scap-security-guide January 2015

scap-security-guide@lists.fedorahosted.org

13 participants
14 discussions

SCAP Platform Applicability
by Lesley Kimmel 10 Jan '15

10 Jan '15

I just downloaded the RHEL7 SCAP content and was 'playing' with it on a CentOS 6 system. I found that in order to make the checks run I needed to add 'cpe:/o:centos:centos:6' in a <platform> tag near the beginning of the XCCDF component. I found this, in part, from various posts on the interwebs. I'm really curious how this validation occurs and where the information comes from on the target OS. Can anyone give me insight to this issue? Thanks, -Les

3 3

RHEL7 Content Status
by Lesley Kimmel 09 Jan '15

09 Jan '15

I noticed, in running the RHEL7 data stream, that there were many checks with status 'notchecked'. Inspecting the data stream document I see that several of the check references in the XCCDF refer to checks that do not exist in the OVAL. Is this a known deficiency? I assume that the RHEL7 content is still being refined. PS- I'd love to get involved in this project but I'm really just getting exposed to SCAP and trying to really understand the interrelationships between the various SCAP components. Does anyone have a really concise reference to get me started? Thanks, Les

2 1

Running RHEL checks on CentOS
by Nathanael D. Noblet 08 Jan '15

08 Jan '15

Hello, I've been looking at how to run the rhel checks against centos machines and as I'm very much new to the SCAP world not making much progress. I've been on IRC as gnat42 and have received quite a bit of help there. Ultimately I have two goals. #1) Become more proficient at setting up servers in a secure manner that can be easily audited. I'm looking at a few different tools for this openscap / scap-workbench being in the mix. #2) Run the checks against Centos the same as RHEL. #3) Be able to test a system against "approved security standards". There are the guides from scap-security-guide. However there's PCI,HIPAA and various others that would be nice to be able to use if possible. I'm guessing I need to be better at #1 before I can do this. As I'm still learning all the different file formats. So for now #1 & #2 are my focus. How can I run the SSG basic profiles against a Centos (v6 or v7) machine? I'm fine running them directly on the machines or through scap-workbench via a Fedora 21 workstation. I'm proficient at rebuilding packages if that will help. I'm fairly well experienced with linux but not with high-end enterprise certifications / infrastructure requirements etc... Thanks in advance for any help! -- Nathanael

2 1

Configuration testing vs Forensic testing
by Steve Grubb 07 Jan '15

07 Jan '15

Hello, I think there is a problem in the SSG content. I think that the current content is intended to check the system configuration. This would be done by examining the files on disk to warn about changes or thing that are misconfigured. There is also another category of testing that is forensics which checks the ephemeral / current values being enforced. Both are necessary and useful, but they should not be mixed. Some examples to illustrate the point: Forensic Configuration ----------------------------------------------------------------- auditctl -l vs cat /etc/audit/audit.rules mount vs cat /etc/fstab sysctl -a vs cat/etc/sysctl.conf service ip6tables status vs chkconfig ip6tables --list All these need to be changed in the prose to better express what the SCAP tool is actually checking. IOW, you can get different results by hand than the tool itself would report. This really needs to be addressed before anyone else uses SSG as the basis of their own recommendations. Again, forensic checking is useful and I would say content should be specifically designed with that in mind. But it is not what should be in a baseline. Thanks, -Steve

5 15

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide January 2015