<html><body><div style="font-family: tahoma,new york,times,serif; font-size: 12pt; color: #000000"><div>> Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG:<br> <a class="moz-txt-link-freetext" href="https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=363324350a1c4efe4dceefa3e309865fc54913b6" target="_blank" data-mce-href="https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=363324350a1c4efe4dceefa3e309865fc54913b6">https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=363324350a1c4efe4dceefa3e309865fc54913b6</a><br data-mce-bogus="1"></div><div><br></div><div>Shawn, <br></div><div>Greatly appreciated. Since CCP will have RHEL5 instances as well, what is the backward compatibility of this profile? If none, could you describe the level-of-effort?<br></div><div><br></div><div>-Matt<br></div><div><br></div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Shawn Wells" <shawn@redhat.com><br><b>To: </b>open-scap-list@redhat.com<br><b>Sent: </b>Sunday, October 13, 2013 11:30:26 PM<br><b>Subject: </b>Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.<br><div><br></div>
<div class="moz-cite-prefix">On 10/10/13 4:44 PM, Matthew Mariani
wrote:<br>
</div>
<blockquote cite="mid:1735616932.116228.1381437845637.JavaMail.root@redhat.com">
<div class="moz-text-html" lang="x-unicode">
<div style="font-family: tahoma,new york,times,serif; font-size:
12pt; color: #000000">
<div>Danny, <br>
</div>
<div>Thanks, very helpful. <br>
</div>
<div>-Matt<br>
</div>
<div><br>
</div>
<hr id="zwchr">
<div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From:
</b>"Dan Haynes" <a class="moz-txt-link-rfc2396E" href="mailto:dhaynes@mitre.org" target="_blank"><dhaynes@mitre.org></a><br>
<b>To: </b>"Matthew Mariani" <a class="moz-txt-link-rfc2396E" href="mailto:mmariani@redhat.com" target="_blank"><mmariani@redhat.com></a>,
<a class="moz-txt-link-abbreviated" href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a><br>
<b>Sent: </b>Wednesday, October 9, 2013 2:45:35 PM<br>
<b>Subject: </b>RE: SCAP Newbie Questions for simple RHEL6
XCCDF example.<br>
<div><br>
</div>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
Matthew,<br>
<br>
Comments inline below. Hope this helps.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks,<br>
<br>
Danny</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p>
<div style="border:none;border-left:solid blue
1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a class="moz-txt-link-abbreviated" href="mailto:open-scap-list-bounces@redhat.com" target="_blank">open-scap-list-bounces@redhat.com</a>
[<a class="moz-txt-link-freetext" href="mailto:open-scap-list-bounces@redhat.com" target="_blank">mailto:open-scap-list-bounces@redhat.com</a>]
<b>On Behalf Of </b>Matthew Mariani<br>
<b>Sent:</b> Wednesday, October 09, 2013 1:11 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a><br>
<b>Subject:</b> [Open-scap] SCAP Newbie
Questions for simple RHEL6 XCCDF example.</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black">Hi
list,
</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black">'SCAP
newbie here. I'm working with the attached
XCCDF profile definition to be used with a RHEL6
system. The end goal is to define a standard
RHEL cloud image security profile. I have two
questions: </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black"> </span></p>
</div>
<div>
<p class="MsoNormal"><strong><span style="font-family:"Tahoma","sans-serif";color:black">1. </span></strong><span style="font-family:"Tahoma","sans-serif";color:black">
I believe I need additional XML syntax in the
file to have valid XCCDF content. When I try
both testing with the 'info' function and
running an 'eval', I get an Unknown document
type error.
</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black"> [root@rhel6client
~]# oscap info rht-ccp.xml
<br>
OpenSCAP Error: Unknown document type:
'rht-ccp.xml' [oscapxml.c:554]</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black"> [root@rhel6client
~]# oscap xccdf eval --profile rht-ccp --results
/root/rht-ccp.results.xml --report
/root/rht-ccp.report.html rht-ccp.xml
<br>
Profile "rht-ccp" was not found.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black"> </span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Tahoma","sans-serif";color:black">Looking
at some of the xccdf examples referenced here
<a href="http://www.open-scap.org/page/Documentation" target="_blank">http://www.open-scap.org/page/Documentation</a>,
I'm thinking I need a <Benchmark> wrapper
around my profile. Am I on the right track, and
if so is there a basic <Benchmark> syntax
example available? I'm finding it difficult to
identify what's required and what's not in examples
referenced on the Documentation page.<br>
<br>
</span><span style="font-family:"Tahoma","sans-serif";color:#1F497D"></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[Danny]:
Yes, you will need to include the
<Benchmark> component. You may want to
look at the RHEL6 STIG SCAP content being
developed in the scap-security-guide project (<a href="https://fedorahosted.org/scap-security-guide/" target="_blank">https://fedorahosted.org/scap-security-guide/</a>).
It should serve as a good example and you may be
able to reuse some of the content. They also
have some tools that you could leverage to help
generate the content. </span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Matt pinged me offline re: the Red Hat CCP profile. I've now merged
it into SSG:<br>
<a class="moz-txt-link-freetext" href="https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=363324350a1c4efe4dceefa3e309865fc54913b6" target="_blank">https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=363324350a1c4efe4dceefa3e309865fc54913b6</a><br>
<br>
You should now be able to clone the source and run a scan:<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/scap-security-guide/wiki/downloads" target="_blank">https://fedorahosted.org/scap-security-guide/wiki/downloads</a><br>
<br>
aka<br>
$ sudo yum install git openscap-utils python-lxml<br>
$ cd /tmp ; git clone
git://git.fedorahosted.org/git/scap-security-guide.git ; cd
scap-security-guide/RHEL6<br>
$ make content <br>
$ sudo oscap xccdf eval --profile rht-ccp \<br>
--results /root/ssg-results-$(date +%F).xml \<br>
--report /root/ssg-results-$(date +%F).html \<br>
--cpe output/ssg-rhel6-cpe-dictionary.xml \<br>
output/ssg-rhel6-xccdf.xml<br>
<br>
<br>
<br>
<blockquote cite="mid:1735616932.116228.1381437845637.JavaMail.root@redhat.com">
<div class="moz-text-html" lang="x-unicode">
<div style="font-family: tahoma,new york,times,serif; font-size:
12pt; color: #000000">
<div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">
<div class="WordSection1">
<div style="border:none;border-left:solid blue
1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Tahoma","sans-serif";color:black"><br>
<strong><span style="font-family:"Tahoma","sans-serif"">2. </span></strong>
Looking forward, in addition to these XCCDF
checks, I have the need to detect non-Red Hat
signed packages installed on the system. Does
anyone have guidance on how/if I can do that
with SCAP tools? As an example, suppose a cloud
image has a monitoring package or hypervisor
para-virt RPMs installed; I want to be made aware
and have those reported by the check.
</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">[Danny]:
Yes, you should be able to check for any
non-Red Hat signed packages using OVAL which is
a language for checking the state of an
endpoint. There is the linux-def:rpminfo_test (<a href="http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd" target="_blank">http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd</a>)
which you can use to check various metadata
about the packages installed on the system
including the signature key ID. With that in
mind, you should be able to collect all RPMs on
the system and filter out any RPMs that are
signed by Red Hat leaving only those that
haven’t been signed by Red Hat. I have attached
an OVAL definition which shows how you might do
this. Of course, you may need to modify it to
include the appropriate signature key IDs.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black">Any
help is appreciated. Thanks,
</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black">-Matt</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Tahoma","sans-serif";color:black"> </span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Since this is largely content related, feel free to kick over the
conversation to the SSG mailing list:<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/scap-security-guide/" target="_blank">https://fedorahosted.org/scap-security-guide/</a><br>
<a class="moz-txt-link-freetext" href="https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide" target="_blank">https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide</a><br>
<br>
Our friends and allies within the OpenSCAP tooling community let us
content guys play here, but content questions (for SSG) should be
kicked over to the SSG community list :)<br>
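<br>
As an added illustration of the rpminfo_test approach Danny describes above (this is not the OVAL definition he attached, which is not on this page), the following OVAL 5.10 content collects every installed RPM, filters out the ones whose signature key ID matches an allowed Red Hat key, and passes only when nothing is left, so any third-party or unsigned package fails the definition and is listed in the results. The oval:example.rpmsig ids are assumptions, and 199e2f91fd431d51 is assumed to be the 16-digit Red Hat release key ID as printed on the Signature line of rpm -qi; replace the key alternation with the IDs you actually trust.<br>

```xml
<!-- Added example, not the attachment from the list post. Assumes OVAL 5.10
     filter support in the scanner; key IDs below are assumptions to replace. -->
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <generator>
    <oval:schema_version>5.10.1</oval:schema_version>
    <oval:timestamp>2013-10-09T14:45:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:example.rpmsig:def:1" version="1" class="compliance">
      <metadata>
        <title>All installed RPMs are signed with a Red Hat key</title>
        <description>Fails, listing the offending packages in the results,
          when any installed RPM is unsigned or signed with another key.</description>
      </metadata>
      <criteria>
        <criterion test_ref="oval:example.rpmsig:tst:1" comment="no RPM remains after excluding Red Hat-signed ones"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- none_exist: the test is true only when the filtered object set is empty -->
    <linux-def:rpminfo_test id="oval:example.rpmsig:tst:1" version="1"
        check="all" check_existence="none_exist"
        comment="installed RPMs not signed by Red Hat">
      <linux-def:object object_ref="oval:example.rpmsig:obj:1"/>
    </linux-def:rpminfo_test>
  </tests>
  <objects>
    <linux-def:rpminfo_object id="oval:example.rpmsig:obj:1" version="1">
      <!-- match every package name, then drop the ones we trust -->
      <linux-def:name operation="pattern match">.*</linux-def:name>
      <filter action="exclude">oval:example.rpmsig:ste:1</filter>
      <filter action="exclude">oval:example.rpmsig:ste:2</filter>
    </linux-def:rpminfo_object>
  </objects>
  <states>
    <!-- assumed: lower 16 hex digits of the Red Hat release key ID, as shown
         by "rpm -qi"; extend the alternation with every key you accept -->
    <linux-def:rpminfo_state id="oval:example.rpmsig:ste:1" version="1">
      <linux-def:signature_keyid operation="pattern match">^(199e2f91fd431d51)$</linux-def:signature_keyid>
    </linux-def:rpminfo_state>
    <!-- gpg-pubkey pseudo-packages carry no signature; exclude them by name -->
    <linux-def:rpminfo_state id="oval:example.rpmsig:ste:2" version="1">
      <linux-def:name>gpg-pubkey</linux-def:name>
    </linux-def:rpminfo_state>
  </states>
</oval_definitions>
```

Run it with oscap oval eval --results on the target; the collected rpminfo_items left in the results file are exactly the packages the definition flagged.<br>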
<br>_______________________________________________<br>Open-scap-list mailing list<br>Open-scap-list@redhat.com<br>https://www.redhat.com/mailman/listinfo/open-scap-list</div><div><br></div></div></body></html>