Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-02-04 Thread Boucher, William 
Thanks Gary! Got your other note. Will look into your comments there and will 
pursue going after RedHawk 6.5 (my other task) using RedHat 5.5 OpenScap and 
DISA xccdf, oval, etc. for that (as suggested by RedHawk folks), if I get stuck 
on Ubuntu, to validate the current oscap process and work out any other issues 
first. Not out of oxygen yet!

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Monday, February 4, 2019 10:26 AM
To: Boucher, William 
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

I can look but if your oxygen will run out before 48 hours you may wish to 
order out for extra.


On 2/4/19 11:05 AM, Boucher, William wrote:
Gary,

Is anybody looking at this on the development side (determining why so many 
rules end up nonapplicable and if the passes and fails are the result of an 
accurate evaluation)?

Thanks,

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: 
open-scap-list-boun...@redhat.com<mailto:open-scap-list-boun...@redhat.com> 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of Boucher, William
Sent: Monday, February 4, 2019 9:04 AM
To: Gary Gapinski <mailto:gapin...@nasa.gov>
Cc: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

Gary,

Similar results with Ububtu 16.04. Not all results were notapplicable, score 
was given as 25%.

After building openscap and ComplianceAsCode/content I ran:

sudo oscap xccdf eval –profile standard –results ./xccdf-results.xml –cpe 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml

sudo oscap oval eval –results ./oval-results.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml

sudo oscap xccdf generate report –oval-template ./oval-results.xml 
./xccdf-results.xml > ./report-xccdf-oval.html

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.

Running:

sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report 
./report-ds.html –results ./results-ds.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

produced the same numbers in the ds-generated report.

I see the value in using the data stream. But the “notapplicable” items are 
largely applicable and should be evaluated.

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William mailto:william.bouc...@mza.com>>
Cc: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

On 1/25/19 10:33 AM, Boucher, William wrote:
Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.
If I am building OpenSCAP over my previous install of the libopenscap8 package, 
do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and 
preferentially (via $PATH) rather than the one from the distro (or just not 
install from the distro). I use cmake-gui ../ from within the openscap/build 
directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, 
configure, generate; make; sudo make install). Installing on top of the distro 
version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from 
the cloned (and built) repo, but if you install it I think it best to choose 
the same installation target (e.g., /usr/local) as that of OpenSCAP.

A functional (and available) install of OpenSCAP is a pre-requisite for 
building ComplianceAsCode.

Regards,

Gary
--
Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959 — office
℡ +1 216 820 1849 — mobile
gapin...@nasa.gov<mailto:gapin...@nasa.gov>


--

Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959 — office
℡ +1 216 820

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-02-04 Thread Gary Gapinski 

  
  
I can look but if your oxygen will run
  out before 48 hours you may wish to order out for extra.





On 2/4/19 11:05 AM, Boucher, William
  wrote:


  
  
  
  
Gary,
 
Is
anybody looking at this on the development side (determining
why so many rules end up nonapplicable and if the passes and
fails are the result of an accurate evaluation)?
 
Thanks,
 
   
--Bill
 

  William
  B. Boucher, BSEE
  Embedded
  Systems Software Engineer
  
  Information Systems Security Manager
  MZA
  Associates Corporation
  4900
  Lang Ave. NE, Suite 100
  Albuquerque,
  NM 87109-9708
  Phone:
  505.245.9970 x166
  Fax:
  505.245.9971
  Cell:
  505.459.7620
  william.bouc...@mza.com

 

  
From:
open-scap-list-boun...@redhat.com
[mailto:open-scap-list-boun...@redhat.com]
On Behalf Of Boucher, William
Sent: Monday, February 4, 2019 9:04 AM
To: Gary Gapinski 
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical
Ubuntu 16.04 LTS
  

 
Gary,
 
Similar
results with Ububtu 16.04. Not all results were
notapplicable, score was given as 25%.
 
After
building openscap and ComplianceAsCode/content I ran:
 
sudo oscap xccdf eval –profile
standard –results ./xccdf-results.xml –cpe
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml
 
sudo oscap oval eval –results
./oval-results.xml
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml
 
sudo oscap xccdf generate report
–oval-template ./oval-results.xml ./xccdf-results.xml >
./report-xccdf-oval.html
 
15
rules passed, 6 inconclusive (unknown) and all the rest (24)
notapplicable.
 
Running:
 
sudo oscap xccdf eval –profile
standard –results-arf ./results-arf.xml –report
./report-ds.html –results ./results-ds.xml
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml
 
produced
the same numbers in the ds-generated report.
 
I
see the value in using the data stream. But the
“notapplicable” items are largely applicable and should be
evaluated.
 
   
--Bill
 

  William
  B. Boucher, BSEE
  Embedded
  Systems Software Engineer
  
  Information Systems Security Manager
  MZA
  Associates Corporation
  4900
  Lang Ave. NE, Suite 100
  Albuquerque,
  NM 87109-9708
  Phone:
  505.245.9970 x166
  Fax:
  505.245.9971
  Cell:
  505.459.7620
  william.bouc...@mza.com

 

  
From:
Gary Gapinski [mailto:gapin...@nasa.gov]

Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William <william.bouc...@mza.com>
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical
        Ubuntu 16.04 LTS
  

 

  On 1/25/19 10:33 AM, Boucher, William
wrote:


  Thank
  you, Gary! I will attempt next to duplicate your process
  with Ubuntu 1604.

I may as well but cannot guarantee timeliness.

  If
  I am building OpenSCAP over my previous install of the
  libopenscap8 package, do I need to remove libopenscap8
  first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure
  it is used separately and preferentially (via
  $PATH) rather
  than the one from the distro (or just not install from the
  distro). I use
  cmake-gui ../
  from within the 
openscap/build
  directory and change 
CMAKE_INSTALL_PREFIX
  to /usr/local
  (cmake-gui,
  tweak, configure, generate;
  make; sudo mak

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-02-04 Thread Boucher, William 
Gary,

Is anybody looking at this on the development side (determining why so many 
rules end up nonapplicable and if the passes and fails are the result of an 
accurate evaluation)?

Thanks,

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: open-scap-list-boun...@redhat.com 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of Boucher, William
Sent: Monday, February 4, 2019 9:04 AM
To: Gary Gapinski 
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

Gary,

Similar results with Ububtu 16.04. Not all results were notapplicable, score 
was given as 25%.

After building openscap and ComplianceAsCode/content I ran:

sudo oscap xccdf eval –profile standard –results ./xccdf-results.xml –cpe 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml

sudo oscap oval eval –results ./oval-results.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml

sudo oscap xccdf generate report –oval-template ./oval-results.xml 
./xccdf-results.xml > ./report-xccdf-oval.html

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.

Running:

sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report 
./report-ds.html –results ./results-ds.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

produced the same numbers in the ds-generated report.

I see the value in using the data stream. But the “notapplicable” items are 
largely applicable and should be evaluated.

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William mailto:william.bouc...@mza.com>>
Cc: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

On 1/25/19 10:33 AM, Boucher, William wrote:
Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.
If I am building OpenSCAP over my previous install of the libopenscap8 package, 
do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and 
preferentially (via $PATH) rather than the one from the distro (or just not 
install from the distro). I use cmake-gui ../ from within the openscap/build 
directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, 
configure, generate; make; sudo make install). Installing on top of the distro 
version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from 
the cloned (and built) repo, but if you install it I think it best to choose 
the same installation target (e.g., /usr/local) as that of OpenSCAP.

A functional (and available) install of OpenSCAP is a pre-requisite for 
building ComplianceAsCode.

Regards,

Gary
--
Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959 — office
℡ +1 216 820 1849 — mobile
gapin...@nasa.gov<mailto:gapin...@nasa.gov>
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-02-04 Thread Boucher, William 
Gary,

Similar results with Ububtu 16.04. Not all results were notapplicable, score 
was given as 25%.

After building openscap and ComplianceAsCode/content I ran:

sudo oscap xccdf eval –profile standard –results ./xccdf-results.xml –cpe 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml

sudo oscap oval eval –results ./oval-results.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml

sudo oscap xccdf generate report –oval-template ./oval-results.xml 
./xccdf-results.xml > ./report-xccdf-oval.html

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.

Running:

sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report 
./report-ds.html –results ./results-ds.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

produced the same numbers in the ds-generated report.

I see the value in using the data stream. But the “notapplicable” items are 
largely applicable and should be evaluated.

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William 
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

On 1/25/19 10:33 AM, Boucher, William wrote:
Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.
If I am building OpenSCAP over my previous install of the libopenscap8 package, 
do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and 
preferentially (via $PATH) rather than the one from the distro (or just not 
install from the distro). I use cmake-gui ../ from within the openscap/build 
directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, 
configure, generate; make; sudo make install). Installing on top of the distro 
version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from 
the cloned (and built) repo, but if you install it I think it best to choose 
the same installation target (e.g., /usr/local) as that of OpenSCAP.

A functional (and available) install of OpenSCAP is a pre-requisite for 
building ComplianceAsCode.

Regards,

Gary
--

Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959 — office
℡ +1 216 820 1849 — mobile
gapin...@nasa.gov<mailto:gapin...@nasa.gov>
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-01-25 Thread Gary Gapinski 

  
  
On 1/25/19 10:33 AM, Boucher, William
  wrote:


  Thank
  you, Gary! I will attempt next to duplicate your process with
  Ubuntu 1604.

I may as well but cannot guarantee timeliness.
If
I am building OpenSCAP over my previous install of the
libopenscap8 package, do I need to remove libopenscap8 first or
can I just make-install over it?
I place the OpenSCAP install in /usr/local and ensure
  it is used separately and preferentially (via $PATH)
  rather than the one from the distro (or just not install from the
  distro). I use cmake-gui ../ from within the openscap/build
  directory and change CMAKE_INSTALL_PREFIX to /usr/local
  (cmake-gui, tweak, configure, generate; make; sudo
make install). Installing on top of the distro version will
  likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the
  content from the cloned (and built) repo, but if you install it I
  think it best to choose the same installation target (e.g., /usr/local)
  as that of OpenSCAP.
A functional (and available) install of OpenSCAP is a
  pre-requisite for building ComplianceAsCode.
Regards,
Gary

-- 
  
  Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959
— office
℡ +1 216 820 1849
— mobile
gapin...@nasa.gov
  

  


___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-01-23 Thread Gary Gapinski 

  
  
I just took a look at OpenSCAP and
  ComplianceAsCode.


I obtained results that were at
  variance with yours, and which failed to attain Glorious Victory.



Some comments inline.



On 1/23/19 10:10 AM, Boucher, William
  wrote:


  OK!
  I downloaded the latest scap-security-guide source from Git
  and built it for Ubuntu 1604. It compiles and runs!

Using an Ubuntu 18.04 instance as a platform, I obtained, built,
  and installed https://github.com/OpenSCAP/openscap.
I also obtained and built https://github.com/ComplianceAsCode/content
  on the same system.


  
  Next
  challenge, during the compile it had trouble scanning the Oval
  file for controls it was to evaluate, and it marked all of
  those it didn’t find as “not applicable”. So I got a score of
  100%, but none of the challenging controls were evaluated. (I
  used an oval file I found in the source tree but I guess it
  was not complete.)

Using «oscap xccdf eval --profile
xccdf_org.ssgproject.content_profile_standard --results-arf
results-arf.xml --report report.html --results results.xml
ssg-ubuntu1804-ds.xml» all results were notapplicable.
I commented out line #10606 (the 
  designator) in ssg-ubuntu1804-ds.xml and ran the
  evaluation again. This time some of the rules were evaluated, some
  passed, some failed, some resulted in error, some were
  notapplicable (for no apparent reason).
I then ran the same evaluation as root («sudo oscap …»),
  and obtained passes, fails, and notapplicables, but no errors. The
  report was at variance with the input data stream with respect to
  rules selected in the data stream (the profile selects more rules
  than appear in the eval report — 45 vs 38 respectively).
Note that I am using the data stream (ssg-ubuntu1804-ds.xml)
  and not, directly, the related OVAL (ssg-ubuntu1804-oval.xml).
  I have a profound antipathy toward OVAL, and prefer to avoid close
  contact.


  
  Apparently
  I need more or better benchmark files for Ubuntu in the
  OpenSCAP “/usr/share/openscap” and “/usr/share/openscap/cpe”
  directories (openscap-cpe-dictionary.xml,
   openscap-cpe-oval.xml, openscap-ubuntu1604-cpe-dictionary.xml
  and  openscap-ubuntu1604-cpe-oval.xml
  in the openscap/cpe directory and scap-ubuntu1604-oval.xml,
  scap-ubuntu1604-ocil.xml and scap-ubuntu-1604-ds.xml in the
  openscap directory).

I used git head to build the content I used. The data stream
  encapsulates the related XCCDF and OVAL documents.


  
  These
  files do not appear to be in the source from Git and they were
  not installed with the libopenscap8 package. Google is not
  helping me with this challenge. Can you guys direct me to
  where I can find these files so I can build and run a complete
  scan of my system(s)?

I expect you would obtain similar results on 16.04. Determining
  why rules end up notapplicable, or seem to be skipped during
  evaluation, will require additional inspection, as will evaluating
  the veracity of the passes and fails.

Regards,
Gary

-- 
  
  Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959
— office
℡ +1 216 820 1849
— mobile
gapin...@nasa.gov
  

  


___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-01-23 Thread Jan Cerny 
Hi,

You're correct that SCAP Security Guide was not shipped as a package in Ubuntu 
16.04, but it is
shipped in Ubuntu 18.04.

The file “U_Canonical_16-04_LTS_V1R1_STIG.zip" is a different content, which 
isn't provided by
SCAP Security Guide project, but is provided by DISA.


Regards

Jan Černý
Security Technologies | Red Hat, Inc.

- Original Message -
> From: "William Boucher" 
> To: "Watson Sato" 
> Cc: open-scap-list@redhat.com
> Sent: Monday, January 21, 2019 11:55:54 PM
> Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS
> 
> 
> 
> Stuart and Watson,
> 
> 
> 
> I found the packages for Ubuntu 18.04 (“cosmic”) but not for Ubuntu 16.04
> (“xenial”). The DISA STIG is written specifically for Ubuntu 16.04
> (“U_Canonical_16-04_LTS_V1R1_STIG.zip”). Am I not looking in the right place
> for the SSG?
> 
> 
> 
> I found the ssg packages for Ubuntu 18.04 at
> https://packages.ubuntu.com/search?suite=cosmic=names=ssg
> , but they are not in the 16.04 package listing at
> https://packages.ubuntu.com/search?suite=xenial=names=ssg
> .
> 
> 
> 
> Could they be in another repository for 16.04? (Note I am using the latest
> xenial, 16.04.5, which has the same Linux kernel as the latest cosmic
> release, 4.15.)
> 
> 
> 
> Thank you for your help and patience,
> 
> 
> 
> --Bill
> 
> 
> 
> William B. Boucher, BSEE
> 
> Embedded Systems Software Engineer
> Information Systems Security Manager
> 
> MZA Associates Corporation
> 
> 4900 Lang Ave. NE, Suite 100
> 
> Albuquerque, NM 87109-9708
> 
> Phone: 505.245.9970 x166
> 
> Fax: 505.245.9971
> 
> Cell: 505.459.7620
> 
> william.bouc...@mza.com
> 
> 
> 
> From: Watson Sato [mailto:ws...@redhat.com]
> Sent: Monday, January 7, 2019 7:58 AM
> To: Boucher, William 
> Cc: Newman, Stuart J. (GSFC-491.0)[KBRwyle] ;
> open-scap-list@redhat.com
> Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS
> 
> 
> 
> 
> Hello,
> 
> 
> 
> 
> 
> 
> 
> 
> On Wed, Nov 28, 2018 at 5:39 PM Boucher, William < william.bouc...@mza.com >
> wrote:
> 
> 
> 
> 
> 
> Stuart,
> 
> 
> 
> How do I get the current/latest scap security guide?
> 
> 
> 
> 
> Latest pre-built content can be grabbed at
> https://github.com/ComplianceAsCode/content/releases , just download the zip
> file.
> 
> 
> 
> 
> 
> 1) I went to https://www.open-scap.org/security-policies/scap-security-guide/
> and clicked on the Ubuntu symbol to get directions for installing it, but
> that gave message “The SCAP Security Guide package is not available on the
> Ubuntu distribution yet. Check for update.”
> 
> 
> The website needs to updated, there are SCAP Security Guide packages for
> Ubuntu and Debian.
> 
> 
> 
> 
> 
> 2) “apt-get install scap-security-guide” produced the error “Unable to locate
> package scap-security-guide.”
> 
> 
> 
> 
> 
> It seems that the packages are named slightly different in Ubuntu, see:
> https://packages.ubuntu.com/source/disco/scap-security-guide
> 
> 
> 
> 
> 
> 
> 
> I did successfully install libopenscap8 (“apt-get install libopenscap8”).
> 
> 
> 
> All help is appreciated.
> 
> 
> 
> 
> William B. Boucher, BSEE
> 
> Embedded Systems Software Engineer
> Information Systems Security Manager
> 
> MZA Associates Corporation
> 
> 2021 Girard Blvd., SE, Suite 150
> 
> Albuquerque, New Mexico 87106
> 
> Phone: 505.245.9970 x166
> 
> Fax: 505.245.9971
> 
> Cell: 505.459.7620
> 
> william.bouc...@mza.com
> 
> 
> 
> 
> 
> From: Newman, Stuart J. (GSFC-491.0)[KBRwyle] [mailto:
> stuart.j.new...@nasa.gov ]
> Sent: Wednesday, November 28, 2018 4:19 AM
> To: Boucher, William < william.bouc...@mza.com >; open-scap-list@redhat.com
> Subject: RE: Benchmark for Canonical Ubuntu 16.04 LTS
> 
> 
> 
> 
> The current (0.1.41) version of the scap security guide has Ubuntu
> benchmarks.
> 
> 
> 
> 
> Stuart J Newman
> 
> 
> 
> 
> 
> 
> 
> Engineer 4; Systems
> 
> NASA/Goddard Space Flight Center, Building 14 Room 252 | Greenbelt, Maryland
> 20771 | USA
> 
> Office: +1 301. 286.5145 | Mobile: +1443.878.6146 | stuart.j.new...@nasa.gov
> 
> 
> 
> 
> 
> 
> 
> This e-mail, including any attached files, may contain confidential and
> privileged information for the sole use of the intended recipient. Any
> review, use, distribution, or disclosure by others is strictly prohibited.
> If you are not the intended recipient (or authorized to receive inf

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2019-01-07 Thread Watson Sato 
Hello,


On Wed, Nov 28, 2018 at 5:39 PM Boucher, William 
wrote:

> Stuart,
>
>
>
> How do I get the current/latest scap security guide?
>
>
>
Latest pre-built content can be grabbed at
https://github.com/ComplianceAsCode/content/releases, just download the zip
file.

> 1)  I went to
> https://www.open-scap.org/security-policies/scap-security-guide/ and
> clicked on the Ubuntu symbol to get directions for installing it, but that
> gave message “The SCAP Security Guide package is not available on the
> Ubuntu distribution yet. Check for update.”
>
The website needs to updated, there are SCAP Security Guide packages for
Ubuntu and Debian.

> 2)  “apt-get install scap-security-guide” produced the error “Unable
> to locate package scap-security-guide.”
>

It seems that the packages are named slightly different in Ubuntu, see:
https://packages.ubuntu.com/source/disco/scap-security-guide

>
>
> I did successfully install libopenscap8 (“apt-get install libopenscap8”).
>
>
>
> All help is appreciated.
>
>
>
> William B. Boucher, BSEE
>
> Embedded Systems Software Engineer
> Information Systems Security Manager
>
> MZA Associates Corporation
>
> 2021 Girard Blvd., SE, Suite 150
>
> Albuquerque, New Mexico 87106
>
> Phone: 505.245.9970 x166
>
> Fax: 505.245.9971
>
> Cell: 505.459.7620
>
> *william.bouc...@mza.com *
>
>
>
> *From:* Newman, Stuart J. (GSFC-491.0)[KBRwyle] [mailto:
> stuart.j.new...@nasa.gov]
> *Sent:* Wednesday, November 28, 2018 4:19 AM
> *To:* Boucher, William ;
> open-scap-list@redhat.com
> *Subject:* RE: Benchmark for Canonical Ubuntu 16.04 LTS
>
>
>
> The current (0.1.41) version of the scap security guide has Ubuntu
> benchmarks.
>
>
>
> *Stuart J Newman*
>
>
>
>
>
> Engineer 4; Systems
>
> NASA/Goddard Space Flight Center, Building 14 Room 252 |  Greenbelt,
> Maryland 20771 |  USA
>
> Office: +1 301. 286.5145 |  Mobile: +1443.878.6146  |
> stuart.j.new...@nasa.gov
>
>
>
>
> --
>
> This e-mail, including any attached files, may contain confidential and
> privileged information for the sole use of the intended recipient.  Any
> review, use, distribution, or disclosure by others is strictly prohibited.
> If you are not the intended recipient (or authorized to receive information
> for the intended recipient), please contact the sender by reply e-mail and
> delete all copies of this message.
>
>
>
> *From:* open-scap-list-boun...@redhat.com <
> open-scap-list-boun...@redhat.com> *On Behalf Of *Boucher, William
> *Sent:* November 27, 2018 18:23
> *To:* open-scap-list@redhat.com
> *Subject:* [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS
>
>
>
>
>
> Hi folks,
>
>
>
> I am currently hardening an Ubuntu embedded system for delivery to a
> customer.
>
>
>
> I have downloaded the “Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1” from
> DISA, and I have obtained a copy of the SCAP Compliance checker tool “SCC
> 5.0.2 Ubuntu 16 AMD64”.
>
>
>
> What I am missing is an SCAP Benchmark file for Ubuntu 16.04. Does one
> exist?
>
>
>
> I would like to use OpenSCAP to harden then scan this IS. The Open-SCAP
> BASE page says that Ubuntu is supported, so I can get the tools installed.
> But without a benchmark how would I proceed from there?
>
>
>
> Thank you,
>
>
>
> --Bill
>
> William B. Boucher, BSEE
>
> Embedded Systems Software Engineer
> Information Systems Security Manager
>
> MZA Associates Corporation
>
> 2021 Girard Blvd., SE, Suite 150
>
> Albuquerque, New Mexico 87106
>
> Phone: 505.245.9970 x166
>
> Fax: 505.245.9971
>
> Cell: 505.459.7620
>
> *william.bouc...@mza.com *
>
>
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list



-- 
Watson Sato
Security Technologies | Red Hat, Inc
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2018-11-28 Thread Boucher, William 
Stuart,

How do I get the current/latest scap security guide?


1)  I went to 
https://www.open-scap.org/security-policies/scap-security-guide/ and clicked on 
the Ubuntu symbol to get directions for installing it, but that gave message 
"The SCAP Security Guide package is not available on the Ubuntu distribution 
yet. Check for update."

2)  "apt-get install scap-security-guide" produced the error "Unable to 
locate package scap-security-guide."

I did successfully install libopenscap8 ("apt-get install libopenscap8").

All help is appreciated.

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
2021 Girard Blvd., SE, Suite 150
Albuquerque, New Mexico 87106
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Newman, Stuart J. (GSFC-491.0)[KBRwyle] [mailto:stuart.j.new...@nasa.gov]
Sent: Wednesday, November 28, 2018 4:19 AM
To: Boucher, William ; open-scap-list@redhat.com
Subject: RE: Benchmark for Canonical Ubuntu 16.04 LTS

The current (0.1.41) version of the scap security guide has Ubuntu benchmarks.

Stuart J Newman

[cid:image001.png@01D486FB.CB9219D0]

Engineer 4; Systems
NASA/Goddard Space Flight Center, Building 14 Room 252 |  Greenbelt, Maryland 
20771 |  USA
Office: +1 301. 286.5145 |  Mobile: +1443.878.6146  |  
stuart.j.new...@nasa.gov<mailto:stuart.j.new...@nasa.gov>



This e-mail, including any attached files, may contain confidential and 
privileged information for the sole use of the intended recipient.  Any review, 
use, distribution, or disclosure by others is strictly prohibited.  If you are 
not the intended recipient (or authorized to receive information for the 
intended recipient), please contact the sender by reply e-mail and delete all 
copies of this message.

From: 
open-scap-list-boun...@redhat.com<mailto:open-scap-list-boun...@redhat.com> 
mailto:open-scap-list-boun...@redhat.com>> 
On Behalf Of Boucher, William
Sent: November 27, 2018 18:23
To: open-scap-list@redhat.com<mailto:open-scap-list@redhat.com>
Subject: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS


Hi folks,

I am currently hardening an Ubuntu embedded system for delivery to a customer.

I have downloaded the "Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1" from DISA, 
and I have obtained a copy of the SCAP Compliance checker tool "SCC 5.0.2 
Ubuntu 16 AMD64".

What I am missing is an SCAP Benchmark file for Ubuntu 16.04. Does one exist?

I would like to use OpenSCAP to harden then scan this IS. The Open-SCAP BASE 
page says that Ubuntu is supported, so I can get the tools installed. But 
without a benchmark how would I proceed from there?

Thank you,

--Bill
William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
2021 Girard Blvd., SE, Suite 150
Albuquerque, New Mexico 87106
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2018-11-28 Thread Newman, Stuart J. (GSFC-491.0)[KBRwyle] 
The current (0.1.41) version of the scap security guide has Ubuntu benchmarks.

Stuart J Newman

[cid:image001.png@01D486E2.3DCCA660]

Engineer 4; Systems
NASA/Goddard Space Flight Center, Building 14 Room 252 |  Greenbelt, Maryland 
20771 |  USA
Office: +1 301. 286.5145 |  Mobile: +1443.878.6146  |  stuart.j.new...@nasa.gov



This e-mail, including any attached files, may contain confidential and 
privileged information for the sole use of the intended recipient.  Any review, 
use, distribution, or disclosure by others is strictly prohibited.  If you are 
not the intended recipient (or authorized to receive information for the 
intended recipient), please contact the sender by reply e-mail and delete all 
copies of this message.

From: open-scap-list-boun...@redhat.com  On 
Behalf Of Boucher, William
Sent: November 27, 2018 18:23
To: open-scap-list@redhat.com
Subject: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS


Hi folks,

I am currently hardening an Ubuntu embedded system for delivery to a customer.

I have downloaded the "Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1" from DISA, 
and I have obtained a copy of the SCAP Compliance checker tool "SCC 5.0.2 
Ubuntu 16 AMD64".

What I am missing is an SCAP Benchmark file for Ubuntu 16.04. Does one exist?

I would like to use OpenSCAP to harden then scan this IS. The Open-SCAP BASE 
page says that Ubuntu is supported, so I can get the tools installed. But 
without a benchmark how would I proceed from there?

Thank you,

--Bill
William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
2021 Girard Blvd., SE, Suite 150
Albuquerque, New Mexico 87106
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2018-11-27 Thread Shawn Wells 



On 11/27/18 6:23 PM, Boucher, William wrote:


Hi folks,

I am currently hardening an Ubuntu embedded system for delivery to a 
customer.


I have downloaded the “Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1” 
from DISA, and I have obtained a copy of the SCAP Compliance checker 
tool “SCC 5.0.2 Ubuntu 16 AMD64”.


What I am missing is an SCAP Benchmark file for Ubuntu 16.04. Does one 
exist?


I would like to use OpenSCAP to harden then scan this IS. The 
Open-SCAP BASE page says that Ubuntu is supported, so I can get the 
tools installed. But without a benchmark how would I proceed from there?




Looks like DISA does not publish SCAP content for their Ubuntu STIG:

https://iase.disa.mil/stigs/scap/Pages/index.aspx


___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

[Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

2018-11-27 Thread Boucher, William 

Hi folks,

I am currently hardening an Ubuntu embedded system for delivery to a customer.

I have downloaded the "Canonical Ubuntu 16.04 LTS STIG Ver 1, Rel 1" from DISA, 
and I have obtained a copy of the SCAP Compliance checker tool "SCC 5.0.2 
Ubuntu 16 AMD64".

What I am missing is an SCAP Benchmark file for Ubuntu 16.04. Does one exist?

I would like to use OpenSCAP to harden then scan this IS. The Open-SCAP BASE 
page says that Ubuntu is supported, so I can get the tools installed. But 
without a benchmark how would I proceed from there?

Thank you,

--Bill
William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
2021 Girard Blvd., SE, Suite 150
Albuquerque, New Mexico 87106
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list