[Open-scap] OpenSCAP for embedded/network devices

Shawn Wells shawn at redhat.com
Mon Jan 8 23:08:33 UTC 2018



On 1/8/18 4:19 PM, Lee Wilson wrote:
>
> Hi Watson,
>
> Thanks for your detailed reply and apologies for my delay in
> responding.  Went off to look for something else that may do the job.
>
> The link that Eric has provided was initially what got me thinking
> about using OpenSCAP to do this task; it's a real shame the approach of
> needing an agent was taken.
>
> Interestingly enough though, we've started looking into Ansible
> (another Red Hat sponsored project) and that does have some support for
> appliance type devices (if not exactly perfect) as it is principally
> agentless (as long as python exists somewhere).  My scope has also
> expanded from just Cisco to also include F5, Palo Alto and other
> network appliance vendors.
>
> In my original reply, I gave a rough list of tasks that perhaps could
> be run to achieve what's needed (and it looks very similar to a list of
> Plays).  Having reviewed Ansible, I'm thinking: could those "Plays" be
> put into an Ansible Playbook and have it go and gather all the
> required info, for example running 'show version' or 'show run logging'
> against a network device, format this in the required results format
> that oscap expects and then invoke it to generate the report?
>
> Really keen to not reinvent the wheel here but I'm probably way out on
> a limb. If this isn't possible maybe us Network Engineers will just
> need to fork OpenSCAP and make it work without an agent... something
> tells me this won't be happening any time soon 😉
>
> Thanks again
>

OpenSCAP is a tool, SCAP is the content language.

Today OpenSCAP does not work on Cisco/networking devices, but there are
other SCAP tools that do. One of the better known ones is jOVAL:
https://jovalcm.com/

SCAP Security Guide could still house content for evaluating Cisco IOS
and JunOS... but you'd have to use something like jOVAL to scan your
endpoints.

Alternatively, there are new projects standing up that will ship Ansible
content that may be of interest to you.
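An added example (not code from either poster or from OpenSCAP/SSG) of the evaluation step in the pipeline Lee sketches: output captured by an Ansible task running 'show run logging' on an IOS device is checked against a small rule set, with the result per rule recorded as pass/fail. The sample config text and the rules are constructed for illustration; mapping the results into an XCCDF/ARF document for oscap is not shown.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what an Ansible task capturing
# "show running-config | include logging" might return from an IOS device.
# It is made up for this example, not taken from a real device.
SAMPLE_SHOW_RUN_LOGGING = """\
logging buffered 64000 informational
logging trap informational
logging source-interface Loopback0
logging host 192.0.2.10
logging host 192.0.2.11
"""

# Illustrative rules (assumed, not from any SCAP benchmark):
# (rule id, regex that must match at least one config line).
RULES: List[Tuple[str, str]] = [
    ("logging_buffered_enabled",  r"^logging buffered \d+"),
    ("logging_trap_level_set",    r"^logging trap \S+"),
    ("remote_syslog_host_set",    r"^logging host \S+"),
    ("console_logging_disabled",  r"^no logging console"),
]


def evaluate(show_output: str, rules=RULES) -> Dict[str, str]:
    """Return {rule_id: 'pass' | 'fail'} for the captured config text."""
    lines = [ln.strip() for ln in show_output.splitlines() if ln.strip()]
    results: Dict[str, str] = {}
    for rule_id, pattern in rules:
        matched = any(re.match(pattern, ln) for ln in lines)
        results[rule_id] = "pass" if matched else "fail"
    return results


def syslog_hosts(show_output: str) -> List[str]:
    """List the remote syslog destinations configured on the device."""
    return re.findall(r"^logging host (\S+)", show_output, flags=re.MULTILINE)


def count_failures(show_output: str) -> int:
    """Number of failing rules; a non-zero value means the device is out of policy."""
    return sum(1 for r in evaluate(show_output).values() if r == "fail")


if __name__ == "__main__":
    for rule_id, result in evaluate(SAMPLE_SHOW_RUN_LOGGING).items():
        print(f"{result.upper():4} {rule_id}")
    print("syslog hosts:", syslog_hosts(SAMPLE_SHOW_RUN_LOGGING))
```

With the sample config, every rule passes except `console_logging_disabled`, since no `no logging console` line was captured.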