[Open-scap] OpenSCAP for embedded/network devices

Watson Yuuma Sato wsato at redhat.com
Wed Mar 15 14:33:49 UTC 2017 

On 25/02/17 16:43, Lee Wilson wrote:
>
> Hi Everyone,
>
Hi Lee, sorry for delayed response.
>
>
> I've recently come across OpenSCAP after wasting my time with 
> openVAS as a means of improving the way my company does vulnerability 
> and configuration management of our network devices (e.g. Cisco, 
> Juniper, Palo Alto, etc).
>
>
> From an initial review though, it seems in it's current state to very 
> server focused. Would that be a fair assessment?
>
I wouldn't say so but I guess you can, OpenSCAP was designed with 
machines in mind. And recent efforts have been directed to container and 
container image.
>
>
> Back in January 2016 someone posted a similar query on this list where 
> it was suggested to use jovalcm but that is a propriatary product and 
> they have ceased all development on the open source variant.
>
> https://www.redhat.com/archives/open-scap-list/2016-January/msg00000.html
>
I'm think it is still true, we don't have support for Cisco.

> As far as I can tell there is nothing in the underlying architecture 
> that prevents this from working, the main issue being that it is 
> required for the various scripts to be copied to the device being 
> scanned. This is required even when using the remote SSH scanning 
> option according to the documentation:
>
> http://martin.preisler.me/2015/05/scanning-remote-machines-with-openscap/
>
I think that by script you mean the SCAP contents, or policies. Yes, 
even when using remote scanning the contents are copied into remote machine.
And the remote machine also needs to have oscap-scanner installed.

> I came across a presentation which pretty much covers what I'm trying 
> to do:
>
> https://scap.nist.gov/events/2011/itsac/presentations/day3/Nunez%20-%20SCAP%20for%20Inter-networking%20Devices.pdf
>
>
> The use of the Script Check Engine intriges me but I believe I'll 
> still be restricted as those scripts still need to be copied to the 
> server but it does mention that environment variables can be passed to 
> the script so that remote checks can be run and then the output saved 
> as check result files as documented:
>
> https://www.open-scap.org/features/other-standards/sce/
>
I'm not much familiar with SCE, but I'll try to explain.
What happens is that oscap will copy the SCAP contents to remote 
machine, along with checking scripts.
And where defined in this content, that instead of an OVAL check, the 
checking script should be used,
oscap will pass the checking script and environment variables defined in 
the content to SCE (Script Check Engine).
Then SCE, with scripts and environment variables will perform the check.

>
> In essence the steps would be:
>
> 1) Specify profile to run and the target(s) to run on
>
> 2) Pass target hostname/ip along with (perhaps) login credentials 
> (e.g. username/password or SNMP community) to the script
>
> 3) Script runs on the same device as the SCAP workbench, logging into 
> the device via the appropriate method (SSH or SNMP)
>
> 4) Results are saved as check-result files to be picked up by the 
> oscap tool forprocessing
>
The checking script doesn't need to know any credentials. Oscap will 
receive the credentials, login to the target machine and copy content 
and scripts.
If performing remote scan with SCAP workbench no content or script scan 
is performed in local machine.

>
> The only concern I have the moment with this approach is that it would 
> require multiple SSH logins (one for each script run) but I'm sure 
> improvements could be made in the future to batch them during a single 
> login session.
>
AFAIK It requires one SSH login per device/machine scanned.
>
>
> Alternatively would it be possible for all the above steps to be run 
> in advance and then just have the oscap tool look as the resulting 
> check-result files, in effect doing something similar to an offline 
> config audit? This would be considered a local scan I guess, no 
> different to a customer handing me a raw cisco cli output/config and 
> saying here audit this.
>
Whether performing local or remote scan, OpenSCAP can generate XCCDF 
results and HTML reports for someone to audit.
>
>
> I'd be interested in trying to get something like this working but if 
> anyone has got any experience and can tell me if I'm wasting my time 
> or not, it would be appreciated.
>
I think the major blocker here is that OpenSCAP needs an agent in the 
target machine being scanned, and we don't have such for Cisco.
I don't know what Cisco runs underneath nor the difficulty on making it 
run on it.
>
>
> Thanks in advance
>
Hope to have clarified your vision on what OpenSCAP is capable.
>
>
> Lee
>
>
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list


-- 
Watson Sato
Security Technologies | Red Hat, Inc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20170315/4e2bed42/attachment.htm>

More information about the Open-scap-list mailing list