[Open-scap] OpenSCAP for embedded/network devices

Šimon Lukašík slukasik at redhat.com
Tue Jan 9 09:51:42 UTC 2018


On 01/08/2018 10:19 PM, Lee Wilson wrote:
> 
> Hi Watson,
> 
> 
> Thanks for your detailed reply and apologies for my delay in
> responding.  Went off to look for something else that may do the job.
> 
> 
> The link that Eric has provided was initially what got me thinking about
> using OpenSCAP to do this task; it's a real shame the approach of needing
> an agent was taken.
> 

Thank you for your feedback, sir!

But, come on! :-)

I wouldn't call this a "real shame". Many design decisions are just dumb,
I'll grant you that. However, in this particular case (to have an
agent-less scanner or not), neither decision was particularly dumb.
So, please don't call it a "real shame" (or explain).

I can hint that a compromise had to be made between usability on things
like Cisco devices, versus resource consumption, versus interoperability.
If you allow yourself to study the SCAP standard more in depth, I am sure
you will comprehend.

I think we can celebrate that the open-source world offers a choice in this
regard for the end user. We have openscap and joval!

Best,
~š.

> 
> Interestingly enough though, we've started looking into Ansible (another
> Red Hat-sponsored project) and that does have some support for appliance
> type devices (if not exactly perfect) as it is principally agentless (as
> long as python exists somewhere).  My scope has also expanded from just
> Cisco to also include F5, Palo Alto and other network appliance vendors.
> 
> 
> In my original reply, I gave a rough list of tasks that perhaps could be
> run to achieve what's needed (and it looks very similar to a list of
> Plays).  Having reviewed Ansible, I'm thinking: could those "Plays" be put
> into an Ansible Playbook and have it go and gather all the required info,
> for example running 'show version' or 'show run logging' against a
> network device, format this in the required results format that oscap
> expects, and then invoke it to generate the report?
> 
> 
> Really keen to not reinvent the wheel here, but I'm probably way out on a
> limb. If this isn't possible, maybe us Network Engineers will just need
> to fork OpenSCAP and make it work without an agent... something tells
> me this won't be happening any time soon 😉
> 
> 
> Thanks again
> 
> 
> Lee
> 
> 
> ------------------------------------------------------------------------
> *From:* Watson Yuuma Sato <wsato at redhat.com>
> *Sent:* 16 March 2017 13:14
> *To:* Eric Holtzclaw; Lee Wilson; open-scap-list at redhat.com
> *Subject:* Re: [Open-scap] OpenSCAP for embedded/network devices
>  
> On 15/03/17 17:24, Eric Holtzclaw wrote:
>>
>> You do have support for Cisco
>> http://www.cisco.com/c/en/us/about/security-center/oval-security-automation.html
>>
>>
> 
> I see that Cisco provides OVAL content to scan their devices, and even
> provides an example of how to do so, but using joval, which can perform
> remote scanning without installation of any agent.
> 
> I still don't see how to scan Cisco devices with OpenSCAP. Am I missing
> something?
> 
> -- 
> Watson Sato
> Security Technologies | Red Hat, Inc
> 
> 
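Lee's outline above (gather command output with a playbook task, evaluate it offline, format the verdicts for a reporting tool) as an added example that is not part of this thread and is not code from OpenSCAP, Ansible or joval. The `show version` and `show run | include logging` captures are constructed sample text, the policy values are hypothetical, and the output document is a simplified results format of my own, not the OVAL/XCCDF results schema that oscap consumes. The version check compares IOS version segments numerically rather than as strings, which is the mistake that makes "15.2" sort above "15.10".

```python
"""Offline evaluation of captured Cisco IOS command output (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample captures, standing in for what a playbook task would
# collect from 'show version' and 'show run | include logging'.
SHOW_VERSION = (
    "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
    "Version 15.0(2)SE11, RELEASE SOFTWARE (fc3)\n"
    "Technical Support: http://www.cisco.com/techsupport\n"
)
SHOW_RUN_LOGGING = (
    "logging buffered 64000\n"
    "logging host 192.0.2.10\n"
)

# Hypothetical policy: a minimum image version and at least one remote syslog host.
POLICY = {"min_version": "15.0(2)SE10", "require_logging_host": True}

# IOS version token: major.minor(maintenance)TRAIN rebuild, e.g. 15.0(2)SE11
TOKEN_RE = r"(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)"


def _to_version(m):
    """Turn a regex match of TOKEN_RE into ((major, minor, maint), train, rebuild)."""
    major, minor, maint, train, rebuild = m.groups()
    return (int(major), int(minor), int(maint)), train, int(rebuild or 0)


def parse_version_token(token):
    """Parse a bare version string such as '15.0(2)SE10'; None if malformed."""
    m = re.fullmatch(TOKEN_RE, token)
    return _to_version(m) if m else None


def parse_ios_version(show_version_text):
    """Locate the 'Version ...' token inside 'show version' output."""
    m = re.search(r"Version " + TOKEN_RE, show_version_text)
    return _to_version(m) if m else None


def version_at_least(found, minimum):
    """Segment-wise numeric comparison. Versions from different trains
    (e.g. SE vs EX) are not comparable, so return None for 'unknown'."""
    f_num, f_train, f_rebuild = found
    m_num, m_train, m_rebuild = minimum
    if f_train != m_train:
        return None
    return (f_num, f_rebuild) >= (m_num, m_rebuild)


def logging_hosts(show_run_text):
    """Remote syslog destinations configured with 'logging host <addr>'."""
    return re.findall(r"^logging host (\S+)", show_run_text, re.MULTILINE)


def evaluate(show_version_text, show_run_text, policy):
    """Evaluate the captured output against the policy; returns check verdicts."""
    results = []
    found = parse_ios_version(show_version_text)
    if found is None:
        results.append({"id": "ios-min-version", "result": "error"})
    else:
        ok = version_at_least(found, parse_version_token(policy["min_version"]))
        verdict = "unknown" if ok is None else ("pass" if ok else "fail")
        results.append({"id": "ios-min-version", "result": verdict})
    if policy["require_logging_host"]:
        verdict = "pass" if logging_hosts(show_run_text) else "fail"
        results.append({"id": "remote-syslog-configured", "result": verdict})
    return results


def to_results_xml(device, results):
    """Serialise verdicts into a simplified (non-OVAL) results document."""
    root = ET.Element("device_results", name=device)
    for r in results:
        ET.SubElement(root, "check", id=r["id"], result=r["result"])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_results_xml("switch01", evaluate(SHOW_VERSION, SHOW_RUN_LOGGING, POLICY)))
```

In a real pipeline the two captures would arrive as registered variables from a playbook task per device, and the serialiser would have to emit the schema the consuming tool actually validates; the evaluation logic in the middle is the part that does not change.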
