SCAP Platform Applicability
by Lesley Kimmel
I just downloaded the RHEL7 SCAP content and was 'playing' with it on a CentOS 6 system. I found that in order to make the checks run I needed to add 'cpe:/o:centos:centos:6' in a <platform> tag near the beginning of the XCCDF component. I found this, in part, from various posts on the interwebs. I'm really curious how this validation occurs and where the information comes from on the target OS. Can anyone give me insight into this issue?
Thanks,
-Les
9 years, 4 months
RHEL7 Content Status
by Lesley Kimmel
I noticed, in running the RHEL7 data stream, that there were many checks with status 'notchecked'. Inspecting the data stream document I see that several of the check references in the XCCDF refer to checks that do not exist in the OVAL. Is this a known deficiency? I assume that the RHEL7 content is still being refined.
PS: I'd love to get involved in this project but I'm really just getting exposed to SCAP and trying to really understand the interrelationships between the various SCAP components. Does anyone have a really concise reference to get me started?
Thanks,
Les
9 years, 4 months
Running RHEL checks on CentOS
by Nathanael D. Noblet
Hello,
I've been looking at how to run the RHEL checks against CentOS
machines and, as I'm very much new to the SCAP world, I'm not making much
progress. I've been on IRC as gnat42 and have received quite a bit of
help there. Ultimately I have two goals.
#1) Become more proficient at setting up servers in a secure manner that
can be easily audited. I'm looking at a few different tools for this,
openscap / scap-workbench being in the mix.
#2) Run the checks against CentOS the same as RHEL.
#3) Be able to test a system against "approved security standards".
There are the guides from scap-security-guide. However there's PCI, HIPAA
and various others that would be nice to be able to use if possible. I'm
guessing I need to be better at #1 before I can do this, as I'm still
learning all the different file formats.
So for now #1 & #2 are my focus. How can I run the SSG basic profiles
against a CentOS (v6 or v7) machine? I'm fine running them directly on
the machines or through scap-workbench via a Fedora 21 workstation. I'm
proficient at rebuilding packages if that will help. I'm fairly well
experienced with Linux but not with high-end enterprise certifications /
infrastructure requirements etc.
Thanks in advance for any help!
--
Nathanael
9 years, 4 months
Configuration testing vs Forensic testing
by Steve Grubb
Hello,
I think there is a problem in the SSG content. I think that the current
content is intended to check the system configuration. This would be done by
examining the files on disk to warn about changes or things that are
misconfigured. There is also another category of testing, forensics,
which checks the ephemeral / current values being enforced. Both are necessary
and useful, but they should not be mixed.
Some examples to illustrate the point:
Forensic                          Configuration
-----------------------------------------------------------------
auditctl -l                    vs cat /etc/audit/audit.rules
mount                          vs cat /etc/fstab
sysctl -a                      vs cat /etc/sysctl.conf
service ip6tables status       vs chkconfig ip6tables --list
All these need to be changed in the prose to better express what the SCAP tool
is actually checking. IOW, you can get different results by hand than the tool
itself would report.
This really needs to be addressed before anyone else uses SSG as the basis of
their own recommendations. Again, forensic checking is useful and I would say
content should be specifically designed with that in mind. But it is not what
should be in a baseline.
Thanks,
-Steve
9 years, 4 months
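The sysctl row of Steve's table, worked through as an added example (not code from the list or from the SSG project): a configuration check reads /etc/sysctl.conf, a forensic check reads what `sysctl -a` reports the running kernel enforcing, and the two can disagree. Both inputs below are constructed samples so the script runs offline; on a real host you would feed the real file and the real `sysctl -a` output instead.

```shell
#!/bin/sh
# Constructed sample of the on-disk configuration (what a baseline check reads).
SAMPLE_CONF=$(cat <<'EOF'
# hardening settings
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
kernel.randomize_va_space = 2
EOF
)

# Constructed sample of `sysctl -a` output (what a forensic check reads).
# ip_forward was flipped at runtime, so the file and the kernel disagree.
SAMPLE_LIVE=$(cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
kernel.randomize_va_space = 2
fs.protected_hardlinks = 1
EOF
)

# get_value KEY TEXT: print the value of KEY from "key = value" lines,
# skipping comments and blank lines; prints nothing if KEY is absent.
get_value() {
  printf '%s\n' "$2" | awk -F'=' -v k="$1" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    { gsub(/[[:space:]]/, "", $1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2) }
    $1 == k { print $2; exit }'
}

# compare_sysctl CONF LIVE: for every key the configuration file sets, print a
# DRIFT line when the running kernel value differs (or is unset), then a summary.
compare_sysctl() {
  conf="$1"; live="$2"; drift=0
  keys=$(printf '%s\n' "$conf" | awk -F'=' \
    '!/^[[:space:]]*(#|$)/ { gsub(/[[:space:]]/, "", $1); print $1 }')
  for key in $keys; do
    want=$(get_value "$key" "$conf")
    have=$(get_value "$key" "$live")
    if [ "$want" != "$have" ]; then
      printf 'DRIFT %s configured=%s running=%s\n' "$key" "$want" "${have:-<unset>}"
      drift=$((drift + 1))
    fi
  done
  printf 'drifted=%s\n' "$drift"
}

compare_sysctl "$SAMPLE_CONF" "$SAMPLE_LIVE"
```

A pass against the file alone would report the host compliant; only the comparison against the live values exposes the runtime change, which is the difference between the two columns of the table.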