos and other materials for SCAP projects

2017-07-17 Thread Shawn Wells
On 7/17/17 2:59 PM, Martin Preisler wrote: > Hi, > I have gathered all the logos and other graphics and put them into a > GitHub repository to make sure they don't get lost. Most of these (if > not all) have been created by Lenka Horakova. > > > > If you have

Re: [Open-scap] what profile to use in RHEL7

2017-07-18 Thread Shawn Wells
On 7/18/17 1:09 PM, Martin Preisler wrote: > On Mon, Jul 17, 2017 at 6:44 PM, Smith, Cathy wrote: >> Folks >> >> I’m trying to build a customized profile for RHEL7. I’m not sure about the >> list of profile names offered through the oscap command and the list shown >> in

Re: [Open-scap] Tuning/Customisation of SSG OVAL

2017-04-24 Thread Shawn Wells
On 4/19/17 4:17 AM, Jan Cerny wrote: > Hi, > > Some of the rules in SCAP Security guide can be parametrized using "XCCDF > Value". > Those values can be set in SCAP Workbench. However that's not the case of this > particular rule, the value is hard-coded in regular expressions across the >

Re: [Open-scap] [Newbie] Way to search the archives?

2017-06-13 Thread Shawn Wells
On 6/13/17 9:42 AM, leam hall wrote: > Hey Mike, sorry if I'm dense. I looked at the URL and it seems to be > the initial welcome page. Messages go back as far as 2009, how do I > search what has already been answered? google for "centos site:;

Re: [Open-scap] scap-workbench remote scan doesnt work

2017-09-21 Thread Shawn Wells
On 9/21/17 8:44 AM, DD Donny Lie wrote: > Hello, > I have a CentOS 7 with installed openscap-scanner > and I use scap-workbench from my laptop with VM RHEL 7, trying to > remote scan the CentOS 7, > > It succeed login via SSH but Diagnostics says: > *error     > * > *Failed to locate oscap on

Re: [Open-scap] [open-scap] scan percentage with respect to rules specified by STIG

2017-09-05 Thread Shawn Wells
On 9/5/17 4:38 AM, Wesley Ceraso Prudencio wrote: > I'm not an expert, but if I got it right, we currently cover approximately > 85% of STIG rules for RHEL7 and 23% for RHEL6. Something seems off. In RHEL6, the STIG profile extends the common profile: > $ head -1

Re: [Open-scap] [open-scap] scan percentage with respect to rules specified by STIG

2017-09-06 Thread Shawn Wells
On 9/6/17 9:58 AM, Wesley Ceraso Prudencio wrote: > Thanks Shawn, I didn't notice the extension from common profile. Of course. It's incredibly hard to keep tabs on what 3rd parties are putting into their baselines so while our rule counts may be close, there's little assurance that

Re: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries

2018-04-27 Thread Shawn Wells
On 4/27/18 1:18 AM, Mohanraj, Bharath wrote: Thanks Shawn for the clarification… One last thing I want to mention here is… some of the RHEL boxes in my environment are locked down from internet... so they will not have access to the repository to fetch oscap binaries, and that’s the

Re: [Open-scap] Let me poll the community

2018-05-16 Thread Shawn Wells
On 5/14/18 7:26 PM, Geoffry Roberts wrote: A few weeks ago I saw a thread or two where some were seeking a means of analyzing large volumes of SCAP result sets. I'd like to ask the community as to what extent this represents a problem? People I know who are using SCAP are scanning on a

Re: [Open-scap] SCAP customizations and OS migrations

2018-06-05 Thread Shawn Wells
On 6/3/18 11:59 PM, Robert Sanders wrote: Marek, Thank you for your reply. While I understand how it can be difficult to compare between versions, I've found it very useful to do so. I've written a very rough hack (as in, one step better than a stone axe) that will compare multiple

Re: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries

2018-04-26 Thread Shawn Wells
On 4/26/18 1:09 PM, Mohanraj, Bharath wrote: I tried to download only the oscap rpms by using the below command, yum install --downloadonly --downloaddir=/opt/oscaprpm openscap-scanner And once the above command is triggered, it downloaded the below bunch of RPMs… My intention

Re: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries

2018-04-26 Thread Shawn Wells
On 4/26/18 7:00 PM, Christopher Wiedmaier wrote: How can I be removed from this list?  I have completed the unsubscribe steps multiple times but I still end up receiving e-mails. Under the "openscap-list subscribers" section (last

Re: [Open-scap] down?

2018-01-20 Thread Shawn Wells
Seems restored now (approx 11am US EST). > On Jan 20, 2018, at 5:21 AM, Šimon Lukašík wrote: > > > Can you guys please take a look? > > ~š.

Re: [Open-scap] oscap results stored in central database?

2018-01-31 Thread Shawn Wells
On 1/31/18 10:22 PM, Luke Salsich wrote: > Hey all, > > I've been using OpenSCAP for a while on our servers and really > appreciate what it does.  > > I've been looking around for a way to store scan results and then > query them and I can't seem to locate any plugins or apps which do > this

Re: [Open-scap] openscap version support

2018-02-05 Thread Shawn Wells
On 2/5/18 2:10 PM, r hartikainen wrote: > Hello everyone > > I am trying to find answer how Openscap should be used when there is need to > run different minor versions of operating system, in my case its about rhel > 7.2 and the very latest 7.x. > I have piece of software that requires me to

Re: [Open-scap] Scanning Ubuntu / Debian servers with openscap

2018-08-23 Thread Shawn Wells
On 8/22/18 2:01 PM, Marek Haicman wrote: On 08/22/2018 07:37 PM, Dhanushka Parakrama wrote: Hi Team, I'm new to OpenSCAP. I am able to scan my Red Hat and CentOS machines with OpenSCAP for compliance. oscap xccdf eval --profile "usgcb-rhel6-server" --report /tmp/report.html

Re: [Open-scap] Can we remove some service checks from the profile

2018-09-05 Thread Shawn Wells
On 9/5/18 6:20 AM, Dhanushka Parakrama wrote: Hi Team I  Wanted to remove the few service checks from the profile *xccdf_org.ssgproject.content_profile_anssi_np_nt28_high (Eg: Ensure /tmp Located On Separate Partition , *xccdf_org.ssgproject.content_rule_partition_for_tmp ) and build new

Re: [Open-scap] First try at remote scanning

2018-02-28 Thread Shawn Wells
On 2/28/18 9:24 AM, Geoffry Roberts wrote: > All, > > I tried my first remote scan and don't understand the result. > > I ran the following, which is almost a cut and paste from the manual: > > oscap-ssh root@ xccdf eval --profile MAC-3_Sensitive --report > report.html >

Re: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries

2018-04-24 Thread Shawn Wells
On 4/24/18 1:12 PM, Mohanraj, Bharath wrote: > > Thanks for the info…  > > The first thing I want to avoid is my enduser machines hitting the > internet for downloading packages… So, I prefer having them as RPM > files locally and trigger installation of the same… But, in case the > RPM

Re: [Open-scap] Disable STIG

2018-10-22 Thread Shawn Wells
On 10/22/18 7:22 AM, Gaurav Kamathe wrote: Hello All, I am a QA who needs to test some functionality when STIG is enabled on a server (RHEL) by the user. However the software does not provide any way to disable STIG (factory reset is the only option). Is there a workaround for this? Can I

Re: [Open-scap] OpenSCAP 1.3.0

2018-10-09 Thread Shawn Wells
On 10/9/18 7:38 AM, Jan Cerny wrote: Hello OpenSCAPers, We are thrilled to announce general availability of OpenSCAP 1.3.0 release. This is the first release from maint-1.3 maintenance branch. API/ABI is not compatible with 1.2.x releases. API/ABI is not compatible with 1.3.0_alpha

Re: [Open-scap] OpenSCAP 1.3.0

2018-10-10 Thread Shawn Wells
On 10/10/18 5:01 AM, Jan Cerny wrote: Hi, OpenSCAP support for Windows hasn't been improved much since the 1.3.0_alpha1 releases. The only thing that we have done recently is that we added Windows CPEs to the inbuilt CPE dictionary. How far along is Windows support? Saw the mention of

Re: [Open-scap] question on addon_fedora_oscap

2018-10-04 Thread Shawn Wells
On 10/4/18 3:05 AM, Jan Cerny wrote: Hi, Unfortunately, the "tailoring" feature is broken in Anaconda Addon. However, there is a workaround, suggested by Watson Yuuma Sato (adding him to this conversation). Let me copy-paste his idea: There is a tool that can combine the tailoring to the

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2018-11-27 Thread Shawn Wells
On 11/27/18 6:23 PM, Boucher, William wrote: Hi folks, I am currently hardening an Ubuntu embedded system for delivery to a customer. I have downloaded the “Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1” from DISA, and I have obtained a copy of the SCAP Compliance checker tool “SCC 5.0.2

[Open-scap] Atomic Scan still based off RHEL 7.6?

2019-03-03 Thread Shawn Wells
Pulling the latest atomic scan shows the container image is still based on RHEL 7.6 (vs 7.7) and contains very old scap-security-guide package. When will it be rebased?

Re: [Open-scap] Phasing out the RHEL6 CI

2019-02-26 Thread Shawn Wells
On 2/26/19 12:07 PM, Boucher, William wrote: My only concern is that sometimes a government customer will mandate using some flavor of RHEL 6, for whatever reason they may have. For example, we have a government customer mandating we use 6.5 at the moment. And they are perfectly happy to

Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-07 Thread Shawn Wells
On 2/4/19 2:27 PM, William Munyan wrote: Hey Shawn, I’ll add to Steve’s point that if there is not current OVAL support for the constructs you need, then the new OVAL tests/objects/states/items would need to be created in either a new OVAL schema or (more likely) as additions to the

Re: [Open-scap] Using profiles not distributed in scap-security-guide

2019-02-07 Thread Shawn Wells
On 2/6/19 1:11 PM, Greg Silverman wrote: We want to use the DISA STIG for RHEL 7 V2R2 profile. The latest scap-security-guide RPM has V1R4. How is a profile xml file consumed by oscap? Most use cases are covered in the RHEL documentation:

Re: [Open-scap] Using profiles not distributed in

2019-02-08 Thread Shawn Wells
On 2/8/19 2:34 PM, Greg Silverman wrote: Let me ask in a different way. DISA published xml files with The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2 Release

Re: [Open-scap] Open a ticket?

2019-02-18 Thread Shawn Wells
On 2/18/19 9:04 AM, Todd Williams wrote: I am trying to find out how to go about opening a ticket against openSCAP, can anyone point me in the right direction? Depends where you're consuming it. If using a commercial linux distro, would suggest opening a ticket with them directly. For

Re: [Open-scap] V-73159 - Question on requisite vs required in pam.d/system-auth

2019-02-14 Thread Shawn Wells
On 2/14/19 12:21 PM, Marek Haicman wrote: Hello, according to the v2r2, the check is supposed to be: ``` # cat /etc/pam.d/system-auth | grep pam_pwquality password required retry=3 If the command does not return an uncommented line containing the value "",

Re: [Open-scap] Hardening Redhawk 6.5

2019-01-30 Thread Shawn Wells
On 1/29/19 11:14 PM, Boucher, William wrote: Hi folks, I’ve been tasked with applying the RedHat 6 STIG to several RedHawk 6.5 systems. Running oscap should be relatively easy, to see where a base install sits initially (RedHawk is RedHat with modifications for embedded realtime use).

Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-04 Thread Shawn Wells
On 2/4/19 6:08 PM, Steve Grubb wrote: On Mon, 4 Feb 2019 11:06:00 -0500 Shawn Wells wrote: When can OpenSCAP probes be expected for OpenShift? Are you talking about new OVAL tests? Probes so that OVAL tests could be created. Akin to the systemd probes

Re: [Open-scap] Help needed - to Quantify severity levels

2019-06-07 Thread Shawn Wells
On 6/7/19 5:02 AM, harshad wadkar wrote: Respected Madam / Sir, I am referring the following url to know about open-scap and Ubuntu secure configuration. I have one query : 1. At present, the severities

Re: [Open-scap] Help needed - to Quantify severity levels

2019-06-18 Thread Shawn Wells
On 6/18/19 3:45 PM, Trevor Vaughan wrote: At some point, these should probably be changed to correlate with the Vulnerability Severity Assessment Scale as outlined in the NIST 800-30 since it is well defined, a public standard at no cost, and 0-100 which lines up with most people's internal

Re: [Open-scap] Wish to disable check or remediation of STIG rules to remove X Windows and to use smart card

2019-06-25 Thread Shawn Wells
On 6/25/19 11:36 AM, Boucher, William wrote: I figured it out! That's great! To help others down the road who may have a similar issue, what was the fix?

Re: [Open-scap] Need help on openscap SSG question

2019-04-29 Thread Shawn Wells
Would need to understand where the content is coming from. Perhaps scap-security-guide in RHEL, and if so, what RHEL and SSG version? Note Red Hat doesn’t publish RHEL6 content in the National Checklist Program since RHEL6 is out of active maintenance:

Re: [Open-scap] timing rule evaluation times

2019-08-07 Thread Shawn Wells
On 8/7/19 2:58 PM, Greg Silverman wrote: Is there any way within oscap to record the time taken for each rule’s evaluation to complete? We sometimes see it taking over an hour to complete on RHEL7 and want to understand why. Could try verbose mode. Not sure if timestamps are generated.