From ml+openscap at kcore.org Wed Apr 11 14:10:14 2018
From: ml+openscap at kcore.org (ml+openscap at kcore.org)
Date: Wed, 11 Apr 2018 16:10:14 +0200
Subject: [Open-scap] OVAL filtering on directories?
Message-ID: <1523455814.682237.1334345176.13056AB4@webmail.messagingengine.com>
Hello list,
I'm fairly new to OVAL, and for a project I'm documenting several of our configuration rules into XCCDF, and adding OVAL rules to them to be able to have automated testing afterwards.
For most it's fairly straightforward, but for one I'm stumped and can't seem to get it right.
I want to scan /usr/foo and check that all directories in that directory have the correct permissions (0755).
(Also same but check that all files have the right selinux context.)
For some reason, I can't seem to get it to filter the way I want. The oval collector always returns
Collected: "oval:com.foobar:obj:24" : does not exist
OVAL content:
/usr/foo permissions/usr/foo directory (and subdirectories) should have permissions 0755 (rwx r-x r-x)Red Hat Enterprise Linux 7/usr/foooval:com.foobar:obj:25oval:com.foobar:ste:21/usr/foo^.*$falsefalsefalsetruetruetruetruefalsetruetruefalsetruedirectoryfalsefalsefalsetruetruetruetruefalsetruetruefalsetrue
It seems that the include action filter on ste:21 is the problem - if I remove this, I get a bunch of files returned. If I change this to e.g. an exclude filter on "regular", I'll just get all the other files. But an include on "directory" seems to not work?
I also tried using two exclude filters, but that also returned no results.
Any ideas?
Thanks in advance.
From jcerny at redhat.com Fri Apr 13 08:36:06 2018
From: jcerny at redhat.com (Jan Cerny)
Date: Fri, 13 Apr 2018 04:36:06 -0400 (EDT)
Subject: [Open-scap] OVAL filtering on directories?
In-Reply-To: <1523455814.682237.1334345176.13056AB4@webmail.messagingengine.com>
References: <1523455814.682237.1334345176.13056AB4@webmail.messagingengine.com>
Message-ID: <414059530.20698185.1523608566544.JavaMail.zimbra@redhat.com>
Hi,
I'm afraid you have discovered a bug in OpenSCAP.
The problem isn't with the filters, but the problem is that OpenSCAP completely ignores directories.
I have reduced your OVAL to just collect everything under /usr/foo, I removed the filters. See the attachment.
I run the following commands:
sudo mkdir -p /usr/foo/bar
sudo oscap oval eval --verbose INFO --results results.xml directory_reproducer.xml
The results.xml does not contain any collected object, which shouldn't happen,
there should be the "bar" directory collected.
This needs to be fixed in OpenSCAP source code.
Regards
Jan Černý
Security Technologies | Red Hat, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: directory_reproducer.xml
Type: application/xml
Size: 2266 bytes
Desc: not available
URL:
From Jason.Donald at mantech.com Fri Apr 13 12:19:08 2018
From: Jason.Donald at mantech.com (Donald, Jason E)
Date: Fri, 13 Apr 2018 12:19:08 +0000
Subject: [Open-scap] Result Reference ID's not importing over
Message-ID:
Greetings
Thank you for the update on importing the STIG results into STIGviewer from a RHEL7 scan.
I noticed that only some of the checks are imported over and it leaves at least 149 not reviewed. The result reference ID's were not found in the Checklist STIG. Is there action to mitigate this?
This capability is so needed.
Thank you
From wsato at redhat.com Mon Apr 16 15:41:29 2018
From: wsato at redhat.com (Watson Yuuma Sato)
Date: Mon, 16 Apr 2018 17:41:29 +0200
Subject: [Open-scap] Result Reference ID's not importing over
In-Reply-To:
References:
Message-ID: <7ac11098-7117-504f-c423-f46f13ad74d2@redhat.com>
On 13/04/18 14:19, Donald, Jason E wrote:
> Greetings
>
> Thank you for the update on importing the STIG results into STIGviewer from a RHEL7 scan.
> I noticed that only some of the checks are imported over and it leaves at least 149 not reviewed. The result reference ID's were not found in the Checklist STIG. Is there action to mitigate this?
Hello,
May I ask what version of STIG content you have loaded in STIGViewer,
and what version of SSG you used for scan?
Did you get errors about unknown ID's?
For optimal matching of ID's, the version of STIG content loaded and
version of STIG Profile in SSG need to match.
Current STIG Profile in SSG is aligned to v1r1, in latest upstream there
have been patches to align with v1r4.
Also, another reason that can add to the number of Rules "not reviewed"
is that not all Rules have checks.
> This capability is so needed.
> Thank you
>
--
Watson Sato
Security Technologies | Red Hat, Inc
From joy.latten at canonical.com Wed Apr 18 23:07:14 2018
From: joy.latten at canonical.com (Joy Latten)
Date: Wed, 18 Apr 2018 18:07:14 -0500
Subject: [Open-scap] Debugging xinetd_probe
Message-ID:
Hi,
I am new to OVAL, so my apologies if I make a few incorrect
statements. I get weird results when I scan some OVAL that I and a
colleague wrote for xinetd. I would like to dig a bit deeper to get an
understanding of what is going on and see if the problem is in the oval
or the xinetd_probe. I took a look at the OpenSCAP User Manual in the
section about Debugging. I would like to run gdb on the xinetd_probe, so
did
./run gdb src/OVAL/probes/.libs/probe_xinetd
within gdb I entered the following that I cut-and-paste from my logfile,
run ("seap.msg" ":id" 0 (("xinetd_object" ":id" "oval:com.myubuntu:obj:5536" ":oval_version" "5.11.1" ) (("protocol" ":operation" 5 ":var_check" 1 ) "tcp" ) (("service_name" ":operation" 5 ":var_check" 1 ) "chargen" ) ) )
but I get the error message,
/bin/bash: -c: line 0: syntax error near unexpected token `('
During startup program exited with code 1.
(gdb)
What is the correct way to enter input to debug a probe in gdb?
Thanks!
regards,
Joy
From slukasik at redhat.com Thu Apr 19 05:52:36 2018
From: slukasik at redhat.com (Šimon Lukašík)
Date: Thu, 19 Apr 2018 07:52:36 +0200
Subject: [Open-scap] Debugging xinetd_probe
In-Reply-To:
References:
Message-ID: <3cd57de1-4fe0-c2c6-5037-195f194666bb@redhat.com>
On 04/19/2018 01:07 AM, Joy Latten wrote:
> Hi,
>
> I am new to OVAL, so my apologies if I make a few incorrect
> statements. I get weird results when I scan some OVAL that I and a
> colleague wrote for xinetd. I would like to dig a bit deeper to get an
> understanding of what is going on and see if the problem is in the oval
> or the xinetd_probe. I took a look at the OpenSCAP User Manual in the
> section about Debugging. I would like to run gdb on the xinetd_probe, so
> did
>
> ./run gdb src/OVAL/probes/.libs/probe_xinetd
>
> within gdb I entered the following that I cut-and-paste from my logfile,
>
> run ("seap.msg" ":id" 0 (("xinetd_object" ":id" "oval:com.myubuntu:obj:5536" ":oval_version" "5.11.1" ) (("protocol" ":operation" 5 ":var_check" 1 ) "tcp" ) (("service_name" ":operation" 5 ":var_check" 1 ) "chargen" ) ) )
>
> but I get the error message,
>
> /bin/bash: -c: line 0: syntax error near unexpected token `('
> During startup program exited with code 1.
> (gdb)
>
> What is the correct way to enter input to debug a probe in gdb?
>
I wish I had remembered. :-)
I think the SEXP (the input you pass in) needs to go to stdin of the probe
(but it has been a while since I have been there).
I think I replaced the probe with a shell script that runs the probe and
logs inputs and outputs and this way I learned to debug it.
Good luck,
~š.
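Added example, not part of the original message and not OpenSCAP code: one way to build the logging wrapper described in the reply above. It assumes the probe exchanges its messages over stdin/stdout as the reply suggests; the function names, the ".real" suffix and the log file naming are hypothetical.

```shell
#!/bin/sh
# Swap a probe binary for a wrapper that records everything the probe
# reads on stdin and writes on stdout, then restore it afterwards.
# Usage (paths are examples only):
#   install_probe_wrapper /abs/path/to/probe_xinetd /abs/path/to/logdir
#   ... run the scan, read logdir/probe_xinetd.<pid>.in and .out ...
#   remove_probe_wrapper /abs/path/to/probe_xinetd

install_probe_wrapper() {
    probe=$1     # absolute path to the probe binary
    logdir=$2    # absolute path of the directory that receives the logs

    # The wrapper is started from another working directory, so both
    # paths have to be absolute.
    case $probe in /*) ;; *) echo "need absolute probe path" >&2; return 1 ;; esac
    case $logdir in /*) ;; *) echo "need absolute log dir" >&2; return 1 ;; esac

    if [ ! -x "$probe" ]; then
        echo "not executable: $probe" >&2
        return 1
    fi
    # Wrapping twice would overwrite the saved binary with the wrapper.
    if [ -e "$probe.real" ]; then
        echo "already wrapped: $probe" >&2
        return 1
    fi

    # Probe traffic contains data collected from the system, often as
    # root, so keep the log directory private.
    ( umask 077; mkdir -p "$logdir" ) || return 1
    mv "$probe" "$probe.real" || return 1

    # $probe and $logdir are expanded now; the \$ items are expanded
    # each time the wrapper runs.
    cat > "$probe" <<EOF
#!/bin/sh
# Generated logging wrapper: one .in/.out pair per probe invocation.
umask 077
log="$logdir/\$(basename "\$0").\$\$"
# The exit status seen by the caller is tee's, not the probe's.
tee "\$log.in" | "$probe.real" "\$@" | tee "\$log.out"
EOF
    chmod 755 "$probe"
}

remove_probe_wrapper() {
    probe=$1
    if [ ! -e "$probe.real" ]; then
        echo "not wrapped: $probe" >&2
        return 1
    fi
    mv -f "$probe.real" "$probe"
}
```

The captured ".in" file can then be fed back to the saved binary under gdb with "run < file", which avoids the shell parsing the S-expression as command-line arguments.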
From jcerny at redhat.com Thu Apr 19 12:47:12 2018
From: jcerny at redhat.com (Jan Cerny)
Date: Thu, 19 Apr 2018 08:47:12 -0400 (EDT)
Subject: [Open-scap] Debugging xinetd_probe
In-Reply-To: <3cd57de1-4fe0-c2c6-5037-195f194666bb@redhat.com>
References:
<3cd57de1-4fe0-c2c6-5037-195f194666bb@redhat.com>
Message-ID: <1242325943.22512747.1524142032265.JavaMail.zimbra@redhat.com>
Hi,
it could be easier to debug the probe in 'master' branch, where probes are not separate processes,
but are included in the oscap process.
Regards
Jan Černý
Security Technologies | Red Hat, Inc.
From bharath_mohanraj_tp at bmc.com Tue Apr 24 15:32:06 2018
From: bharath_mohanraj_tp at bmc.com (Mohanraj, Bharath)
Date: Tue, 24 Apr 2018 15:32:06 +0000
Subject: [Open-scap] OSCAP Scanner Binaries
Message-ID:
Hi All,
I'm new to OpenSCAP and Unix world, but I'm very interested in trying out the Open SCAP solution...
I have a RHEL 7 machine for testing this out... From documentation, I see the first step is to get the oscap scanner available in my machine. In order to get that, I need to run "yum install openscap-scanner"
My question here is, though I understand that the scanner comes as an rpm bundle here, is there a way I can just get the binaries directly rather than using "yum"... so that I can place the oscap binaries in a folder and run the commands by using the files in this folder.
Is this possible? Any thoughts?
Thanks in advance.
Regards,
Bharath M
From mharris at redhat.com Tue Apr 24 16:07:59 2018
From: mharris at redhat.com (Mike Harris)
Date: Tue, 24 Apr 2018 12:07:59 -0400
Subject: [Open-scap] OSCAP Scanner Binaries
In-Reply-To:
References:
Message-ID:
I may be misunderstanding, BUT, are you talking about, using something like
downloading rpms without installing them:
https://access.redhat.com/solutions/10154
--
MIKE HARRIS
CONSULTANT, RHCE, CISSP
Red Hat
mharris at redhat.com M: (702)518-7467
gpg keyid: 4096R/48550583 gpg fingerprint: B358 9572 B772 ECF6 643D 3EF5
D10C 3012 4855 0583
From bharath_mohanraj_tp at bmc.com Tue Apr 24 16:50:26 2018
From: bharath_mohanraj_tp at bmc.com (Mohanraj, Bharath)
Date: Tue, 24 Apr 2018 16:50:26 +0000
Subject: [Open-scap] OSCAP Scanner Binaries
In-Reply-To:
References:
Message-ID: <249d9e710f8c4d7aab38b7b8ce62649d@phx-exmbprd-02.adprod.bmc.com>
No... Let me try to give more details...
In my environment, it is not guaranteed that all machines will have "yum" in them...
So, I was thinking of an alternative for "yum"... something like, I get the files that will be deployed by yum as raw binaries, and just place them in a and trigger "oscap" scan command using the same...
From gapinski at nasa.gov Tue Apr 24 17:07:45 2018
From: gapinski at nasa.gov (Gary Gapinski)
Date: Tue, 24 Apr 2018 13:07:45 -0400
Subject: [Open-scap] OSCAP Scanner Binaries
In-Reply-To: <249d9e710f8c4d7aab38b7b8ce62649d@phx-exmbprd-02.adprod.bmc.com>
References:
<249d9e710f8c4d7aab38b7b8ce62649d@phx-exmbprd-02.adprod.bmc.com>
Message-ID:
An HTML attachment was scrubbed...
URL:
From bharath_mohanraj_tp at bmc.com Tue Apr 24 17:12:32 2018
From: bharath_mohanraj_tp at bmc.com (Mohanraj, Bharath)
Date: Tue, 24 Apr 2018 17:12:32 +0000
Subject: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries
In-Reply-To:
References:
<249d9e710f8c4d7aab38b7b8ce62649d@phx-exmbprd-02.adprod.bmc.com>
Message-ID: <8d42dcbbf58342a88f30dd8db0dce728@phx-exmbprd-02.adprod.bmc.com>
Thanks for the info...
The first thing I want to avoid is my enduser machines hitting the internet for downloading packages... So, I prefer having them as RPM files locally and trigger installation of the same... But, in case the RPM installation fails for some reason, then just placing the files at required locations will be my fallback...
Do you see any problems with this approach, that might affect oscap functionality?
From: Gary Gapinski [mailto:gapinski at nasa.gov]
Sent: Tuesday, April 24, 2018 10:38 PM
To: Mohanraj, Bharath ; Mike Harris
Cc: open-scap-list at redhat.com
Subject: [Suspected Spam] Re: [Open-scap] OSCAP Scanner Binaries
In addition to executable binaries (and libraries), there are ancillary files that must accompany the binaries.
These could be extracted from an RPM and manually deployed.
But: why not just use the rpm command to install the related RPMs?
Regards,
Gary
From shawn at redhat.com Tue Apr 24 17:55:21 2018
From: shawn at redhat.com (Shawn Wells)
Date: Tue, 24 Apr 2018 13:55:21 -0400
Subject: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries
In-Reply-To: <8d42dcbbf58342a88f30dd8db0dce728@phx-exmbprd-02.adprod.bmc.com>
References:
<249d9e710f8c4d7aab38b7b8ce62649d@phx-exmbprd-02.adprod.bmc.com>
<8d42dcbbf58342a88f30dd8db0dce728@phx-exmbprd-02.adprod.bmc.com>
Message-ID: <235783a7-8812-cf65-6190-9670b8121fa8@redhat.com>
On 4/24/18 1:12 PM, Mohanraj, Bharath wrote:
>
> Thanks for the info...
>
> The first thing I want to avoid is my enduser machines hitting the
> internet for downloading packages... So, I prefer having them as RPM
> files locally and trigger installation of the same... But, in case the
> RPM installation fails for some reason, then just placing the files at
> required locations will be my fallback...
>
> Do you see any problems with this approach, that might affect oscap
> functionality?
>
While technically possible, using the operating system's native package
manager is generally recommended.
You can download the RPM file from Red Hat using the links/instructions
Mike Harris sent.
From there a "yum localinstall " could be used.
From slukasik at redhat.com Wed Apr 25 07:38:41 2018
From: slukasik at redhat.com (Šimon Lukašík)
Date: Wed, 25 Apr 2018 09:38:41 +0200
Subject: [Open-scap] [Suspected Spam] Re: OSCAP Scanner Binaries
In-Reply-To: <8d42dcbbf58342a88f30dd8db0dce728@phx-exmbprd-02.adprod.bmc.com>
References:
<249d9e710f8c4d7aab38b7b8ce62649d@phx-exmbprd-02.adprod.bmc.com>
<8d42dcbbf58342a88f30dd8db0dce728@phx-exmbprd-02.adprod.bmc.com>
Message-ID: <0d9b119a-69ca-06e9-0426-54664a543c5a@redhat.com>
On 04/24/2018 07:12 PM, Mohanraj, Bharath wrote:
> Thanks for the info...
>
> The first thing I want to avoid is my enduser machines hitting the
> internet for downloading packages... So, I prefer having them as RPM files
> locally and trigger installation of the same... But, in case the RPM
> installation fails for some reason, then just placing the files at
> required locations will be my fallback...
>
>
> Do you see any problems with this approach, that might affect oscap
> functionality?
>
Well the problem is that if you used the tools that are available you
could have more time for barbecue, philately, beach volleyball or even
civic engagement. [*]
I appreciate your point that some systems won't have yum and some
systems would prefer not to hit the internet randomly. However, I would try
to analyze the situation more broadly to assess whether there could be
some other solution. Copying the content of RPMs sounds like too much work
for poor humans. Perhaps there are not too many non-yum systems?
In the last two decades the open source world tried to reinvent software
deployment multiple times. Each iteration was different, brought
different sets of issues and solutions, but each moved us forward.
Forward towards more controlled and automated deployment, further away
from copying binaries to all systems by hand.
I don't know what would be the best for your particular use-case.
However, I believe there has to be a better way than copying the contents
of RPMs (not one, but all the dependencies).
Very kind regards and good luck!
~š.
[*] I recommend philately. See this one:
https://www.sbiram.cz/soubory/produkty/3h-1k-serie-michane-typy-nr.33-47-razitkovane.jpg
From raymond.rm.mercier at gmail.com Wed Apr 25 07:47:31 2018
From: raymond.rm.mercier at gmail.com (Raymond Mercier)
Date: Wed, 25 Apr 2018 09:47:31 +0200
Subject: [Open-scap] Not able to make SCE script working
Message-ID:
Hi all,
I'm trying to use SCE script in openscap ds file and all I get is
"notchecked" status
my ds file is attached
The command I start is:
[root]# oscap xccdf eval --profile xccdf_1_profile_1 rm-ds.xml
the result I get is:
Title selinux
Rule xccdf_1_rule_1402
Result notchecked
I think something is wrong around "Rule id="xccdf_1_rule_1402" but I don't
understand the problem
The script file to execute (scap_1402.sh) is in the same directory as xml
file, and has valid syntax and correct rights. In standalone mode, it works
but it seems to never be called by oscap
The OS is centos
[root]# uname -a
Linux ip-127.0.0.1.compute.internal 3.10.0-693.21.1.el7.x86_64 #1 SMP
Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
The scap installed packages are:
[root]# yum list installed | grep scap
openscap.x86_64 1.2.14-3.el7_4 @updates
openscap-engine-sce.x86_64 1.2.14-3.el7_4 @updates
openscap-scanner.x86_64 1.2.14-3.el7_4 @updates
scap-security-guide.noarch 0.1.33-6.el7.centos @updates
Can somebody help me? BTW, excuse my English, it is not my natural language
Raymond
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rm-ds.xml
Type: text/xml
Size: 8038 bytes
Desc: not available
URL:
From slukasik at redhat.com Wed Apr 25 08:12:41 2018
From: slukasik at redhat.com (Šimon Lukašík)
Date: Wed, 25 Apr 2018 10:12:41 +0200
Subject: [Open-scap] Not able to make SCE script working
In-Reply-To:
References:
Message-ID: <7ce926aa-fd15-5211-3bb3-e9f894c3ffa4@redhat.com>
On 04/25/2018 09:47 AM, Raymond Mercier wrote:
>
> selinux
> Checks if you have SELinux enabled
>
This check/system doesn't feel right. :)
The usage at https://www.open-scap.org/features/other-standards/sce/ say
we should use http://open-scap.org/page/SCE instead.
Audit, Fix and Be Merry,
~š.
From raymond.rm.mercier at gmail.com Wed Apr 25 08:24:54 2018
From: raymond.rm.mercier at gmail.com (Raymond Mercier)
Date: Wed, 25 Apr 2018 10:24:54 +0200
Subject: [Open-scap] Not able to make SCE script working
In-Reply-To: <7ce926aa-fd15-5211-3bb3-e9f894c3ffa4@redhat.com>
References:
<7ce926aa-fd15-5211-3bb3-e9f894c3ffa4@redhat.com>
Message-ID:
Hi Simon
I updated, the error message is different (but still present)
xml file:
selinuxChecks if you have SELinux
enabled
output:
[root]# oscap xccdf eval --profile xccdf_1_profile_1 rm-ds.xml
Title selinux
Rule xccdf_1_rule_1402
Result notchecked
OpenSCAP Error: SCE couldn't find script file 'scap_1402.sh'. Expected
location: '/tmp/oscap.3sSrgD/scap_1402.sh'. [sce_engine.c:387]
Same kind of error message if I set absolute path /root/scap_1402.sh
Thank you for help
Raymond
2018-04-25 10:12 GMT+02:00 Šimon Lukašík:
> On 04/25/2018 09:47 AM, Raymond Mercier wrote:
> > selected="true" severity="medium">
> > selinux
> > Checks if you have
> SELinux enabled
> >
>
> This check/system doesn't feel right. :)
>
> The usage at https://www.open-scap.org/features/other-standards/sce/ say
> we should use http://open-scap.org/page/SCE instead.
>
> Audit, Fix and Be Merry,
> ~š.
>
>
> > import-name="stdout" />
> > href="scap_1402.sh" />
> >
> >
>
From slukasik at redhat.com Wed Apr 25 12:05:57 2018
From: slukasik at redhat.com (Šimon Lukašík)
Date: Wed, 25 Apr 2018 14:05:57 +0200
Subject: [Open-scap] Not able to make SCE script working
In-Reply-To:
References:
<7ce926aa-fd15-5211-3bb3-e9f894c3ffa4@redhat.com>
Message-ID:
On 04/25/2018 10:24 AM, Raymond Mercier wrote:
> Hi Simon
>
> I updated, the error message is different (but still present)
>
> xml file:
> severity="medium">
> selinux
> Checks if you have SELinux
> enabled
>
> output:
> [root]# oscap xccdf eval --profile xccdf_1_profile_1 rm-ds.xml
> Title selinux
> Rule xccdf_1_rule_1402
> Result notchecked
>
> OpenSCAP Error: SCE couldn't find script file 'scap_1402.sh'. Expected
> location: '/tmp/oscap.3sSrgD/scap_1402.sh'. [sce_engine.c:387]
>
I couldn't find the SCE script in your datastream as well.
OpenSCAP just unpacks the Datastream XML into tmp dir like
/tmp/oscap.3sSrgD/ and executes the scan. There is no scap_1402.sh in
the xml you provided.
Best,
~š.
> Same kind of error message if I set absolute path /root/scap_1402.sh
>
> Thank you for help
> Raymond
>
>
> 2018-04-25 10:12 GMT+02:00 Šimon Lukašík:
>
> On 04/25/2018 09:47 AM, Raymond Mercier wrote:
> > selected="true" severity="medium">
> > selinux
> > Checks if you have SELinux enabled
> > system="http://wordpress-www-open-scap-org.b9ad.pro-us-east-1.openshiftapps.com/page/SCE">
>
> This check/system doesn't feel right. :)
>
> The usage at https://www.open-scap.org/features/other-standards/sce/
> say
> we should use http://open-scap.org/page/SCE instead.
>
> Audit, Fix and Be Merry,
> ~š.
>
> > import-name="stdout" />
>
~š.
From raymond.rm.mercier at gmail.com Wed Apr 25 12:10:31 2018
From: raymond.rm.mercier at gmail.com (Raymond Mercier)
Date: Wed, 25 Apr 2018 14:10:31 +0200
Subject: [Open-scap] Not able to make SCE script working
In-Reply-To:
References:
<7ce926aa-fd15-5211-3bb3-e9f894c3ffa4@redhat.com>
Message-ID:
Yes, because scap_1402.sh is an external script in the same folder as
ds.xml file. I (badly) supposed that oscap program would directly call the
external file but this is not the case.
How can I pack my script in ds.xml file, is there some resource that can
explain?
2018-04-25 14:05 GMT+02:00 Šimon Lukašík:
> On 04/25/2018 10:24 AM, Raymond Mercier wrote:
> > Hi Simon
> >
> > I updated, the error message is different (but still present)
> >
> > xml file:
> > > severity="medium">
> > selinux
> > Checks if you have SELinux
> > enabled
> >
> >
> >
> >
> >
> >
> > output:
> > [root]# oscap xccdf eval --profile xccdf_1_profile_1 rm-ds.xml
> > Title selinux
> > Rule xccdf_1_rule_1402
> > Result notchecked
> >
> > OpenSCAP Error: SCE couldn't find script file 'scap_1402.sh'. Expected
> > location: '/tmp/oscap.3sSrgD/scap_1402.sh'. [sce_engine.c:387]
> >
>
> I couldn't find the SCE script in your datastream as well.
>
> OpenSCAP just unpacks the Datastream XML into tmp dir like
> /tmp/oscap.3sSrgD/ and executes the scan. There is no scap_1402.sh in
> the xml you provided.
>
> Best,
> ~?.
>
> > Same kind of error message if I set absolute path /root/scap_1402.sh
> >
> > Thank you for help
> > Raymond
> >
> >
> > 2018-04-25 10:12 GMT+02:00 Šimon Lukašík:
> >
> > On 04/25/2018 09:47 AM, Raymond Mercier wrote:
> > > selected="true" severity="medium">
> > > selinux
> > > Checks if you have SELinux enabled
> > > system="http://wordpress-www-open-scap-org.b9ad.pro-us-east-1.openshiftapps.com/page/SCE">
> >
> > This check/system doesn't feel right. :)
> >
> > The usage at https://www.open-scap.org/features/other-standards/sce/
> > say
> > we should use http://open-scap.org/page/SCE instead.
> >
> > Audit, Fix and Be Merry,
> > ~š.
> >
> >
> > > > import-name="stdout" />
> > >
> >
> > >
> > >
> >
> >
>
>
> ~š.
>
From slukasik at redhat.com Wed Apr 25 14:32:53 2018
From: slukasik at redhat.com (Šimon Lukašík)
Date: Wed, 25 Apr 2018 16:32:53 +0200
Subject: [Open-scap] Not able to make SCE script working
In-Reply-To:
References:
<7ce926aa-fd15-5211-3bb3-e9f894c3ffa4@redhat.com>
Message-ID: <1fb97115-d65f-15a9-1d87-47490cbe209f@redhat.com>
On 04/25/2018 02:10 PM, Raymond Mercier wrote:
> Yes, because scap_1402.sh is an external script in the same folder as
> ds.xml file. I (badly) supposed that oscap program would directly call
> the external file but this is not the case.
>
I think when you pick the XCCDF file and run
oscap ds sds-compose SOMETHING SOMETHING [*]
it will compose new DS file for you with the script inside.
[*] I don't remember the operands, but `oscap ds sds-compose --help`
should help.
Best,
~š.
> How can I pack my script in ds.xml file, is there some resource than can
> explain ?
>
> 2018-04-25 14:05 GMT+02:00 Šimon Lukašík:
>
> On 04/25/2018 10:24 AM, Raymond Mercier wrote:
> > Hi Simon
> >
> > I updated, the error message is different (but still present)
> >
> > xml file:
> > severity="medium">
> > selinux
> > Checks if you have SELinux
> > enabled
> >
> > output:
> > [root]# oscap xccdf eval --profile xccdf_1_profile_1 rm-ds.xml
> > Title selinux
> > Rule xccdf_1_rule_1402
> > Result notchecked
> >
> > OpenSCAP Error: SCE couldn't find script file 'scap_1402.sh'. Expected
> > location: '/tmp/oscap.3sSrgD/scap_1402.sh'. [sce_engine.c:387]
> >
>
> I couldn't find the SCE script in your datastream as well.
>
> OpenSCAP just unpacks the Datastream XML into tmp dir like
> /tmp/oscap.3sSrgD/ and executes the scan. There is no scap_1402.sh in
> the xml you provided.
>
> Best,
> ~š.
>
> > Same kind of error message if I set absolute path /root/scap_1402.sh
> >
> > Thank you for help
> > Raymond
> >
> >
> > 2018-04-25 10:12 GMT+02:00 Šimon Lukašík:
> >
> > On 04/25/2018 09:47 AM, Raymond Mercier wrote:
> > > selected="true" severity="medium">
> > > selinux
> > > Checks if you have SELinux enabled
> > > system="http://wordpress-www-open-scap-org.b9ad.pro-us-east-1.openshiftapps.com/page/SCE">
> >
> > This check/system doesn't feel right. :)
> >
> > The usage at https://www.open-scap.org/features/other-standards/sce/ say
> > we should use http://open-scap.org/page/SCE instead.
> >
> > Audit, Fix and Be Merry,
> > ~š.
> >
> > > import-name="stdout" />
> >
>
> ~š.
>
~š.
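The two failures in this thread (a check `system` URI that is not the SCE one, then a script that is not where the rule's `href` points) can be caught before a scan is run. The following is an added example, not part of the original messages or of OpenSCAP's code; it assumes XCCDF 1.2 content with scripts referenced relative to the XCCDF file, and the rule ids 1403 and 1404, the sample benchmark, and the function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # assumption: XCCDF 1.2 content
SCE_SYSTEM = "http://open-scap.org/page/SCE"       # URI named in the thread
BAD_SYSTEM = ("http://wordpress-www-open-scap-org.b9ad.pro-us-east-1"
              ".openshiftapps.com/page/SCE")       # URI from the quoted rule

# Constructed sample: only the last rule is wired correctly.
SAMPLE = """<Benchmark xmlns="{ns}" id="xccdf_1_benchmark_1">
  <Rule id="xccdf_1_rule_1402" selected="true" severity="medium">
    <check system="{bad}"><check-content-ref href="scap_1402.sh"/></check>
  </Rule>
  <Rule id="xccdf_1_rule_1403" selected="true" severity="medium">
    <check system="{sce}"><check-content-ref href="missing.sh"/></check>
  </Rule>
  <Rule id="xccdf_1_rule_1404" selected="true" severity="medium">
    <check system="{sce}"><check-content-ref href="scap_1402.sh"/></check>
  </Rule>
</Benchmark>""".format(ns=XCCDF_NS, bad=BAD_SYSTEM, sce=SCE_SYSTEM)

def lint_sce_checks(xccdf_path):
    """Return (rule_id, problem) pairs for SCE checks that cannot run."""
    base = os.path.dirname(os.path.abspath(xccdf_path))
    problems = []
    for rule in ET.parse(xccdf_path).getroot().iter("{%s}Rule" % XCCDF_NS):
        for check in rule.iter("{%s}check" % XCCDF_NS):
            system = check.get("system", "")
            if system != SCE_SYSTEM:  # other engines are out of scope here
                if system.rstrip("/").endswith("/page/SCE"):  # SCE look-alike
                    problems.append((rule.get("id"), "wrong SCE system URI: " + system))
                continue
            for ref in check.iter("{%s}check-content-ref" % XCCDF_NS):
                href = ref.get("href", "")
                script = os.path.join(base, href)  # resolved next to the XCCDF file
                if not os.path.isfile(script):
                    problems.append((rule.get("id"), "script not found: " + href))
                elif not os.stat(script).st_mode & 0o111:
                    problems.append((rule.get("id"), "script not executable: " + href))
    return problems

def demo():  # writes the sample and one executable script to a temp dir, then lints
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("scap_1402.sh", "#!/bin/sh\nexit 0\n"), ("xccdf.xml", SAMPLE)):
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        os.chmod(os.path.join(d, "scap_1402.sh"), 0o755)
        return lint_sce_checks(os.path.join(d, "xccdf.xml"))
```

This lints the source XCCDF file and the scripts beside it; it does not inspect a composed datastream, where oscap looks for the script in its temporary unpack directory as described above.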
From ml+openscap at kcore.org Thu Apr 26 11:00:22 2018
From: ml+openscap at kcore.org (Jan De Luyck)
Date: Thu, 26 Apr 2018 13:00:22 +0200
Subject: [Open-scap] XCCDF / OVAL eval?
Message-ID: <1524740422.2873796.1351469976.49979628@webmail.messagingengine.com>
Hey list,
I'm probably looking at this from the wrong way, but I thought that if one would include oval statements in the XCCDF rules, you'd be able to use "oscap xccdf eval" - but that just returns a bunch of notchecked statements.
Or am I doing something wrong?
$ oscap xccdf eval test_xccdf.xml
Title Test 12345
Rule xccdf_test_rule_RULE-001001
Ident RULE-001001
Result notchecked
$ oscap oval eval test_oval.xml
Definition oval:com.test:def:1: true
Evaluation done.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_xccdf.xml
Type: text/xml
Size: 3705 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_oval.xml
Type: text/xml
Size: 2216 bytes
Desc: not available
URL:
From abergmann at suse.com Thu Apr 26 14:08:10 2018
From: abergmann at suse.com (Alexander Bergmann)
Date: Thu, 26 Apr 2018 16:08:10 +0200
Subject: [Open-scap] XCCDF / OVAL eval?
In-Reply-To: <1524740422.2873796.1351469976.49979628@webmail.messagingengine.com>
References: <1524740422.2873796.1351469976.49979628@webmail.messagingengine.com>
Message-ID: <20180426140810.bkpo72nq5b6v5uxk@intrepid>
Hi Jan,
if I'm not mistaken the problem lies inside the check system reference.
You have to point to the oval-definitions-5 and not to oval-common-5.
Furthermore the