[Open-scap] project to process the results from Oval and Xccdf from many hosts into a "network status report"?

Haynes, Dan dhaynes at mitre.org
Fri Feb 3 20:50:52 UTC 2012


Hi Tom,

This will not help you in terms of integration with some alerting database, 
but there is a way to trim down all of the information in the OVAL Results to 
make it more manageable.  You can do this using OVAL Directives, which allow 
you to specify the level of detail that should be included in your OVAL 
Results 
(http://oval.mitre.org/language/version5.10.1/ovaldir/documentation/oval-results-schema.html#DefaultDirectivesType). 
For example, by setting the include_source_definitions property to "false", 
you direct a tool to exclude the source OVAL Definitions from the OVAL Results. 
You could also say that you only want to report on the OVAL Compliance 
Definitions that do not have a result of "true".  Finally, you could report 
only thin results, which would just report the OVAL Definitions, their IDs, 
and their results, leaving out all of the system data that was collected.  The 
OVAL Directives document would look as follows.

<oval_directives ...>
...
  </generator>
  <!-- The directives element includes the source definitions, but suppresses 
all results -->
  <directives include_source_definitions="true">
    <oval-res:definition_true content="full" reported="false"/>
    <oval-res:definition_false content="full" reported="false"/>
    <oval-res:definition_unknown content="full" reported="false"/>
    <oval-res:definition_error content="full" reported="false"/>
    <oval-res:definition_not_evaluated content="full" reported="false"/>
    <oval-res:definition_not_applicable content="full" reported="false"/>
  </directives>
  <!-- The class_directives element overrides the directives element for 
compliance class definitions -->
  <class_directives class="compliance">
    <oval-res:definition_true content="thin" reported="false"/>
    <oval-res:definition_false content="thin" reported="true"/>
    <oval-res:definition_unknown content="thin" reported="true"/>
    <oval-res:definition_error content="thin" reported="true"/>
    <oval-res:definition_not_evaluated content="thin" reported="true"/>
    <oval-res:definition_not_applicable content="thin" reported="true"/>
  </class_directives>
</oval_directives>

I have also attached the results from running the USGCB settings with the 
above OVAL Directives so that you can see the difference in the information 
reported on.

Hopefully this is of some help to you.

Thanks,

Danny
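As an added example (not part of the original thread, and not OpenSCAP or MITRE code), the script below does on the consuming side what the class_directives block above asks the producing tool to do, and then collates the remaining findings from several hosts into one table. It keeps only compliance-class definitions whose result is not "true", records just the definition ID and result (thin content), and groups by definition so that one row shows every host that fails a given check. The namespaces are the real OVAL 5.x results and definitions namespaces; the definition IDs, host names and result values are constructed sample data, not real USGCB content.

```python
"""Collate OVAL Results from several hosts into one non-compliance summary.

Added example, not from the original thread. The XML built here is a
constructed, minimal OVAL Results document: real OVAL 5.x namespaces,
placeholder definition IDs and hosts.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample definitions: id -> class (placeholder IDs, not real content)
SAMPLE_DEFINITIONS = {
    "oval:example:def:1": "compliance",
    "oval:example:def:2": "compliance",
    "oval:example:def:3": "vulnerability",
}

# Constructed per-host results: host -> {definition id: result}
SAMPLE_HOSTS = {
    "hostA": {"oval:example:def:1": "true", "oval:example:def:2": "false", "oval:example:def:3": "false"},
    "hostB": {"oval:example:def:1": "false", "oval:example:def:2": "error", "oval:example:def:3": "true"},
    "hostC": {"oval:example:def:1": "true", "oval:example:def:2": "true", "oval:example:def:3": "false"},
}


def build_sample_results(results):
    """Return a minimal, constructed OVAL Results document for one host.

    The source definitions are included (as with
    include_source_definitions="true" above) because the definition class
    lives there, not in the per-system results.
    """
    defs = "".join(
        f'<definition id="{d}" version="1" class="{c}">'
        f"<metadata><title>{d}</title><description>sample</description></metadata>"
        f"</definition>"
        for d, c in SAMPLE_DEFINITIONS.items()
    )
    res = "".join(
        f'<definition definition_id="{d}" version="1" result="{r}"/>'
        for d, r in results.items()
    )
    return (
        f'<oval_results xmlns="{NS["res"]}">'
        f'<oval_definitions xmlns="{NS["def"]}"><definitions>{defs}</definitions></oval_definitions>'
        f"<results><system><definitions>{res}</definitions><tests/></system></results>"
        f"</oval_results>"
    )


def failing_compliance(xml_text):
    """Return {definition_id: result} for compliance definitions not evaluated "true".

    This mirrors the class="compliance" directives above: true results are
    dropped, every other result is kept thin (ID and result only).
    """
    root = ET.fromstring(xml_text)
    classes = {
        d.get("id"): d.get("class")
        for d in root.iterfind(".//def:definitions/def:definition", NS)
    }
    findings = {}
    for d in root.iterfind(".//res:results/res:system/res:definitions/res:definition", NS):
        did, result = d.get("definition_id"), d.get("result")
        if classes.get(did) == "compliance" and result != "true":
            findings[did] = result
    return findings


def network_report(docs):
    """Collate per-host findings into {definition_id: {host: result}}."""
    report = defaultdict(dict)
    for host, xml_text in docs.items():
        for did, result in failing_compliance(xml_text).items():
            report[did][host] = result
    return dict(report)


def sample_report():
    """Run the collation over the constructed sample hosts."""
    docs = {host: build_sample_results(r) for host, r in SAMPLE_HOSTS.items()}
    return network_report(docs)


if __name__ == "__main__":
    for did, hosts in sorted(sample_report().items()):
        print(did)
        for host, result in sorted(hosts.items()):
            print(f"  {host}: {result}")
```

One thing worth noting from running this against real output: the class lookup needs the source definitions to be present in the results file, so if a tool is configured with include_source_definitions="false" the class has to come from the original definitions document instead.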

>-----Original Message-----
>From: open-scap-list-bounces at redhat.com [mailto:open-scap-list-
>bounces at redhat.com] On Behalf Of Tom H
>Sent: Thursday, February 02, 2012 9:34 PM
>To: open-scap-list at redhat.com
>Subject: [Open-scap] project to process the results from Oval and Xccdf from
>many hosts into a "network status report"?
>
>
>Hi experts,
>
>So I have put some effort into deploying SCAP content to my nodes and
>running reports, and I now have many HTML reports on a per-server-
>instance basis (which I am very pleased about; I was in a bad way this
>time last week ;-).
>
>However, now it's starting to become obvious that without some way of
>summarizing, or alerting on critical vulnerabilities over the whole 200
>servers, the detail will become lost in the data.
>
>Are there any projects to integrate the report data with some alerting
>database, or central management tool?
>
>Thanks,
>Tom
>
>_______________________________________________
>Open-scap-list mailing list
>Open-scap-list at redhat.com
>https://www.redhat.com/mailman/listinfo/open-scap-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: results.xml
Type: text/xml
Size: 20911 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20120203/f4675abb/attachment.xml>