Bash remediations failing due to missing functions
by Kuko Armas
I've been playing with remediation code, and I've seen that remediation code for many checks fails due to undefined functions such as "populate" (to populate defined variables) and "fix_audit_syscall_rule" (for audit checks).
I've seen that both functions (and many more) are defined inside the datasource, in group xccdf_org.ssgproject.content_group_remediation_functions.
Since I'm a complete newbie in openSCAP, I'm not sure how it should work:
* Is remediation code supposed to be self-contained in the data source? Or does it depend on the host having the security-guide package installed in order to have that functions code?
* If it's self-contained, how and where is the functions code file extracted and read by the remediation code?
* If it's extracted, is there an option to keep the temp files around to take a look?
* Maybe I need a more recent openscap version? (I'm using 1.2.17-4.el7 in CentOS 7)
* Should I file an issue on the ComplianceAsCode GitHub repo? Or am I doing something wrong?
Thanks a lot!
--
Miguel Armas
CanaryTek Consultoria y Sistemas SL
http://www.canarytek.com/
4 years, 4 months
Re: Define profile for centos7 derivative
by Gabe Alford
IIRC the ENS standard uses ISO 27001 which CentOS doesn't meet. In addition
if ISO/IEC 15408 is applied against ENS, CentOS does not meet this in any
way.
On Tue, Dec 10, 2019 at 3:33 AM Kuko Armas <kuko(a)canarytek.com> wrote:
>
> Hello, I'm starting to take a look at the SSG content repo in GitHub, and
> I tried to create a new profile for rhel7 for the Spanish ENS (National
> Security Scheme). But when I build the content, I get the new profile only
> on the rhel7 main product and not on the derivatives (centos7 and sl7).
>
> I also noticed that in the derivatives data source there are only two
> profiles: standard and pci-dss, none of the additional profiles are
> included. I guess it may be because in some profiles you really need rhel7
> and not a community release, because they are not certified, but as I
> understand in my case (ENS) centos is included in the hardening guides.
>
> What do I need to do if I want to include it in the derivatives?
>
> Salu2!
> --
> Miguel Armas
> CanaryTek Consultoria y Sistemas SL
> http://www.canarytek.com/
4 years, 4 months
Re: Define profile for centos7 derivative
by Jan Cerny
Hi Miguel,
The CentOS 7 content is created from the RHEL 7 content by a script
that replaces some values and removes some profiles.
If you want to add a new CentOS 7 profile, you need to add this profile
to RHEL 7 first by creating a profile file in the `/rhel7/profiles/`
directory.
Then, add the profile ID to the list in the `standard_profiles` variable in
ssg/constants.py on line 74.
You're correct that some profiles can't exist on CentOS because they
require a vendor-supported and/or certified system. If ENS doesn't
require that, then it should be OK to enable the ENS profile on CentOS.
Regards
On Tue, Dec 10, 2019 at 11:34 AM Kuko Armas <kuko(a)canarytek.com> wrote:
>
>
> Hello, I'm starting to take a look at the SSG content repo in GitHub, and I tried to create a new profile for rhel7 for the Spanish ENS (National Security Scheme). But when I build the content, I get the new profile only on the rhel7 main product and not on the derivatives (centos7 and sl7).
>
> I also noticed that in the derivatives data source there are only two profiles: standard and pci-dss, none of the additional profiles are included. I guess it may be because in some profiles you really need rhel7 and not a community release, because they are not certified, but as I understand in my case (ENS) centos is included in the hardening guides.
>
> What do I need to do if I want to include it in the derivatives?
>
> Salu2!
> --
> Miguel Armas
> CanaryTek Consultoria y Sistemas SL
> http://www.canarytek.com/
--
Jan Černý
Security Technologies | Red Hat, Inc.
4 years, 4 months
Define profile for centos7 derivative
by Kuko Armas
Hello, I'm starting to take a look at the SSG content repo in GitHub, and I tried to create a new profile for rhel7 for the Spanish ENS (National Security Scheme). But when I build the content, I get the new profile only on the rhel7 main product and not on the derivatives (centos7 and sl7).
I also noticed that in the derivatives data source there are only two profiles: standard and pci-dss, none of the additional profiles are included. I guess it may be because in some profiles you really need rhel7 and not a community release, because they are not certified, but as I understand in my case (ENS) centos is included in the hardening guides.
What do I need to do if I want to include it in the derivatives?
Salu2!
--
Miguel Armas
CanaryTek Consultoria y Sistemas SL
http://www.canarytek.com/
4 years, 4 months