[Open-scap] Query on evidence details for SCAP tests
Martin Preisler
mpreisle at redhat.com
Thu Jan 15 11:22:54 UTC 2015
----- Original Message -----
> From: "Hrisheekesh Kale" <hrisheekesh.kale27 at gmail.com>
> To: open-scap-list at redhat.com
> Sent: Wednesday, January 14, 2015 7:04:07 AM
> Subject: [Open-scap] Query on evidence details for SCAP tests
>
> Hi All,
>
> I am in the process of understanding and evaluating the OpenScap tool and have a
> question about evidence details for tests executed.
>
> Does the tool have an option that will generate more detailed evidence
> about the tests executed on the unix machine? Let me elaborate what I mean
> by "evidence".
--results-arf or --oval-results.
> Hypothetically, let's assume that there is an OVAL test which "checks if all
> passwords on the target machine are longer than 6 chars". The test is
> supposed to check passwords for all the users on the target. Assuming that
> the check fails for one user, a good evidence detail could be - a. The name
> of the user for which the test failed b. actual length of the password
> found. etc. This is the kind of data that will help unix administrators in
> remediation.
Keep in mind that this example is unrealistic. Responsible people would never
store passwords in a way that exposes their length.
We check that the system configuration is in such a way that requires users
to choose passwords of length at least X characters. So as evidence we will
give the configuration file and what was there at the time that the check
didn't like.
> I tried executing some SCAP/OVAL standards and was able to generate
> results and reports which have pass/fail results. However, I was not able
> to get any evidence details. Is there a way by which OpenScap tool will
> provide such evidence detail? Am I missing any switch/option/configuration?
> Any audit log kind of thing that can be used for this purpose?
Check out --results-arf. Consider also trying scap-workbench that does all
of this for you.
> If there is no direct way of getting that data from the tool, is there a
> way to hook an external script/program that will grab the details while any
> test is getting executed?
Right now there is no support for partial results except the high-level
pass/fail for rules. This could be implemented but as of now there were no
requests for this feature AFAIK.
--
Martin Preisler
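The reply above says the evidence is the configuration file and the content the check did not like, and that it lands in the OVAL results (`--oval-results`, or embedded in the ARF from `--results-arf`). The following is an added example, not code from the thread or from the OpenSCAP project: it walks a constructed, abridged OVAL results document in the shape OpenSCAP writes, follows each failed definition to its failed criteria, tests and collected items, and returns the item fields (here a `textfilecontent_item` with the file path and the matching line). All ids, the sample content and the `PASS_MIN_LEN` value are made up for the example.

```python
"""Extract evidence for failed OVAL tests from an OpenSCAP OVAL results file.

Added example, not OpenSCAP code. SAMPLE_OVAL_RESULTS below is a constructed,
abridged results document (no <oval_definitions>, <generator> or
<collected_objects> sections); ids and values are invented.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5",
}

# Constructed sample: definition 1 fails because the collected line in
# /etc/login.defs is "PASS_MIN_LEN 5"; definition 2 passes.
SAMPLE_OVAL_RESULTS = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
  xmlns:oval-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"
  xmlns:ind-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#independent">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="false">
          <criteria operator="AND" result="false">
            <criterion test_ref="oval:example:tst:1" result="false"/>
          </criteria>
        </definition>
        <definition definition_id="oval:example:def:2" version="1" result="true">
          <criteria operator="AND" result="true">
            <criterion test_ref="oval:example:tst:2" result="true"/>
          </criteria>
        </definition>
      </definitions>
      <tests>
        <test test_id="oval:example:tst:1" version="1" check="all" result="false">
          <tested_item item_id="1000" result="false"/>
        </test>
        <test test_id="oval:example:tst:2" version="1" check="all" result="true">
          <tested_item item_id="1001" result="true"/>
        </test>
      </tests>
      <oval-sc:oval_system_characteristics>
        <oval-sc:system_data>
          <ind-sc:textfilecontent_item id="1000" status="exists">
            <ind-sc:filepath>/etc/login.defs</ind-sc:filepath>
            <ind-sc:text>PASS_MIN_LEN 5</ind-sc:text>
          </ind-sc:textfilecontent_item>
          <ind-sc:textfilecontent_item id="1001" status="exists">
            <ind-sc:filepath>/etc/login.defs</ind-sc:filepath>
            <ind-sc:text>PASS_MAX_DAYS 90</ind-sc:text>
          </ind-sc:textfilecontent_item>
        </oval-sc:system_data>
      </oval-sc:oval_system_characteristics>
    </system>
  </results>
</oval_results>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.split("}")[-1]


def failed_test_evidence(xml_text):
    """Return one dict per failed tested item reachable from a failed definition."""
    root = ET.fromstring(xml_text)
    system = root.find("res:results/res:system", NS)
    # Index tests by id and collected system-characteristics items by id.
    tests = {t.get("test_id"): t for t in system.findall("res:tests/res:test", NS)}
    items = {}
    for item in system.find("sc:oval_system_characteristics/sc:system_data", NS):
        items[item.get("id")] = item

    evidence = []
    for definition in system.findall("res:definitions/res:definition", NS):
        if definition.get("result") != "false":
            continue
        # criterion elements may be nested under several criteria levels
        for criterion in definition.iter("{%s}criterion" % NS["res"]):
            if criterion.get("result") != "false":
                continue
            test = tests.get(criterion.get("test_ref"))
            if test is None:
                continue
            for tested in test.findall("res:tested_item", NS):
                item = items.get(tested.get("item_id"))
                if tested.get("result") != "false" or item is None:
                    continue
                evidence.append({
                    "definition": definition.get("definition_id"),
                    "test": test.get("test_id"),
                    "item_type": _local(item.tag),
                    "fields": {_local(c.tag): (c.text or "") for c in item},
                })
    return evidence


if __name__ == "__main__":
    # Pass a real OVAL results file as the first argument, else use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OVAL_RESULTS
    for entry in failed_test_evidence(text):
        print(entry["definition"], entry["test"], entry["item_type"], entry["fields"])
```

With `--results-arf` the same `oval_results` element is embedded inside the ARF report rather than written as a stand-alone file, so locate that element first and hand it to the function. Items collected by other probes (for example `passwordpolicy` or `file` items) come back through the same path; only the field names in `fields` differ.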