Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-15 Thread Steve Grubb
Hello Shawn,

On Wednesday, February 13, 2019 3:59:30 PM EST Shawn Wells wrote:
> On 2/11/19 7:38 PM, Steve Grubb wrote:
> > On Thursday, February 7, 2019 1:23:58 PM EST Shawn Wells wrote:
> >> So then, to rephrase the question, when will there be OVAL
> >> tests/subjects/states/items for OpenShift, akin to how there are for
> >> systemd and SELinux?
> > 
> > Those were created specifically to address problems in drafting content
> > for the USGCB settings a long time ago. They were created because there
> > was no other good way of getting the information.
> > 
> >> Would be extremely surprising to learn this process hasn't been started
> >> already, but getting the sense it hasn't been. Not really sure who to
> > direct the question to, likely Marek and Matej?
> > 
> > Things aren't created until there's a demonstrated need. What is the
> > underlying configuration that you are trying to read? What parts of the
> > config are needed? Where is this information kept?
> 
> Seems like there is an ever-growing backlog of probes that need creation.

Maybe and maybe not. OVAL tests fall into 2 categories, static and dynamic. 
The static tests are preferred because they scamper across a hard drive and 
gather information. These probes work even if you are examining the hard 
drive from another system. And they do not affect system state in any way. 
This safety of use has been something the OVAL editorial board liked. And 
this is also the reason why a scripting option has never been approved.

The dynamic probes require that the system is booted and operational. In this 
mode it queries interfaces, makes various system calls to query internal 
information the kernel has, or maybe even dbus calls to systemd. These probes 
are problematic because you cannot assess a system that is "down". You cannot 
check processes, mounts, or network interfaces unless the system is up. There 
is also a danger that somehow this can be abused and cause a change of system 
state. Checking a mount point can cause the automounter to do a mount. In 
that case scanning changed the system.

So, it all depends on what you want to check. Generally what is expected is 
to check the file system for configuration. I realize now that there is a 
mistake in the systemd probe because it actually calls systemd. What I had 
intended it to do is parse the file just like systemd does with shipped config 
in /usr/lib and overrides in /etc. This would have made it generic enough to 
use for other daemons that are using that same scheme. But it was more 
expeditious to just call systemctl and parse its output.

In any event, checking the files for configuration should be do-able today. Are 
there some kind of dynamic tests that you are thinking of? Generally dynamic 
tests are used for CyBox where static tests are used for XCCDF.

> Quick examples of polling dconf db, and parsing "oc get" commands for
> OpenShift settings. Neither keeps their state in config files so need to
> use those commands specifically.

dconf db probably would have used the parser I thought we were getting. As 
for "oc get", typically content should check what the config would be for next 
boot. Dynamic tests are not suited to that because what's on disk may not 
match how the system is running right now. And this causes content to be 
written where it mixes checking current state vs what it would be for next 
boot with people not realizing these two things are getting mixed together. 
For example, you can check if sshd is configured to spit out a banner. That is 
a next boot check. You have no idea what its currently doing. You can also 
check what services are running now. You have no idea what it will be on next 
boot because the content checks systemd and not the files.

> At this point, getting the impression there's been zero work on creating
> OpenShift probes though.

If there's no content that needs them, they won't get created just in case 
they're needed one day. To specify a new test means asking 20 or so companies 
to implement the code and take it through certification. So normally things 
are only asked for when they are truly needed.

HTH...

-Steve


___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
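Steve's distinction above between a next-boot check (read from the files) and a current-state check (ask the running systemd), as an added example that is not from the thread or from OpenSCAP: a file-only determination of a unit's next-boot state, reading shipped units under /usr/lib and overrides under /etc from any root directory, so it works equally on a mounted offline disk. The unit names and the tree layout are constructed for illustration.

```python
import os
import tempfile

SEARCH_DIRS = ("etc/systemd/system", "usr/lib/systemd/system")  # /etc wins over /usr/lib

def find_unit_file(root, unit):
    """Unit file systemd would load at next boot from the tree under `root`, or None."""
    for d in SEARCH_DIRS:
        path = os.path.join(root, d, unit)
        if os.path.isfile(path):
            return path
    return None

def enabled_at_next_boot(root, unit):
    """Enablement lives on disk as a link named after the unit inside a *.wants/
    or *.requires/ directory under /etc/systemd/system; no systemctl call needed."""
    base = os.path.join(root, "etc/systemd/system")
    if not os.path.isdir(base):
        return False
    for entry in os.listdir(base):
        if entry.endswith((".wants", ".requires")):
            if os.path.lexists(os.path.join(base, entry, unit)):
                return True
    return False

def unit_state(root, unit):
    """Next-boot state derived purely from files: masked, absent, enabled or disabled."""
    etc_path = os.path.join(root, "etc/systemd/system", unit)
    if os.path.islink(etc_path) and os.readlink(etc_path) == "/dev/null":
        return "masked"  # an /etc override pointing at /dev/null masks the unit
    if find_unit_file(root, unit) is None:
        return "absent"
    return "enabled" if enabled_at_next_boot(root, unit) else "disabled"

def build_sample_root():
    """Constructed sample tree (not a real system): sshd shipped in /usr/lib and
    enabled via multi-user.target.wants, telnet.socket shipped but disabled,
    cups.service masked from /etc."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "usr/lib/systemd/system")
    wants = os.path.join(root, "etc/systemd/system/multi-user.target.wants")
    os.makedirs(lib)
    os.makedirs(wants)
    for unit in ("sshd.service", "telnet.socket", "cups.service"):
        with open(os.path.join(lib, unit), "w") as f:
            f.write("[Unit]\nDescription=%s\n" % unit)
    os.symlink("/usr/lib/systemd/system/sshd.service", os.path.join(wants, "sshd.service"))
    os.symlink("/dev/null", os.path.join(root, "etc/systemd/system/cups.service"))
    return root
```

Because nothing here talks to a running systemd, the result describes what the next boot will do, which is exactly what a running-state query cannot tell you.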


Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-13 Thread Shawn Wells



On 2/11/19 7:38 PM, Steve Grubb wrote:
> On Thursday, February 7, 2019 1:23:58 PM EST Shawn Wells wrote:
> > So then, to rephrase the question, when will there be OVAL
> > tests/subjects/states/items for OpenShift, akin to how there are for
> > systemd and SELinux?
>
> Those were created specifically to address problems in drafting content for
> the USGCB settings a long time ago. They were created because there was no
> other good way of getting the information.
>
> > Would be extremely surprising to learn this process hasn't been started
> > already, but getting the sense it hasn't been. Not really sure who to
> > direct the question to, likely Marek and Matej?
>
> Things aren't created until there's a demonstrated need. What is the
> underlying configuration that you are trying to read? What parts of the config
> are needed? Where is this information kept?

Seems like there is an ever-growing backlog of probes that need creation.

Quick examples of polling dconf db, and parsing "oc get" commands for
OpenShift settings. Neither keeps their state in config files, so need to
use those commands specifically.

> Just wanted to show how the systemd tests were created:
> http://making-security-measurable.1364806.n2.nabble.com/Proposal-for-OVAL-5-11-systemd-test-td7583274.html
>
> There was some discussion about what the intended use would be. What
> questions would the test answer? Then some discussion about syntax and
> attribute vs elements, etc. Right now, I think anyone that could help needs a
> little better definition of the problem you are seeing.

Excellent. Thank you -- will review to help me learn the correct
vernacular.

At this point, getting the impression there's been zero work on creating
OpenShift probes though.




Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-11 Thread Steve Grubb
On Thursday, February 7, 2019 1:23:58 PM EST Shawn Wells wrote:
> So then, to rephrase the question, when will there be OVAL
> tests/subjects/states/items for OpenShift, akin to how there are for
> systemd and SELinux?

Those were created specifically to address problems in drafting content for 
the USGCB settings a long time ago. They were created because there was no 
other good way of getting the information.

> Would be extremely surprising to learn this process hasn't been started
> already, but getting the sense it hasn't been. Not really sure who to
> direct the question to, likely Marek and Matej?

Things aren't created until there's a demonstrated need. What is the 
underlying configuration that you are trying to read? What parts of the config 
are needed? Where is this information kept?

Just wanted to show how the systemd tests were created:
http://making-security-measurable.1364806.n2.nabble.com/Proposal-for-OVAL-5-11-systemd-test-td7583274.html

There was some discussion about what the intended use would be. What 
questions would the test answer? Then some discussion about syntax and 
attribute vs elements, etc. Right now, I think anyone that could help needs a 
little better definition of the problem you are seeing.

-Steve




Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-07 Thread Shawn Wells


On 2/4/19 2:27 PM, William Munyan wrote:
> Hey Shawn,
>
> I’ll add to Steve’s point that if there is not current OVAL support
> for the constructs you need, then the new OVAL
> tests/objects/states/items would need to be created in either a new
> OVAL schema or (more likely) as additions to the existing Linux
> schema. Once created, a proposal can be made to the OVAL language team
> through an issue and pull request to the official OVAL Language GitHub
> <https://github.com/OVAL-Community/OVAL>. The newly released proposal
> process can be found here
> <https://oval-community-guidelines.readthedocs.io/en/latest/proposal-process/index.html>.
>
> Once proposed, the OVAL community can provide feedback and
> implementations to prove the concept and progress the proposal along
> towards adoption. Ultimately, the area supervisor for the Linux
> schemas will need to be involved as well. The supervisor for Linux is
> currently Simon Lukasik.
>
> I’m happy to help out with any schema development, and potential
> implementation of proposed updates as well (although I’ll freely admit
> negligible knowledge of OpenShift). The language governance, proposal
> and adoption process are all recently “released” so if you find
> yourself needing help with the process, don’t hesitate to reach out.

Thanks Bill & Steve.

So then, to rephrase the question, when will there be OVAL
tests/subjects/states/items for OpenShift, akin to how there are for
systemd and SELinux?

Would be extremely surprising to learn this process hasn't been started
already, but getting the sense it hasn't been. Not really sure who to
direct the question to, likely Marek and Matej?



Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-04 Thread William Munyan
Hey Shawn,
I’ll add to Steve’s point that if there is not current OVAL support for the 
constructs you need, then the new OVAL tests/objects/states/items would need to 
be created in either a new OVAL schema or (more likely) as additions to the 
existing Linux schema.  Once created, a proposal can be made to the OVAL 
language team through an issue and pull request to the official OVAL Language 
GitHub <https://github.com/OVAL-Community/OVAL>.  The newly released proposal 
process can be found 
here <https://oval-community-guidelines.readthedocs.io/en/latest/proposal-process/index.html>.

Once proposed, the OVAL community can provide feedback and implementations to 
prove the concept and progress the proposal along towards adoption.  
Ultimately, the area supervisor for the Linux schemas will need to be involved 
as well.  The supervisor for Linux is currently Simon Lukasik.

I’m happy to help out with any schema development, and potential implementation 
of proposed updates as well (although I’ll freely admit negligible knowledge of 
OpenShift).  The language governance, proposal and adoption process are all 
recently “released” so if you find yourself needing help with the process, 
don’t hesitate to reach out.

Cheers,
-Bill M.

Bill Munyan
Solutions Architect; Security Best Practices
31 Tech Valley Drive
East Greenbush, NY 12061

william.mun...@cisecurity.org
518 466-1160 (cell)

From: open-scap-list-boun...@redhat.com  On 
Behalf Of Steve Grubb
Sent: Monday, February 4, 2019 1:16 PM
To: Shawn Wells 
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] When to expect OVAL probes for OpenShift?




On Mon, 4 Feb 2019 12:11:32 -0500
Shawn Wells <sh...@redhat.com> wrote:

> On 2/4/19 6:08 PM, Steve Grubb wrote:
> > On Mon, 4 Feb 2019 11:06:00 -0500
> > Shawn Wells <sh...@redhat.com> wrote:
> >
> >> When can OpenSCAP probes be expected for OpenShift?
>
> > Are you talking about new OVAL tests?
>
> Probes so that OVAL tests could be created. Akin to the systemd
> probes.

OK. I think we are mismatching terminology here. OVAL defines tests
and states. OpenSCAP, an implementation, chooses to convert the
required test into a probe. This is an implementation detail.

So, the first thing is, do we need a new OVAL test? If so, why does no
other test currently work? What is the file format? You will need to
state this to someone that is on the OVAL editorial board. They will
need to propose the changes to the language and get it reviewed
and approved. This could take a little time.

-Steve


Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-04 Thread Steve Grubb
On Mon, 4 Feb 2019 12:11:32 -0500
Shawn Wells  wrote:

> On 2/4/19 6:08 PM, Steve Grubb wrote:
> > On Mon, 4 Feb 2019 11:06:00 -0500
> > Shawn Wells  wrote:
> >  
> >> When can OpenSCAP probes be expected for OpenShift?  
>
> > Are you talking about new OVAL tests?  
> 
> Probes so that OVAL tests could be created. Akin to the systemd
> probes.

OK. I think we are mismatching terminology here. OVAL defines tests
and states. OpenSCAP, an implementation, chooses to convert the
required test into a probe. This is an implementation detail.

So, the first thing is, do we need a new OVAL test? If so, why does no
other test currently work? What is the file format? You will need to
state this to someone that is on the OVAL editorial board. They will
need to propose the changes to the language and get it reviewed
and approved. This could take a little time.

-Steve



Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-04 Thread Shawn Wells


On 2/4/19 6:08 PM, Steve Grubb wrote:
> On Mon, 4 Feb 2019 11:06:00 -0500
> Shawn Wells  wrote:
>
> > When can OpenSCAP probes be expected for OpenShift?
>
> Are you talking about new OVAL tests?

Probes so that OVAL tests could be created. Akin to the systemd probes.


Re: [Open-scap] When to expect OVAL probes for OpenShift?

2019-02-04 Thread Steve Grubb
On Mon, 4 Feb 2019 11:06:00 -0500
Shawn Wells  wrote:

> When can OpenSCAP probes be expected for OpenShift?

Are you talking about new OVAL tests?

-Steve

> Need ability to parse configuration data that would be returned by
> "oc get" style commands.
> 
> Thanks!


[Open-scap] When to expect OVAL probes for OpenShift?

2019-02-04 Thread Shawn Wells

When can OpenSCAP probes be expected for OpenShift?

Need ability to parse configuration data that would be returned by "oc 
get" style commands.


Thanks!
