SCAP Security Guide 0.1.38

2018-03-02 Thread Watson Yuuma Sato 

Hello folks,

We have the pleasure to announce that SCAP Security Guide version 0.1.38
has been released.

Highlights of this release:

* New License - BSD-3 Clause
* New Profiles for development introduced:
    * ANSSI
    * HIPAA
    * C2S-Docker
* Adoption of CTest for schema validation
* Several remediation fixes


For a more detailed overview of changes (bug fixes, enhancements) 
implemented

in this release please have a look at more detailed changelog:
* https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38

Full changelog at:
* 
https://github.com/OpenSCAP/scap-security-guide/issues?q=milestone%3A0.1.38


Zip archives with pre-built benchmarks in DataStream form:
* 
https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.38/scap-security-guide-0.1.38.zip 


(Zip archive using OVAL-5.11.1 language version)
* 
https://github.com/OpenSCAP/scap-security-guide/releases/download/v0.1.38/scap-security-guide-0.1.38-oval-5.10.zip 


(Zip archive using OVAL-5.10 language version only)

Great thanks to everyone who contributed with issues, patches and 
discussion.


Happy hardening!

--
Watson Sato
Security Technologies | Red Hat, Inc
___
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org

Re: Disabling specific bash remediations

2018-03-02 Thread Gabe Alford 
Fen,

There is an RFE open in OpenSCAP for this very thing at
https://github.com/OpenSCAP/openscap/issues/633

Outside of tailoring a profile, nothing super easy from the OpenSCAP side
of the house.

Gabe

On Thu, Mar 1, 2018 at 8:59 PM, Fen Labalme 
wrote:

> The goal is to create a hardened EC2 server on AWS from scratch. After
> provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed
> by the bash remediations from SSG using:
>
>   command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
> --results-arf /tmp/results-arf.xml --report /tmp/report.html \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
>
> But there are some remediations I don't want to run for an EC2 server such
> as install_smartcard_packages.sh and dracut-fips. Is there a way to
> prevent certain remediations from running?
>
> Thanks,
> =Fen
>
>
> ___
> scap-security-guide mailing list -- scap-security-guide@lists.
> fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@
> lists.fedorahosted.org
>
>
___
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org

Re: Disabling specific bash remediations

2018-03-02 Thread Trevor Vaughan 
It may be over the top for your use case, but you might want to also look
at the FOSS SIMP project https://simp-project.com (shamelss SSG-related
plug).

We target SSG compliance but it's imminently flexible and manages your
system state over time instead of just at one time.

You can spawn an AWS instance using our base 6.1 load from the Marketplace
to try it out.

Trevor

On Thu, Mar 1, 2018 at 10:59 PM, Fen Labalme 
wrote:

> The goal is to create a hardened EC2 server on AWS from scratch. After
> provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed
> by the bash remediations from SSG using:
>
>   command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
> --results-arf /tmp/results-arf.xml --report /tmp/report.html \
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
>
> But there are some remediations I don't want to run for an EC2 server such
> as install_smartcard_packages.sh and dracut-fips. Is there a way to
> prevent certain remediations from running?
>
> Thanks,
> =Fen
>
>
> ___
> scap-security-guide mailing list -- scap-security-guide@lists.
> fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@
> lists.fedorahosted.org
>
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
___
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org

RE: Disabling specific bash remediations

2018-03-02 Thread Hayden,Robert 
Look into SCAP Workbench to help build a custom security profile for your 
application.
https://www.open-scap.org/tools/scap-workbench/


Robert

From: Fen Labalme [mailto:fen.laba...@civicactions.com]
Sent: Thursday, March 1, 2018 10:00 PM
To: SCAP Security Guide 
Subject: Disabling specific bash remediations

The goal is to create a hardened EC2 server on AWS from scratch. After 
provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed by 
the bash remediations from SSG using:

  command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
--results-arf /tmp/results-arf.xml --report /tmp/report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'

But there are some remediations I don't want to run for an EC2 server such as 
install_smartcard_packages.sh and dracut-fips. Is there a way to prevent 
certain remediations from running?

Thanks,
=Fen



CONFIDENTIALITY NOTICE This message and any included attachments are from 
Cerner Corporation and are intended only for the addressee. The information 
contained in this message is confidential and may constitute inside or 
non-public information under international, federal, or state securities laws. 
Unauthorized forwarding, printing, copying, distribution, or use of such 
information is strictly prohibited and may be unlawful. If you are not the 
addressee, please promptly delete this message and notify the sender of the 
delivery error by e-mail or you may call Cerner's corporate offices in Kansas 
City, Missouri, U.S.A at (+1) (816)221-1024.
___
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org