[Open-scap] Open SCAP for Windows

Mohanraj, Bharath bharath_mohanraj_tp at bmc.com
Thu Feb 9 09:02:37 UTC 2017 

Thankyou for the detailed explanation, Jan. I will discuss this with my team here and will get back to you.

Regards,
Bharath M

-----Original Message-----
From: Jan Cerny [mailto:jcerny at redhat.com] 
Sent: Thursday, February 09, 2017 1:55 PM
To: Mohanraj, Bharath
Cc: open-scap-list at redhat.com
Subject: Re: [Open-scap] Open SCAP for Windows

Hi Bharath,

We're very pleased that you're interested in OpenSCAP project.

Indeed, OpenSCAP is a great tool for evaluating compliance with a given
security policy for bare-metal machines, virtual machines and also containers.

Actually, OpenSCAP was designed to be able to integrate with other products,
and it already is integrated with system management solutions like ManageIQ,
Red Hat Satellite, and Project Atomic.

I will try to answer your questions.

ad 1) Define a security policy (SCAP Content):

First of all, I'd like to mention that our project "SCAP Security Guide" [1]
provides tested and verified SCAP Content for various systems.
It implements popular security benchmarks like PCI-DSS, STIG or USGCB.
Windows is not currently supported by SCAP Security Guide, but that's
just because nobody started implementing it. It's an open-source project,
so any contributions are welcome :-)

Secondly, if the content provided by "SCAP Security Guide" doesn't exactly
fit user's needs, it can be easily customized by a GUI tool called
SCAP Workbench.

Also, we in OpenSCAP strongly focus on compliance with SCAP standards
as defined by specification. That means OpenSCAP is able to evaluate any
SCAP content that you can obtain from third-party sources (there are many
available) our create yourself.

Unfortunately, we don't provide any "SCAP editor" that would enable
to create security policies from scratch for people with any knowledge
of respective SCAP standards. That's mainly because of complexity of 
the standards, so people rather prefer to have SCAP content written
by security experts than spending weeks by struggling with SCAP languages.


ad 2) Scan a Windows machine:

We can't scan Windows machines now, because we don't have implemented
Windows checks yet.

Fortunately, our developer Raphael Sanchez Prudencio started to work
on Windows scanning last week. He is in design phase now, and he has
started a discussion on the mailing list recently [2].
If you have any comments or if you are able to help him somehow,
please don't hesitate to contact him.


ad 3) Get the results from Open SCAP on whether the Windows machine is compliant

This requirement obviously needs to have Windows scanning implemented
first :-) as I mentioned above.

On Linux, it is possible to get the results either in machine-readable form
of XML documents or as a very nice detailed HTML report that user can display
in his web browser. If Windows will be supported in future, reporting should
work in the same way as on Linux.



[1] https://urldefense.proofpoint.com/v2/url?u=https-3A__www.open-2Dscap.org_security-2Dpolicies_scap-2Dsecurity-2Dguide_&d=CwIFaQ&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=AUaowh4kDgwmfFF8B9dpIGVcrfeOZDaHu6Di1CZTnp4&m=6wh69S7-VLPd67PefRgUWaRDngvqyBGwloUIiu1ULIk&s=QC_FyHkeZSYVA_RXoHaPl4jFZoZjPVnQd8fkg5lyqKY&e= 
[2] https://urldefense.proofpoint.com/v2/url?u=https-3A__www.redhat.com_archives_open-2Dscap-2Dlist_2017-2DFebruary_msg00001.html&d=CwIFaQ&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=AUaowh4kDgwmfFF8B9dpIGVcrfeOZDaHu6Di1CZTnp4&m=6wh69S7-VLPd67PefRgUWaRDngvqyBGwloUIiu1ULIk&s=Xnyuu2a6RIG98NTFRr_UsUjTVoaSGK_7LPS4DN6UDqg&e= 


I hope that I helped you a little and I'm looking forward to hear from you again.

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.



----- Original Message -----
> From: "Bharath Mohanraj" <bharath_mohanraj_tp at bmc.com>
> To: open-scap-list at redhat.com
> Sent: Wednesday, February 8, 2017 7:34:19 AM
> Subject: [Open-scap] Open SCAP for Windows
> 
> 
> 
> Hi Team,
> 
> 
> 
> I work for a client management product, and I see Open SCAP to be a promising
> solution for validating compliance of machines based on a defined policy.
> 
> 
> 
> I’m more interested in making use of Open SCAP in the product I work for, but
> however I need some assistance from you.
> 
> 
> 
> Please let me know if this can be achieved,
> 
> - Define a security policy (SCAP Content)
> 
> - Scan a Windows machine
> 
> - Get the results from Open SCAP on whether the Windows machine is compliant
> 
> 
> 
> Please let me know if this can be achieved.
> 
> 
> 
> Regards,
> 
> Bharath M
> 
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.redhat.com_mailman_listinfo_open-2Dscap-2Dlist&d=CwIFaQ&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=AUaowh4kDgwmfFF8B9dpIGVcrfeOZDaHu6Di1CZTnp4&m=6wh69S7-VLPd67PefRgUWaRDngvqyBGwloUIiu1ULIk&s=On5li6cvuSS9drcI1cgw5VT5hUgcCgJFj5t76juvBwc&e=

More information about the Open-scap-list mailing list