[Open-scap] OpenSCAP integration in OSSEC

Martin Preisler mpreisle at redhat.com
Wed Sep 23 09:27:10 UTC 2015


----- Original Message -----
> From: "theresa mic-snare" <rockprinzess at gmail.com>
> To: "ossec-dev" <ossec-dev at googlegroups.com>
> Cc: open-scap-list at redhat.com
> Sent: Monday, September 14, 2015 10:09:11 AM
> Subject: OpenSCAP integration in OSSEC
> 
> Hi OpenSCAP List & OSSEC Devs,

Hi,
sorry about replying so late. Your email got dropped by our mailing list :-(

> Last week I've created a feature request on Github to ask for integration
> of OpenSCAP into OSSEC.
> Judging by the comments this has been welcomed by the OSSEC Dev community.
> https://github.com/ossec/ossec-hids/issues/664

That's great to see.

> Šimon Lukašík (Red Hat) offered to help us integrate OpenSCAP into the
> popular
> Host-IDS OSSEC.
> At the moment I know very little about OpenSCAP, I only just installed it
> on my CentOS box, where I also have OSSEC running.
> The way we have CIS-checks integrated into OSSEC at the moment is
> pretty incomplete and very static (only just a plain text file).
> So integrating a tool like OpenSCAP would come in handy and is very
> welcomed.
> 
> Judging from the sample reports, e.g
> https://mpreisle.fedorapeople.org/openscap/report-xccdf.html
> 
> I see that OpenSCAP also uses Rule-IDs and Timestamps.
> I'm not an expert but I think these reports could be also integrated
> into OSSEC??

It seems so. The reports can be customized to fit the OSSEC reports,
see http://martin.preisler.me/2015/06/customizing-html-reports-guides-openscap/

> at the moment I have not yet figured out what the basic commands are to
> run OpenSCAP periodically.
> From what I understand the OpenSCAP modules/profiles are maintained
> through Red Hat, and therefore updated through yum?!

scap-security-guide is the SCAP content, it is packaged and updated
using yum. openscap is the tool and it is also updated using yum.

There are several options for running openscap periodically:
- cron job
- spacewalk / satellite 5
- foreman / satellite 6

We are working on a few more but those are not finished yet :-)

> maybe one of you can also post there, to tell us what would be
> necessary for the integration.
> Could these checks also be triggered remotely?

Check out oscap-ssh for scanning remote machines:
http://martin.preisler.me/2015/05/scanning-remote-machines-with-openscap/

-- 
Martin Preisler
Security Technologies | Red Hat, Inc.
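The rule IDs and timestamps the thread mentions live in the XCCDF results file that `oscap xccdf eval --results <file>` writes; one way to feed them to a log-based HIDS such as OSSEC is to flatten each rule result into a single log line. This is an added example, not code from the thread or from the OpenSCAP project: the results document is constructed inline, and the key=value line format is an assumption, not an OSSEC convention.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by current oscap results files (assumption:
# results produced from older 1.1 content use a different namespace).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample results file: three rule results, one of them failing.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_sample"
              start-time="2015-09-14T10:00:00" end-time="2015-09-14T10:01:30">
    <target>host.example.test</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
                 time="2015-09-14T10:00:05" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords"
                 time="2015-09-14T10:00:06" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_not_applicable"
                 time="2015-09-14T10:00:07" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def rule_results(xml_text):
    """Return (rule_id, result, time, severity, target) tuples from an XCCDF results document."""
    ns = {"x": XCCDF_NS}
    root = ET.fromstring(xml_text)
    out = []
    for tr in root.findall(".//x:TestResult", ns):
        target = tr.findtext("x:target", default="unknown", namespaces=ns)
        for rr in tr.findall("x:rule-result", ns):
            out.append((rr.get("idref"), rr.findtext("x:result", namespaces=ns),
                        rr.get("time"), rr.get("severity", "unknown"), target))
    return out

def to_log_lines(xml_text, only=("fail", "error", "unknown")):
    """One line per rule whose result is in `only` (failures by default), so a
    log decoder can match on the rule id and the scan timestamp."""
    lines = []
    for rule_id, result, when, severity, target in rule_results(xml_text):
        if result in only:
            lines.append(f"{when} openscap: target={target} rule={rule_id} "
                         f"result={result} severity={severity}")
    return lines

if __name__ == "__main__":
    for line in to_log_lines(SAMPLE_RESULTS):
        print(line)
```

Pointing a log collector at the file these lines are appended to gives a stream with one event per failed rule, which is what a rule-id based alert needs.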