[Open-scap] SCAP Security Guide 0.1.31

Hi folks, We have the pleasure to announce that SCAP Security Guide release 0.1.31 has been created. Highlights of this release: * New Wind River Linux profiles, * Various STIG profile enhancements, * Ubuntu Xenial product has been added, * Support for Ansible remediations, * Refactored bu

[Open-scap] SCAP Workbench 1.1.4

Hi, A new release of SCAP Workbench is out! This release brings a lot of bug fixes and improvements, including a lot of UX improvements and fixes for inappropriate error messages (fetch remote resources and query capabilities). Keep in mind that Windows and MacOSX builds use unreleased OpenSCAP

Re: [Open-scap] SCAP Workbench 1.1.4

On 17/01/17 17:54, Watson Yuuma Sato wrote: If you edited the customization file, at least once after creating it, the wrong title is now in the customization file itself, so you will need to edit the file with a text editor to fix it. Actually, I think it is enough to edit the title within

Re: [Open-scap] Windows Support

On 13/02/17 20:32, Lubell, Joshua (Fed) wrote: I'm excited about the planned Windows support! Hi, happy to hear that. My particular interest relates to the SCAP Security Guide project. Specifically, I would like to be able to experiment with the SSG source and possibly contribute to SSG in t

Re: [Open-scap] OpenSCAP for embedded/network devices

On 25/02/17 16:43, Lee Wilson wrote: Hi Everyone, Hi Lee, sorry for delayed response. I've recently come across OpenSCAP after wasting my time with openVAS as a means of improving the way my company does vulnerability and configuration management of our network devices (e.g. Cisco, Junip

Re: [Open-scap] OpenSCAP for embedded/network devices

On 15/03/17 17:24, Eric Holtzclaw wrote: You do have support for Cisco http://www.cisco.com/c/en/us/about/security-center/oval-security-automation.html I see that Cisco provides OVAL content to scan their devices, and even provides an example of how to do so, but using joval, which can per

Re: [Open-scap] RHOSP system evaluation with Openscap

On 14/03/17 21:50, Shri Prakash Sikariwal wrote: Hi, Hello, System (Packstack newton deployed on RHEL7.3 virtual box VM) evaluation using policy ‘ssg-rhel-osp7-xccdf.xml’ shows 6 cases pass and 26 notchecked. Report is attached. This openscap security policy is downloaded from following l

Re: [Open-scap] Open-scap-list Digest, Vol 96, Issue 8

Hi Greg, On 17/03/17 21:06, Greg Silverman (CS) wrote: Still having problems, the generated script is an empty file. Here is the tailoring file I created, ssg-rhel7-ds-tailoring.xml, with the workbench. It is just an example, to verify I can customize the scanning and fix generation. This tai

[Open-scap] SCAP Security Guide 0.1.32

Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.32 has has been release. Highlights of this release: * New CMake build system * Improved NIST 800-171 profile * Initial RHVH profile * New CPE to identify systems like machines (bare-metal and VM) and containers

Re: [Open-scap] fetch remote resources on RHEL7 fails

On 07/04/17 07:17, Shawn Wells wrote: On 4/6/17 11:10 AM, Przemek Klosowski wrote: On a fresh-out-of-the-box+updated RHEL7 (with openscap-scanner-1.2.10-3.el7_3.x86_64) oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report /tmp/report.html /usr/share/x

[Open-scap] SCAP Security Guide 0.1.33

Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.33 has been released. Highlights of this release: * DISA RHEL7 STIG profile alignment improved * Introduction of remediation roles * RPM and DEB test packages are built by CMake with CPack * Lots of remediation f

[Open-scap] SCAP Security Guide 0.1.34

Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.33 has been released. Highlights of this release: * Unification of where templates and csv reside * Optimization and clean up of build system * Lots of Ansible remediations added * Bash remediation functions file

[Open-scap] SCAP Security Guide 0.1.35

Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.35 has been released. Highlights of this release: * Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017 * Added several templates for OVAL checks * Removal of input directory *

[Open-scap] SCAP Security Guide 0.1.36

Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.36 has been released. Highlights of this release:  * Introduction of SCAP Security Guide Test Suite  * Better alignment of RHEL6 and RHEL7 with DISA STIG  * Remove JBoss EAP5 content due to being End-of-Life  * N

[Open-scap] SCAP Security Guide 0.1.37

Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.37 has been released. Highlights of this release: * New Profile DISA STIG for Apache HTTP for RHEL7 * Support for Ansible remediations in SSG Test Suite * Better content support for DISA STIG Viewer For a more d

Re: [Open-scap] Patches on Red Hat 6

On 10/01/18 18:24, Jordi Llorens wrote: Hello   I'm using a SCAP Workbench 1.1.5 (OpenScap 1.3.0)   I want to check in a remote  Red Hat Server 6 the level of patches installed.  I've tried several profiles with no luck. Can you tell me wich profile can I use for check this? Hello, Any Profil

Re: [Open-scap] Patches on Red Hat 6

On 10/01/18 19:40, Jordi Llorens wrote: Hi  I've received FAIL on the :  Ensure Software Patches Installed  I have Internet connection. You might have a package that is not updated, please make sure they are.  This is the result of a Yum  repolist command execution : Loaded plugins: refresh-p

Re: [Open-scap] SCAP workbench on Windows 7

On 11/01/18 13:44, Sachin Vyas wrote: Hello, Could someone please help how to set up Scap Workbench on Windows 7 to perform remote machine scan using public-private key. I have not been able to resolve the win-ssh-askpass prompt issue. Thanks, Sachin -

Re: [Open-scap] SCAP workbench on Windows 7

On 11/01/18 14:40, Watson Yuuma Sato wrote: But if you are going to setup a remote Linux machine, it might be easier to just use CLI oscap-ssh, which is what SCAP Workbench relies on. Sorry, SCAP Workbench does not rely on oscap-ssh. But you still can use it if on remote Linus machine

Re: [Open-scap] SCAP workbench on Windows 7

workbench on Windows 7 To: open-scap-list@redhat.com, "Watson Yuuma Sato" Date: Thursday, January 11, 2018, 4:23 PM Thank you for the response. SCAP workbench installed under C:\Program Files (x86)\scap-workbench on Windows 7( This is the dir which has ssh binary

Re: [Open-scap] RHEL 7 GRUB2 boot password

On 23/01/18 13:29, Dan White wrote: Scanning some RHEL 7 VM's with the latest/greatest, I am getting a finding against the Boot Loader Password. I set it according to this RHEL 7 System Administrator's Guide page

Re: [Open-scap] RHEL 7 GRUB2 boot password

On 23/01/18 20:56, Dan White wrote: Something is very wrong here [root@jump-linux7 ~]# cat /etc/grub.d/01_users # ORIGINAL #!/bin/sh -e cat << EOF if [ -f \${prefix}/user.cfg ]; then   source \${prefix}/user.cfg   if [ -n "\${GRUB2_PASSWORD}" ]; then     set superusers="root"     export superuse

Re: [Open-scap] RHEL 6 - rsyslog vs rsyslog7

On 23/01/18 13:42, Dan White wrote: Another head-scratcher: RHEL 6 scan brings up findings saying rsyslog is not installed or configured. We are using the rsyslog7 package for compatibility with things like Splunk and LogStash and such. Is there a workaround or should I create a bug/issue ab

Re: [Open-scap] RHEL 7 GRUB2 boot password

On 24/01/18 21:05, Dan White wrote: "superusers should be root, admin or administrator" Are you sure it shouldn't be "superusers should *NOT* be root, admin or administrator" ? You are correct, the superuser should not be root, admin nor administrator. I changed mine from "root" to "grub.ro

Re: [Open-scap] oscap-ssh use questions

On 26/01/18 19:39, Dan White wrote: Hello Dan, sorry for late response A two question head-scratcher: "admin" has sudo-NOPASSWD permissions and an ssh key pair in place. The scan works, but what do I need to change to get the results pulled back to the server sending the command ? This is a

Re: [Open-scap] oscap-ssh use questions

On 06/02/18 15:58, Watson Yuuma Sato wrote: Also, is there any way to push the oval file to the remote server being scanned rather than it trying to reach out to redhat.com and failing ? Currently, there is no way to do that via oscap-ssh. For the time being, a workaround that can work is

[Open-scap] SCAP Security Guide 0.1.38

Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.38 has been released. Highlights of this release: * New License - BSD-3 Clause * New Profiles for development introduced:     * ANSSI     * HIPAA     * C2S-Docker * Adoption of CTest for schema validation * Sever

Re: [Open-scap] Open SCAP on Cray

On 15/03/18 22:58, Lamborn, Peter Craig wrote: I want to run openSCAP on my Cray system, which uses a SUSE based OS. > cat /etc/SuSE-release SUSE Linux Enterprise Server 12 (x86_64) VERSION = 12 PATCHLEVEL = 3 # This file is deprecated and will be removed in a future service pack or release.

Re: [Open-scap] Result Reference ID's not importing over

On 13/04/18 14:19, Donald, Jason E wrote: Greetings Thank you for the update on importing the STIG results into STIGviewer from a RHEL7 scan. I noticed that only some of the checks are imported over and it leaves at least 149 not reviewed. The result reference ID's were not found in the Checkl

[Open-scap] SCAP Security Guide 0.1.39

Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.39 has been released. Highlights of this release: * XCCDF Rules moved to yaml format * Jinja2 templating for Rules, Checks and remediation introduced * Profile IDs simplified * Product Oracle Linux 7 added * Comm

[Open-scap] Fedora Updates for SCAP Security Guide

Hello, There are Fedora updates for SCAP Security Guides package updating it to latest upstream, version 0.1.39. Fedora 28 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-3f713ee7a8 Fedora 27 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-9516859f4b Fedora 26 - https://bodhi.fed

Re: [Open-scap] Scanning Ubuntu / Debian servers with openscap

Hello Dhanushka, On 23/08/18 15:43, Dhanushka Parakrama wrote: Hi Marek and All Thanks for the input , I downloaded https://github.com/OpenSCAP/scap-security-guide/releases  and  ran the scan on *Ubuntu 14.04.1 LTS *machine but got following error in the output  , Is there any reason for tha

Re: [Open-scap] syslog-ng setting issue in debian 8

On 29/08/18 11:05, Dhanushka Parakrama wrote: Hi  Team Hello Dhanushka, What version of SSG are you using? This looks like a bug on 0.1.40 release, the package and service names used in bash remediation for syslog-ng are different than your commands, we use "syslogng" for package and service

Re: [Open-scap] syslog-ng setting issue in debian 8

On 29/08/18 11:35, Dhanushka Parakrama wrote: Hi  Watson On Wed, 29 Aug 2018 at 14:51, Watson Yuuma Sato <mailto:ws...@redhat.com>> wrote: On 29/08/18 11:05, Dhanushka Parakrama wrote: Hi  Team Hello Dhanushka, What version of SSG are you using? This looks l

Re: [Open-scap] Set SSH Idle Timeout Interval Debian 8

On 29/08/18 19:00, Dhanushka Parakrama wrote: Guys Hello Dhanushka, The "anssi_np_nt28_high profile" extends "anssi_np_nt28_restrictive", which "extends anssi_np_nt28_average". And "average" Profile sets value "sshd_idle_timeout_value=5_minutes", i.e. 300. So value 400 for ClientAliveInterva

Re: [Open-scap] Ensure Log Files Are Owned By Appropriate Group setting Issue in Debian 8

On 29/08/18 18:34, Dhanushka Parakrama wrote: Hi  Team We have ran the scan for debian 8 using below command *oscap  xccdf eval   --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html  ssg-debian8-ds.xml* * * Got alerts as below , === * * image.pn

Re: [Open-scap] Ensure Log Files Are Owned By Appropriate Group setting Issue in Debian 8

n Fri, 31 Aug 2018 at 18:28, Watson Yuuma Sato <mailto:ws...@redhat.com>> wrote: On 29/08/18 18:34, Dhanushka Parakrama wrote: Hi  Team We have ran the scan for debian 8 using below command *oscap  xccdf eval   --profile xccdf_org.ssgproject.content_profile_anss

[Open-scap] SCAP Security Guide 0.1.41

Hello everybody, We have the pleasure to announce release of SCAP Security Guide 0.1.41. Although it is named SCAP Security Guide, the project is now under ComplianceAsCode organization (https://github.com/ComplianceAsCode/content). For more on this move, see https://lists.fedorahosted.org/arc

[Open-scap] Fedora updates for SCAP Security Guide 0.1.41

Hello, I've proposed updates to Fedora packages for scap-security-guide-0.1.41. If you can, please, test and provide karma. Fedora 29 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d60f79d06 Fedora 28 - https://bodhi.fedoraproject.org/updates/FEDORA-2018-bad4ea7d4f Thank you for your t