[Open-scap] Using the 'STIG ID' value to identify a rule

Lemons, Terry Terry.Lemons at dell.com
Fri May 21 18:18:53 UTC 2021 

Internal Use - Confidential

Hi

Wow, this is a great resource! Thank you very much for sharing it! This will be a huge help to my team, and will save us a lot of manual mapping time.

My first question is about format. What you attached is delivered to me as an html file with this format. I'm wondering if this is what you sent, or if it was changed by my company's email protection system. What say you?

[cid:image001.jpg at 01D74E4C.39434570]

Second, are you planning to make this file available as a routine download, available for everyone?

Thanks again!
tl

From: open-scap-list-bounces at redhat.com<mailto:open-scap-list-bounces at redhat.com> <open-scap-list-bounces at redhat.com<mailto:open-scap-list-bounces at redhat.com>> On Behalf Of Vojtech Polasek
Sent: Tuesday, May 18, 2021 3:35 AM
To: open-scap-list at redhat.com<mailto:open-scap-list at redhat.com>
Subject: Re: [Open-scap] Using the 'STIG ID' value to identify a rule


[EXTERNAL EMAIL]

Hello Terry,

Alex is probably right. This is afaik not supported in Openscap. But maybe I can help you with the mapping. We are generating a table which I attach during the build process of the content  for each product. It shows mapping of references to rules. Maybe this is something you can start with.

I hope it helps,

Vojta


Dne 18. 05. 21 v 9:20 Alexander Bergmann napsal(a):

Hi Terry,



>From what I see inside the 'oscap-xccdf.c' functions [1] there is no way

to select anything else than the rule itself. So yes, your team would

need to implement a mapping between the STIG ID and the rule name

outside of the scap-security-guide profile.



Regards,

Alex~



[1] https://github.com/OpenSCAP/openscap/blob/maint-1.3/utils/oscap-xccdf.c [github.com]<https://urldefense.com/v3/__https:/github.com/OpenSCAP/openscap/blob/maint-1.3/utils/oscap-xccdf.c__;!!LpKI!0KlfNz5teRWcCGukU3oNEOoO4R4cOEUJHDLcz3nDa2XEcOVSP7OGQaXjqUWEEK7z$>



On Mon, May 17, 2021 at 07:39:21PM +0000, Lemons, Terry wrote:

Internal Use - Confidential



Hi Alex



Thanks very much for this informative reply!



So, am I correct in understanding that it is not possible to select a rule via any mechanism other than the rule's 'Rule ID' value, as in below:



oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_ftp_present_banner --profile xccdf_org.ssgproject.content_profile_stig /tmp/scap-security-guide-0.1.55/ssg-sle12-ds.xml

WARNING: Datastream component 'scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.12.xml' points out to the remote 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml [ftp.suse.com]<https://urldefense.com/v3/__https:/ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml__;!!LpKI!0KlfNz5teRWcCGukU3oNEOoO4R4cOEUJHDLcz3nDa2XEcOVSP7OGQaXjqaQUV511$>'. Use '--fetch-remote-resources' option to download it.

WARNING: Skipping 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml [ftp.suse.com]<https://urldefense.com/v3/__https:/ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.12.xml__;!!LpKI!0KlfNz5teRWcCGukU3oNEOoO4R4cOEUJHDLcz3nDa2XEcOVSP7OGQaXjqaQUV511$>' file which is referenced from datastream

WARNING: Skipping ./pub-projects-security-oval-suse.linux.enterprise.12.xml file which is referenced from XCCDF content

Title   Create Warning Banners for All FTP Users

Rule    xccdf_org.ssgproject.content_rule_ftp_present_banner

Ident   CCE-83059-6

Result  pass



If so, then to meet my team's needs, we'll need to create a manual mapping between the SLES 12 STIG ID values that we know and the OpenSCAP 'Rule ID' value that implements the check and fix for that rule; true?



Thanks!

tl





-----Original Message-----

From: Alexander Bergmann <abergmann at suse.com><mailto:abergmann at suse.com>

Sent: Monday, May 17, 2021 11:58 AM

To: Lemons, Terry

Cc: open-scap-list at redhat.com<mailto:open-scap-list at redhat.com>

Subject: Re: [Open-scap] Using the 'STIG ID' value to identify a rule



Hi Terry,



I haven't checked the code in detail (yet), but as far as I can tell there is now way to select a rule via a present reference.



The STIG ID is listed as a reference inside the Rule statement itself.

>From the technical point it should be possible to implement such a feature inside OpenSCAP, but I'm not sure if this is desirable. A reference is simply not a clear identifier. Some references will also be used several times in different rules.



<xccdf-1.2:Rule id="xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported" selected="false" severity="high"> ...

  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux" [public.cyber.mil]<https://urldefense.com/v3/__https:/public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems*2Cunix-linux__;JQ!!LpKI!0KlfNz5teRWcCGukU3oNEOoO4R4cOEUJHDLcz3nDa2XEcOVSP7OGQaXjqdpbuoLq$>>SLES-12-010000</xccdf-1.2:reference>

...

</xccdf-1.2:Rule>



>From the SCAP point of view, STIG is only one profile of many.



Maybe one way to explore would be the use of CCEs as a direct rule identifier. We assign CCEs to each STIG requirement 1:1 and they are listed inside the OpenSCAP output.



Title   The Installed Operating System Is Vendor Supported

Rule xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported

Ident   CCE-83001-8

Result  pass



So may that would be something for a future release.





Regards,

Alex~



On Fri, May 14, 2021 at 05:45:59PM +0000, Lemons, Terry wrote:

Internal Use - Confidential



Hi



I recently learned about OpenSCAP, and it seems to fill a need in my team. My team needs to address (close) all of the rules in the SLES 12 STIG on our product. It seems that using oscap, along with the most-recent 'scap-security-guide' (which appears to cover 146 SLES 12 STIG rules), will allow me to see which rules are open ('oscap xccdf eval') and to implement changes to close those rules ('oscap xccdf eval -remediate').



I know that I can use the '-rule' option to specify the name of a single rule to evaluate or remediate.



Our group identifies rules to be fixed, in our work management system and other systems, by the SLES 12 STIG 'STIG ID' value (ex., SLES-12-010000). I tried to use this value in the '-rule' option, and it failed to identify/find that rule.



How can I make oscap operate on a rule identified by 'STIG ID' value (or, even better, on a file containing a list of 'STIG ID' rules?



Thanks!

tl



Terry Lemons



[DellEMC_Logo_Hz_Blue_rgb_10percent]

Data Management

Infrastructure Solutions Group



176 South Street, MS 2/B-34

Hopkinton MA 01748

terry.lemons at dell.com<mailto:terry.lemons at dell.com><mailto:terry.lemons at dell.com><mailto:terry.lemons at dell.com>









_______________________________________________

Open-scap-list mailing list

Open-scap-list at redhat.com<mailto:Open-scap-list at redhat.com>

https://listman.redhat.com/mailman/listinfo/open-scap-list [listman.redhat.com]<https://urldefense.com/v3/__https:/listman.redhat.com/mailman/listinfo/open-scap-list__;!!LpKI!0KlfNz5teRWcCGukU3oNEOoO4R4cOEUJHDLcz3nDa2XEcOVSP7OGQaXjqSHI2E-R$>





--

Alexander Bergmann <abergmann at suse.com><mailto:abergmann at suse.com>

Security Engineer, GPG: E30A 65A4 0F50 0066 B2B5  F614 DE54 E875 9FFA 4886 SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nuremberg, Germany (HRB 36809, AG Nürnberg) Managing Director: Felix Imendörffer






_______________________________________________

Open-scap-list mailing list

Open-scap-list at redhat.com<mailto:Open-scap-list at redhat.com>

https://listman.redhat.com/mailman/listinfo/open-scap-list [listman.redhat.com]<https://urldefense.com/v3/__https:/listman.redhat.com/mailman/listinfo/open-scap-list__;!!LpKI!0KlfNz5teRWcCGukU3oNEOoO4R4cOEUJHDLcz3nDa2XEcOVSP7OGQaXjqSHI2E-R$>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20210521/140ebe41/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 83228 bytes
Desc: image001.jpg
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20210521/140ebe41/attachment.jpg>

More information about the Open-scap-list mailing list