<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 25/02/17 16:43, Lee Wilson wrote:<br>
</div>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p>Hi Everyone,</p>
</div>
</blockquote>
Hi Lee, sorry for delayed response.<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p><br>
</p>
<p>I've recently come across OpenSCAP after wasting my time with
openVAS as a means of improving the way my company does
vulnerability and configuration management of our network
devices (e.g. Cisco, Juniper, Palo Alto, etc).</p>
<p><br>
</p>
<p>From an initial review though, it seems in its current state
to be very server focused. Would that be a fair assessment?</p>
</div>
</blockquote>
I wouldn't say so, but I guess you can: OpenSCAP was designed with
machines in mind, and recent efforts have been directed to containers
and container images.<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p><br>
</p>
<p>Back in January 2016 someone posted a similar query on this
list where it was suggested to use jovalcm, but that is a
proprietary product and they have ceased all development on
the open source variant.</p>
<p><a moz-do-not-send="true"
href="https://www.redhat.com/archives/open-scap-list/2016-January/msg00000.html"
class="OWAAutoLink" id="LPlnk750885" previewremoved="true">https://www.redhat.com/archives/open-scap-list/2016-January/msg00000.html</a><br>
</p>
</div>
</blockquote>
I think it is still true, we don't have support for Cisco.<br>
<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p>
</p>
<p>As far as I can tell there is nothing in the underlying
architecture that prevents this from working; the main issue
is that the various scripts are required to be copied
to the device being scanned. This is required even when using
the remote SSH scanning option, according to the documentation:</p>
<p><a moz-do-not-send="true"
href="http://martin.preisler.me/2015/05/scanning-remote-machines-with-openscap/"
class="OWAAutoLink" id="LPlnk57148" previewremoved="true">http://martin.preisler.me/2015/05/scanning-remote-machines-with-openscap/</a><br>
</p>
</div>
</blockquote>
I think that by script you mean the SCAP contents, or policies. Yes,
even when using remote scanning the contents are copied into the remote
machine.<br>
And the remote machine also needs to have oscap-scanner installed.<br>
<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p>
</p>
<p>I came across a presentation which pretty much covers what
I'm trying to do:</p>
<p><a moz-do-not-send="true"
href="https://scap.nist.gov/events/2011/itsac/presentations/day3/Nunez%20-%20SCAP%20for%20Inter-networking%20Devices.pdf"
class="OWAAutoLink" id="LPlnk479759" previewremoved="true">https://scap.nist.gov/events/2011/itsac/presentations/day3/Nunez%20-%20SCAP%20for%20Inter-networking%20Devices.pdf</a></p>
<p><br>
</p>
<p>The use of the Script Check Engine intrigues me, but I believe
I'll still be restricted as those scripts still need to be
copied to the server. It does mention that environment
variables can be passed to the script so that remote checks
can be run and then the output saved as check result files, as
documented:</p>
<p><a moz-do-not-send="true"
href="https://www.open-scap.org/features/other-standards/sce/"
class="OWAAutoLink" id="LPlnk961428" previewremoved="true">https://www.open-scap.org/features/other-standards/sce/</a></p>
</div>
</blockquote>
I'm not very familiar with SCE, but I'll try to explain.<br>
What happens is that oscap will copy the SCAP contents to the remote
machine, along with the checking scripts.<br>
And where the content defines that a checking script should be used
instead of an OVAL check, <br>
oscap will pass the checking script and the environment variables
defined in the content to SCE (Script Check Engine).<br>
Then SCE, with those scripts and environment variables, will perform the
check.<br>
<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p><br>
</p>
<p>In essence the steps would be:</p>
<p>1) Specify profile to run and the target(s) to run on</p>
<p>2) Pass target hostname/ip along with (perhaps) login
credentials (e.g. username/password or SNMP community) to the
script</p>
<p>3) Script runs on the same device as the SCAP workbench,
logging into the device via the appropriate method (SSH or
SNMP)</p>
<p>4) Results are saved as check-result files to be picked up by
the oscap tool for processing</p>
</div>
</blockquote>
The checking script doesn't need to know any credentials. Oscap will
receive the credentials, log in to the target machine and copy the
content and scripts.<br>
If performing a remote scan with SCAP Workbench, no content or script
scan is performed on the local machine.<br>
<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p><br>
</p>
<p>The only concern I have the moment with this approach is that
it would require multiple SSH logins (one for each script run)
but I'm sure improvements could be made in the future to batch
them during a single login session.</p>
</div>
</blockquote>
AFAIK it requires one SSH login per device/machine scanned.<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p><br>
</p>
<p>Alternatively would it be possible for all the above steps to
be run in advance and then just have the oscap tool look as
the resulting check-result files, in effect doing something
similar to an offline config audit? This would be considered a
local scan I guess, no different to a customer handing me a
raw cisco cli output/config and saying here audit this.</p>
</div>
</blockquote>
Whether performing a local or a remote scan, OpenSCAP can generate XCCDF
results and HTML reports for someone to audit.<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p><br>
</p>
<p>I'd be interested in trying to get something like this
working but if anyone has got any experience and can tell me
if I'm wasting my time or not, it would be appreciated.</p>
</div>
</blockquote>
I think the major blocker here is that OpenSCAP needs an agent on
the target machine being scanned, and we don't have one for Cisco.<br>
I don't know what Cisco runs underneath, nor how difficult it would be
to make it run there.<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p><br>
</p>
<p>Thanks in advance</p>
</div>
</blockquote>
Hope to have clarified your vision of what OpenSCAP is capable of.<br>
<blockquote
cite="mid:AM5PR1001MB1074BEC15D175AF3EA2D9405D4550@AM5PR1001MB1074.EURPRD10.PROD.OUTLOOK.COM"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p><br>
</p>
<p>Lee</p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Open-scap-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Open-scap-list@redhat.com">Open-scap-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/open-scap-list">https://www.redhat.com/mailman/listinfo/open-scap-list</a></pre>
</blockquote>
<br>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
Watson Sato
Security Technologies | Red Hat, Inc</pre>
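<p>As an added example that is not part of this thread or of OpenSCAP's own code, the script below shows the SCE flow Watson describes applied to Lee's offline-audit case: oscap exports XCCDF values to the script as environment variables, the script reads the saved device configuration from the exported path, and its exit status becomes the rule result. The XCCDF ids, the script name and the sample configuration are assumptions made for this example.</p>

```shell
#!/bin/sh
# audit_saved_config.sh: SCE check script for the offline audit Lee describes.
# The saved device configuration is read from a file whose path oscap exports
# from an XCCDF Value. Added example, not code from the thread or OpenSCAP.
#
# Assumed XCCDF wiring (hypothetical ids chosen for this example): a rule
# check with system="http://open-scap.org/page/SCE" carrying
#   check-export value-id="xccdf_example_value_config_path"
#                export-name="XCCDF_VALUE_CONFIG_PATH"
#   check-export value-id="xccdf_example_value_required_line"
#                export-name="XCCDF_VALUE_REQUIRED_LINE"
#   check-content-ref href="audit_saved_config.sh"

# SCE exports XCCDF_RESULT_* when oscap runs the script; the fallbacks here
# are only used when running it by hand and mirror oscap's numeric codes.
: "${XCCDF_RESULT_PASS:=101}"
: "${XCCDF_RESULT_FAIL:=102}"
: "${XCCDF_RESULT_ERROR:=103}"

# audit_saved_config <config-file> <required-line>
# Returns PASS if the exact line is present (leading whitespace and '!'
# comment lines ignored), FAIL if absent, ERROR if the file is unreadable.
# The script itself never logs in anywhere and needs no credentials.
audit_saved_config() {
    config="$1"
    required="$2"
    [ -r "$config" ] || return "$XCCDF_RESULT_ERROR"
    if sed 's/^[[:space:]]*//' "$config" | grep -v '^!' | grep -qxF -- "$required"; then
        return "$XCCDF_RESULT_PASS"
    fi
    return "$XCCDF_RESULT_FAIL"
}

# Under oscap the exported values drive the check and the exit status is the
# rule result. Outside oscap this branch is skipped.
if [ -n "${XCCDF_VALUE_CONFIG_PATH:-}" ]; then
    audit_saved_config "$XCCDF_VALUE_CONFIG_PATH" \
        "${XCCDF_VALUE_REQUIRED_LINE:-service password-encryption}"
    exit $?
fi

# Constructed sample config (not from a real device) so the check can be
# exercised without oscap.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/sce_sample_config.$$"
printf '%s\n' '! constructed sample' 'hostname edge-router' \
    '  service password-encryption' 'no ip http server' > "$SAMPLE_CONFIG"
rc=0
audit_saved_config "$SAMPLE_CONFIG" 'service password-encryption' || rc=$?
echo "service password-encryption -> $rc (101 = XCCDF_RESULT_PASS)"
rm -f "$SAMPLE_CONFIG"
```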
</body>
</html>