to compile that into proper SCAP 1.2
compliant file and run it.
- Auto completion of OVAL definitions (ind:filepath, testcheck...)
Chief Security Strategist
U.S. Public Sector
sh...@redhat.com | 443.534.0130
Open-scap-list mailing list
On 7/19/16 11:31 AM, Martin Preisler wrote:
- Original Message -
>From: "Jan Cerny"
>Sent: Tuesday, July 19, 2016 9:19:04 AM
>Subject: [Open-scap] New COPR repository for OpenSCAP
>We have created a new COPR repository that
On 1/23/17 11:29 AM, Shawn Wells wrote:
> On 1/17/17 11:54 AM, Watson Yuuma Sato wrote:
>> I noticed your screenshot doesn't show the count of selected rules
>> for each profile.
>> And the concatenated profile title is something th
On 1/13/17 12:00 PM, Watson Yuuma Sato wrote:
> A new release of SCAP Workbench is out!
> This release brings a lot of bug fixes and improvements, including
> a lot of UX improvements and fixes for inappropriate error messages
> (fetch remote resources and query capabilities).
On 9/27/16 4:07 AM, Jan Cerny wrote:
> Hello David,
> - Original Message -
>> From: "david oliva"
>> To: Openfirstname.lastname@example.org
>> Sent: Tuesday, September 27, 2016 3:09:35 AM
>> Subject: [Open-scap] Really nice tool
>> Dear Red Hat /OpenSCAP team:
Thank you! Looking forward to downloading the data stream and testing it. I can
start the process to get the new release posted to Nist .
> On Mar 30, 2017, at 8:22 AM, Watson Yuuma Sato <ws...@redhat.com> wrote:
> Hello folks,
> We have the pleasure
to get these resolved before uploading to NIST and before
this release makes it into downstream releases (e.g. RHEL 7.4 rebase).
What's the best way to start working these bugs? Is there a deadline for
when these bugs must be resolved for inclusion downstream?
On 3/30/17 9:07 AM, Shawn Wells wrote
> xml:lang="en-US" override="true">This is a *draft* profile for PCI-DSS
On 4/5/17 1:43 PM, Greg Hennessy wrote:
> I am exploring the use of open-scap to verify my machines meet
> the DISA stigs. If I run oscap against the
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml file things seem to work
> as expected. If I run oscap against the file from iase.disa.mil
On 4/5/17 2:54 PM, Greg Hennessy wrote:
> On Wed, Apr 5, 2017 at 1:53 PM, Shawn Wells <sh...@redhat.com
> <mailto:sh...@redhat.com>> wrote:
> On 4/5/17 1:43 PM, Greg Hennessy wrote:
>> I am exploring the use of open-scap to ver
On 4/19/17 2:20 PM, Greg Silverman (CS) wrote:
> The generated scripts use this idiom
> sed_command=”sed –i …”
> where the ellipsis is replaced a follow symlink option if the file
> being edited is a symbolic link. There are some errors when running
> the generated remediation
On 7/17/17 2:59 PM, Martin Preisler wrote:
> I have gathered all the logos and other graphics and put them into a
> GitHub repository to make sure they don't get lost. Most of these (if
> not all) have been created by Lenka Horakova.
> If you have
On 7/18/17 1:09 PM, Martin Preisler wrote:
> On Mon, Jul 17, 2017 at 6:44 PM, Smith, Cathy wrote:
>> I’m trying to build a customized profile for RHEL7. I’m not sure about the
>> list of profile names offered through the oscap command and the list shown
On 4/19/17 4:17 AM, Jan Cerny wrote:
> Some of the rules in SCAP Security guide can be parametrized using "XCCDF
> Those values can be set in SCAP Workbench. However that's not the case of this
> particular rule, the value is hard-coded in regular expressions across the
On 6/13/17 9:42 AM, leam hall wrote:
> Hey Mike, sorry if I'm dense. I looked at the URL and it seems to be
> the initial welcome page. Messages go back as far as 2009, how do I
> search what has already been answered?
google for "centos site:https://www.redhat.com/archives/open-scap-list/;
On 9/21/17 8:44 AM, DD Donny Lie wrote:
> I have a CentOS 7 with installed openscap-scanner
> and I use scap-workbench from my laptop with VM RHEL 7, trying to
> remote scan the CentOS 7,
> It succeed login via SSH but Diagnostics says:
> *Failed to locate oscap on
On 9/5/17 4:38 AM, Wesley Ceraso Prudencio wrote:
> I'm not an expert, but if I got it right, we currently cover approximately
> 85% of STIG rules for RHEL7 and 23% for RHEL6.
Something seems off
In RHEL6, the STIG profile extends the common profile:
> $ head -1
On 9/6/17 9:58 AM, Wesley Ceraso Prudencio wrote:
> Thanks Shawn, I didn't notice the extension from common profile.
It's incredibly hard to keep tabs on what 3rd parties are putting into
their baselines so while our rule counts may be close, there's
little assurance that
On 4/27/18 1:18 AM, Mohanraj, Bharath wrote:
Thanks Shawn for the clarification…
One last thing I want to mention here is… some of the RHEL boxes in my
environment are locked down from internet.. .so they will not have
access to the repository to fetch oscap binaries, and that’s the
On 5/14/18 7:26 PM, Geoffry Roberts wrote:
A few weeks ago I saw a thread or two where some were seeking a means
of analyzing large volumes of SCAP result sets.
I'd like to ask the community as to what extent this represents a
People I know who are using SCAP are scanning on a
On 6/3/18 11:59 PM, Robert Sanders wrote:
Thank you for your reply. While I understand how it can be difficult to
compare between versions, I've found it very useful to do so. I've written a
very rough hack (as in, one step better than a stone axe) that will compare
On 4/26/18 1:09 PM, Mohanraj, Bharath wrote:
I tried to download only the oscap rpms by using the below command,
*yum install --downloadonly --downloaddir=/opt/oscaprpm
And once the above command is triggered, it downloaded the below bunch
On 4/26/18 7:00 PM, Christopher Wiedmaier wrote:
How can I be removed from this list? I have completed the unsubscribe
steps multiple times but I still end up receiving e-mails.
Under the "openscap-list subscribers" section (last
Seems restored now (approx 11am US EST).
> On Jan 20, 2018, at 5:21 AM, Šimon Lukašík wrote:
> Can you guys please take a look?
> Open-scap-list mailing list
On 1/31/18 10:22 PM, Luke Salsich wrote:
> Hey all,
> I've been using OpenSCAP for a while on our servers and really
> appreciate what it does.
> I've been looking around for a way to store scan results and then
> query them and I can't seem to locate any plugins or apps which do
On 2/5/18 2:10 PM, r hartikainen wrote:
> Hello everyone
> I am trying to find answer how Openscap should be used when there is need to
> run different minor versions of operating system, in my case its about rhel
> 7.2 and the very latest 7.x.
> I have piece of software that requires me to
On 8/22/18 2:01 PM, Marek Haicman wrote:
On 08/22/2018 07:37 PM, Dhanushka Parakrama wrote:
I'm new to Openscap
I able to scan my redhat and centos machines with Openscap for
oscap xccdf eval --profile "usgcb-rhel6-server" --report
On 9/5/18 6:20 AM, Dhanushka Parakrama wrote:
I Wanted to remove the few service checks from the profile
*xccdf_org.ssgproject.content_profile_anssi_np_nt28_high (Eg: Ensure
/tmp Located On Separate Partition ,
*xccdf_org.ssgproject.content_rule_partition_for_tmp ) and build new
On 2/28/18 9:24 AM, Geoffry Roberts wrote:
> I tried my first remote. scan and don't understand the result.
> I ran the following, which is almost a cut and past from the manual:
> oscap-ssh root@ xccdf eval --profile MAC-3_Sensitive --report
On 4/24/18 1:12 PM, Mohanraj, Bharath wrote:
> Thanks for the info…
> The first thing I want to avoid is my enduser machines hitting the
> internet for downloading packages… So, I prefer having them as RPM
> files locally and trigger installation of the same… But, in case the
On 10/22/18 7:22 AM, Gaurav Kamathe wrote:
I am a QA who needs to test some functionality when STIG is enabled on
a server (RHEL) by the user.
However the software does not provide any way to disable STIG (factory
reset is the only option).
Is there a workaround for this? Can i
On 10/9/18 7:38 AM, Jan Cerny wrote:
We are thrilled to announce general availability of OpenSCAP 1.3.0 release.
This is the first release from maint-1.3 maintenance branch. API/ABI is not
compatible with 1.2.x releases. API/ABI is not compatible with 1.3.0_alpha
On 10/10/18 5:01 AM, Jan Cerny wrote:
OpenSCAP support for Windows hasn't been improved much since the
1.3.0_alpha1 releases. The only thing that we have done
recently is that we added Windows CPEs to the inbuilt CPE dictionary.
How far along is Windows support? Saw the mention of
On 10/4/18 3:05 AM, Jan Cerny wrote:
Unfortunately, the "tailoring" feature is broken in Anaconda Addon.
However, there is a workaround, suggested by Watson Yuuma Sato (adding him to
Let me copy-paste his idea:
There is a tool that can combine the tailoring to the
On 11/27/18 6:23 PM, Boucher, William wrote:
I am currently hardening an Ubuntu embedded system for delivery to a
I have downloaded the “Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1”
from DISA, and I have obtained a copy of the SCAP Compliance checker
tool “SCC 5.0.2
Pulling the latest atomic scan shows the container image is still based
on RHEL 7.6 (vs 7.7) and contains very old scap-security-guide package.
When will it be rebased?
Open-scap-list mailing list
On 2/26/19 12:07 PM, Boucher, William wrote:
My only concern is that sometimes a government customer will mandate using some
flavor of RHEL 6, for whatever reason they may have. For example, we have a
government customer mandating we use 6.5 at the moment. And they are perfectly
On 2/4/19 2:27 PM, William Munyan wrote:
I’ll add to Steve’s point that if there is not current OVAL support
for the constructs you need, then the new OVAL
tests/objects/states/items would need to be created in either a new
OVAL schema or (more likely) as additions to the
On 2/6/19 1:11 PM, Greg Silverman wrote:
We want to use the DISA STIG for RHEL 7 V2R2 profile. The latest
scap-security-guide RPM has V1R4. How is a profile xml file consumed
Most use cases are covered in the RHEL documentation:
On 2/8/19 2:34 PM, Greg Silverman wrote:
Let me ask in a different way.
DISA published xml files
The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2
On 2/18/19 9:04 AM, Todd Williams wrote:
I am trying to find out how to go about opening a ticket against
openSCAP, can anyone point me in the right direction?
Depends where you're consuming it.
If using a commercial linux distro, would suggest opening a ticket with
them directly. For
On 2/14/19 12:21 PM, Marek Haicman wrote:
Hello, according to the v2r2, the check is supposed to be:
# cat /etc/pam.d/system-auth | grep pam_pwquality
password required pam_pwquality.so retry=3
If the command does not return an uncommented line containing the
On 1/29/19 11:14 PM, Boucher, William wrote:
I’ve been tasked with applying the RedHat 6 STIG to several RedHawk
Running oscap should be relatively easy, to see where a base install
sits initially (RedHawk is RedHat with modifications for embedded
On 2/4/19 6:08 PM, Steve Grubb wrote:
On Mon, 4 Feb 2019 11:06:00 -0500
Shawn Wells wrote:
When can OpenSCAP probes be expected for OpenShift?
Are you talking about new OVAL tests?
Probes so that OVAL tests could be created. Akin to the systemd probes
On 6/7/19 5:02 AM, harshad wadkar wrote:
Respected Madam / Sir,
I am referring the following url to know about open-scap and Ubuntu
I have one query :
1. At present, the severities
On 6/18/19 3:45 PM, Trevor Vaughan wrote:
At some point, these should probably be changed to correlate with the
Vulnerability Severity Assessment Scale as outlined in the NIST 800-30
since it is well defined, a public standard at no cost, and 0-100
which lines up with most people's internal
On 6/25/19 11:36 AM, Boucher, William wrote:
I figured it out!
That's great! To help others down the road who may have a similar issue,
what was the fix?
Open-scap-list mailing list
Would need to understand where the content is coming from. Perhaps
scap-security-guide in RHEL, and if so, what RHEL and SSG version?
Note red hat doesn’t publish rhel6 content in the National Checklist Program
since rhel6 is out of active maintenance:
On 8/7/19 2:58 PM, Greg Silverman wrote:
Is there any way within oscap to record the time taken for each rule’s
evaluation to complete? We sometimes see it taking over an hour to
complete on RHEL7 and want to understand why.
Could try verbose mode. Not sure if timestamps are generated.
Mail list logo