[Open-scap] Query on evidence details for SCAP tests

Martin Preisler mpreisle at redhat.com
Thu Jan 15 11:22:54 UTC 2015


----- Original Message -----
> From: "Hrisheekesh Kale" <hrisheekesh.kale27 at gmail.com>
> To: open-scap-list at redhat.com
> Sent: Wednesday, January 14, 2015 7:04:07 AM
> Subject: [Open-scap] Query on evidence details for SCAP tests
> 
> Hi All,
> 
> I am in the process of understanding and evaluating the OpenSCAP tool and have a
> question about evidence details for the tests executed.
> 
> Does the tool have an option that will generate more detailed evidence
> about the tests executed on the unix machine? Let me elaborate what I mean
> by "evidence".

--results-arf or --oval-results.

> Hypothetically, let's assume that there is an OVAL test which "checks if all
> passwords on the target machine are longer than 6 chars". The test is
> supposed to check passwords for all the users on the target. Assuming that
> the check fails for one user, a good evidence detail could be - a. The name
> of the user for which the test failed b. actual length of the password
> found. etc. This is the kind of data that will help unix administrators in
> remediation.

Keep in mind that this example is unrealistic. Responsible people would never
store passwords in a way that exposes their length.

We check that the system configuration is set up in such a way that it requires users
to choose passwords of length at least X characters. So as evidence we will
give the configuration file and what was in it at the time that the check
didn't like.

> I tried executing some SCAP/OVAL standards and was able to generate
> results and reports which have pass/fail results. However, I was not able
> to get any evidence details. Is there a way by which OpenScap tool will
> provide such evidence detail? Am I missing any switch/option/configuration?
> Any audit log kind of thing that can be used for this purpose?

Check out --results-arf. Consider also trying scap-workbench that does all
of this for you.

> If there is no direct way of getting that data from the tool, is there a
> way to hook an external script/program that will grab the details while any
> test is getting executed?

Right now there is no support for partial results except the high-level
pass/fail for rules. This could be implemented but as of now there were no
requests for this feature AFAIK.

-- 
Martin Preisler
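As an added illustration (this is not code from the list post or from the OpenSCAP project), the script below shows what the evidence Martin describes looks like in the OVAL results that `oscap xccdf eval --oval-results ...` or `oscap oval eval --results ...` write: every failed test references the items collected from the system, and the embedded system characteristics carry the file path, the pattern and the line that was actually found. The OVAL results document embedded here is constructed for the example and its definition, test, object and item ids are made up; the element and attribute names follow the OVAL 5.x results and system-characteristics schemas.

```python
import xml.etree.ElementTree as ET

# XML namespaces of the OVAL 5.x results, definitions and system-characteristics
# schemas; the "#independent" ones hold the textfilecontent test/item used here.
NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
    "sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5",
    "ind-sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent",
}

# Constructed sample (not real oscap output): one test that failed because the
# collected line has PASS_MIN_LEN 5, and one that failed because the file it
# looks at does not exist on the target, so no item could be collected.
SAMPLE_RESULTS = r"""<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
  xmlns:def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
  xmlns:sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
  xmlns:ind-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent">
  <def:oval_definitions>
    <def:tests>
      <ind-def:textfilecontent54_test id="oval:example:tst:1" version="1" check="all" comment="PASS_MIN_LEN >= 8">
        <ind-def:object object_ref="oval:example:obj:1"/>
      </ind-def:textfilecontent54_test>
      <ind-def:textfilecontent54_test id="oval:example:tst:3" version="1" check="all" comment="pwquality minlen">
        <ind-def:object object_ref="oval:example:obj:3"/>
      </ind-def:textfilecontent54_test>
    </def:tests>
  </def:oval_definitions>
  <results>
    <system>
      <tests>
        <test test_id="oval:example:tst:1" version="1" check="all" result="false">
          <tested_item item_id="1" result="false"/>
        </test>
        <test test_id="oval:example:tst:3" version="1" check="all" result="false"/>
      </tests>
      <sc:oval_system_characteristics>
        <sc:collected_objects>
          <sc:object id="oval:example:obj:1" version="1" flag="complete">
            <sc:reference item_ref="1"/>
          </sc:object>
          <sc:object id="oval:example:obj:3" version="1" flag="does not exist"/>
        </sc:collected_objects>
        <sc:system_data>
          <ind-sc:textfilecontent_item id="1" status="exists">
            <ind-sc:filepath>/etc/login.defs</ind-sc:filepath>
            <ind-sc:pattern>^PASS_MIN_LEN\s+(\d+)</ind-sc:pattern>
            <ind-sc:instance datatype="int">1</ind-sc:instance>
            <ind-sc:text>PASS_MIN_LEN 5</ind-sc:text>
            <ind-sc:subexpression>5</ind-sc:subexpression>
          </ind-sc:textfilecontent_item>
        </sc:system_data>
      </sc:oval_system_characteristics>
    </system>
  </results>
</oval_results>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[-1]


def index_items(root):
    """Map item id -> the collected fields; this is the evidence itself."""
    items = {}
    for item in root.iterfind(".//sc:system_data/*", NS):
        fields = {_local(c.tag): (c.text or "").strip() for c in item}
        fields["item_type"] = _local(item.tag)
        fields["status"] = item.get("status", "")
        items[item.get("id")] = fields
    return items


def index_object_flags(root):
    """Map object id -> collection flag ('complete', 'does not exist', 'error', ...)."""
    return {o.get("id"): o.get("flag")
            for o in root.iterfind(".//sc:collected_objects/sc:object", NS)}


def index_test_objects(root):
    """Map test id -> the object it collects, via the embedded <oval_definitions>."""
    mapping = {}
    for test in root.iterfind(".//def:oval_definitions/def:tests/*", NS):
        for child in test:
            if _local(child.tag) == "object" and child.get("object_ref"):
                mapping[test.get("id")] = child.get("object_ref")
    return mapping


def failed_test_evidence(xml_text):
    """Return {test_id: {object, flag, items}} for every test with result 'false'."""
    root = ET.fromstring(xml_text)
    items, flags, test_obj = index_items(root), index_object_flags(root), index_test_objects(root)
    report = {}
    for test in root.iterfind(".//res:results/res:system/res:tests/res:test", NS):
        if test.get("result") != "false":
            continue
        tid = test.get("test_id")
        obj = test_obj.get(tid)
        entry = {"object": obj, "flag": flags.get(obj), "items": []}
        for ti in test.iterfind("res:tested_item", NS):
            entry["items"].append(items.get(ti.get("item_id"), {"status": "not collected"}))
        report[tid] = entry
    return report


def format_report(report):
    """Render the evidence the way an administrator would want to read it."""
    lines = []
    for tid, e in report.items():
        lines.append(f"{tid}: FAIL (object {e['object']}, flag={e['flag']})")
        if not e["items"]:
            lines.append("  no items collected")
        for it in e["items"]:
            path = it.get("filepath") or it.get("path", "?")
            lines.append(f"  {it['item_type']} {path}: {it.get('text', '')!r} (status={it['status']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(failed_test_evidence(SAMPLE_RESULTS)))
```

Run against a real results file, the same code reports, per failed test, the collected item (file path, matched line) or, when nothing was collected, the object's collection flag, which is usually the more useful clue when a check fails because a file is missing or unreadable rather than misconfigured. Items of other OVAL families (rpminfo, file, sysctl, ...) carry different child elements, but they live in the same `system_data` section and are indexed the same way.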
