[Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.

Haynes, Dan dhaynes at mitre.org
Wed Oct 9 18:45:35 UTC 2013


Hi Matthew,

Comments inline below.  Hope this helps.

Thanks,

Danny

From: open-scap-list-bounces at redhat.com [mailto:open-scap-list-bounces at redhat.com] On Behalf Of Matthew Mariani
Sent: Wednesday, October 09, 2013 1:11 PM
To: open-scap-list at redhat.com
Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.

Hi list,
SCAP newbie here.  I'm working with the attached XCCDF profile definition to be used with a RHEL6 system.  The end goal is to define a standard RHEL cloud image security profile.  I have two questions:

1.  I believe I need additional XML syntax in the file to have valid XCCDF content.  When I try both testing with the 'info' function and running an 'eval', I get an Unknown document type error.
    [root at rhel6client ~]# oscap info rht-ccp.xml
    OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554]
    [root at rhel6client ~]# oscap xccdf eval --profile rht-ccp --results /root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml
    Profile "rht-ccp" was not found.

Looking at some of the XCCDF examples referenced here http://www.open-scap.org/page/Documentation, I'm thinking I need a <Benchmark> wrapper around my profile.  Am I on the right track, and if so is there a basic <Benchmark> syntax example available?  I'm finding it difficult to identify what's required and what's not in the examples referenced on the Documentation page.

[Danny]: Yes, you will need to include the <Benchmark> component.  You may want to look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project (https://fedorahosted.org/scap-security-guide/).  It should serve as a good example and you may be able to reuse some of the content.  They also have some tools that you could leverage to help generate the content.

2.  Looking forward, in addition to these XCCDF checks, I have the need to detect non-Red Hat signed packages installed on the system.  Does anyone have guidance on how/if I can do that with SCAP tools?  As an example, suppose a cloud image has a monitoring package or hypervisor para-virt RPMs installed; I want to be made aware and have those reported by the check.

[Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL, which is a language for checking the state of an endpoint.  There is the linux-def:rpminfo_test (http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linux-definitions-schema.xsd) which you can use to check various metadata about the packages installed on the system, including the signature key ID.  With that in mind, you should be able to collect all RPMs on the system and filter out any RPMs that are signed by Red Hat, leaving only those that haven't been signed by Red Hat.  I have attached an OVAL definition which shows how you might do this.  Of course, you may need to modify it to include the appropriate signature key IDs.


Any help is appreciated.  Thanks,
-Matt

Matthew Mariani
Partner Solution Architect
M: +1-717-756-6834
mmariani at redhat.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20131009/942fffc7/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: linux-def_rpminfo_test.xml
Type: text/xml
Size: 2916 bytes
Desc: linux-def_rpminfo_test.xml
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20131009/942fffc7/attachment.xml>

