SCAP Security Guide 0.1.38
Hello folks, We have the pleasure to announce that SCAP Security Guide version 0.1.38 has been released. Highlights of this release: * New License - BSD-3 Clause * New Profiles for development introduced: * ANSSI * HIPAA * C2S-Docker * Adoption of CTest for schema validation * Several remediation fixes For a more detailed overview of changes (bug fixes, enhancements) implemented in this release please have a look at more detailed changelog: * https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38 Full changelog at: * https://github.com/OpenSCAP/scap-security-guide/issues?q=milestone%3A0.1.38 Zip archives with pre-built benchmarks in DataStream form: * https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.38/scap-security-guide-0.1.38.zip (Zip archive using OVAL-5.11.1 language version) * https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.38/scap-security-guide-0.1.38-oval-5.10.zip (Zip archive using OVAL-5.10 language version only) Great thanks to everyone who contributed with issues, patches and discussion. Happy hardening! -- Watson Sato Security Technologies | Red Hat, Inc ___ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Re: Disabling specific bash remediations
Fen, There is an RFE open in OpenSCAP for this very thing at https://github.com/OpenSCAP/openscap/issues/633 Outside of tailoring a profile, nothing super easy from the OpenSCAP side of the house. Gabe On Thu, Mar 1, 2018 at 8:59 PM, Fen Labalmewrote: > The goal is to create a hardened EC2 server on AWS from scratch. After > provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed > by the bash remediations from SSG using: > > command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \ > --results-arf /tmp/results-arf.xml --report /tmp/report.html \ > /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml' > > But there are some remediations I don't want to run for an EC2 server such > as install_smartcard_packages.sh and dracut-fips. Is there a way to > prevent certain remediations from running? > > Thanks, > =Fen > > > ___ > scap-security-guide mailing list -- scap-security-guide@lists. > fedorahosted.org > To unsubscribe send an email to scap-security-guide-leave@ > lists.fedorahosted.org > > ___ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Re: Disabling specific bash remediations
It may be over the top for your use case, but you might want to also look at the FOSS SIMP project https://simp-project.com (shamelss SSG-related plug). We target SSG compliance but it's imminently flexible and manages your system state over time instead of just at one time. You can spawn an AWS instance using our base 6.1 load from the Marketplace to try it out. Trevor On Thu, Mar 1, 2018 at 10:59 PM, Fen Labalmewrote: > The goal is to create a hardened EC2 server on AWS from scratch. After > provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed > by the bash remediations from SSG using: > > command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \ > --results-arf /tmp/results-arf.xml --report /tmp/report.html \ > /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml' > > But there are some remediations I don't want to run for an EC2 server such > as install_smartcard_packages.sh and dracut-fips. Is there a way to > prevent certain remediations from running? > > Thanks, > =Fen > > > ___ > scap-security-guide mailing list -- scap-security-guide@lists. > fedorahosted.org > To unsubscribe send an email to scap-security-guide-leave@ > lists.fedorahosted.org > > -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788 -- This account not approved for unencrypted proprietary information -- ___ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
RE: Disabling specific bash remediations
Look into SCAP Workbench to help build a custom security profile for your application. https://www.open-scap.org/tools/scap-workbench/ Robert From: Fen Labalme [mailto:fen.laba...@civicactions.com] Sent: Thursday, March 1, 2018 10:00 PM To: SCAP Security GuideSubject: Disabling specific bash remediations The goal is to create a hardened EC2 server on AWS from scratch. After provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed by the bash remediations from SSG using: command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \ --results-arf /tmp/results-arf.xml --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml' But there are some remediations I don't want to run for an EC2 server such as install_smartcard_packages.sh and dracut-fips. Is there a way to prevent certain remediations from running? Thanks, =Fen CONFIDENTIALITY NOTICE This message and any included attachments are from Cerner Corporation and are intended only for the addressee. The information contained in this message is confidential and may constitute inside or non-public information under international, federal, or state securities laws. Unauthorized forwarding, printing, copying, distribution, or use of such information is strictly prohibited and may be unlawful. If you are not the addressee, please promptly delete this message and notify the sender of the delivery error by e-mail or you may call Cerner's corporate offices in Kansas City, Missouri, U.S.A at (+1) (816)221-1024. ___ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org