<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 1/8/18 4:19 PM, Lee Wilson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:AM5PR1001MB1124E1C19BAA490D23706B90D4130@AM5PR1001MB1124.EURPRD10.PROD.OUTLOOK.COM">
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<div>
<p style="margin-top:0; margin-bottom:0">Hi Watson,</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">Thanks for your
detailed reply and apologies for my delay in responding. Went
off to look for something else that may do the job.</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">The link that Eric has
provided was initially what got me thinking about using
OpenSCAP to do this task; it's a real shame the approach of
needing an agent was taken.</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">Interestingly enough
though, we've started looking into Ansible (another Red Hat
sponsored project) and that does have some support for
appliance type devices (if not exactly perfect) as it is
principally agentless (as long as Python exists somewhere).
My scope has also expanded from just Cisco to also include F5,
Palo Alto and other network appliance vendors.</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">In my original reply, I
gave a rough list of tasks that perhaps could be run to
achieve what's needed (and it looks very similar to a list of
Plays). Having reviewed Ansible, I'm thinking: could those
"Plays" be put into an Ansible Playbook and have it go and
gather all the required info, for example running 'show
version' or 'show run logging' against a network device,
format this in the required results format that oscap expects
and then invoke it to generate the report?</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">Really keen not to
reinvent the wheel here, but I'm probably way out on a limb. If
this isn't possible, maybe us Network Engineers will just need
to fork OpenSCAP and make it work without an
agent... something tells me this won't be happening any time
soon <span>😉</span></p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">Thanks again</p>
</div>
</blockquote>
<br>
OpenSCAP is a tool, SCAP is the content language.<br>
<br>
Today OpenSCAP does not work on Cisco/networking devices, but there
are other SCAP tools that do. One of the better known ones is jOVAL:<br>
<a class="moz-txt-link-freetext" href="https://jovalcm.com/">https://jovalcm.com/</a><br>
<br>
SCAP Security Guide could still house content for evaluating Cisco
IOS and Junos... but you'd have to use something like jOVAL to scan
your endpoints.<br>
<br>
Alternatively, there are new projects standing up that will ship
Ansible content that may be of interest to you.<br>
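<br>
Added example, not from either message in this thread: an Ansible playbook that does the evidence-gathering half of what the quoted message describes, running 'show version' and the logging lines of the running-config against Cisco IOS devices, saving the raw output per host on the control node, and failing any host with no remote syslog destination. The inventory group name <code>cisco_ios</code>, the <code>./evidence</code> directory and the 'logging host' check are assumptions; the step of converting this output into whatever results format a SCAP tool expects is not shown, because the thread does not define that format.<br>
<br>

```yaml
# Added example (not from the thread): collect compliance evidence from Cisco IOS
# devices with Ansible's agentless network_cli connection, keep it per host, and
# assert one defensive setting. Group name, output directory and the check are
# assumptions for illustration.
- name: Collect configuration evidence from Cisco IOS devices
  hosts: cisco_ios                     # assumed inventory group
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    evidence_dir: ./evidence           # assumed directory on the control node
  tasks:
    - name: Run the show commands used as evidence
      cisco.ios.ios_command:
        commands:
          - show version
          - show running-config | include logging
      register: evidence               # evidence.stdout[0] / [1] hold the outputs

    - name: Make sure the evidence directory exists on the control node
      ansible.builtin.file:
        path: "{{ evidence_dir }}"
        state: directory
        mode: "0750"
      delegate_to: localhost
      run_once: true

    - name: Save each command's output to a per-host file
      ansible.builtin.copy:
        content: "{{ evidence.stdout[item.0] }}"
        dest: "{{ evidence_dir }}/{{ inventory_hostname }}-{{ item.1 }}.txt"
        mode: "0640"
      delegate_to: localhost
      loop:
        - [0, show_version]
        - [1, logging]

    - name: Fail the host if no remote syslog destination is configured
      ansible.builtin.assert:
        that:
          - "'logging host' in evidence.stdout[1]"
        fail_msg: "{{ inventory_hostname }}: no 'logging host' line in running-config"
```

Run it with <code>ansible-playbook -i inventory.ini collect_evidence.yml</code> from a control node that has SSH reachability to the devices; the text files it leaves in <code>./evidence</code> are the raw input you would then map into the results format of whichever SCAP tool you choose, and the final assert task is where further per-device checks (one per control) would be added.<br>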
</body>
</html>