I've been playing with remediation code, and I've seen that remediation code for many checks fails due to undefined functions such as "populate" (to populate defined variables) and "fix_audit_syscall_rule" (for audit checks).
I've seen that both functions (and many more) are defined inside the datasource, in group xccdf_org.ssgproject.content_group_remediation_functions.
Since I'm a complete newbie in openSCAP, I'm not sure how it should work:
* Is remediation code supposed to be self-contained in the data source? Or does it depend on the host having the security-guide package installed in order to have those functions' code?
* If it's self contained, how and where are the functions code file extracted and read by remediation code?
* If it's extracted, is there an option to keep the temp files around to take a look?
* Maybe I need a more recent openscap version? (I'm using 1.2.17-4.el7 in CentOS 7)
* Should I file an issue on ComplianceAsCode GitHub repo? Or am I doing something wrong?
Thanks a lot!
--
Miguel Armas
CanaryTek Consultoria y Sistemas SL
http://www.canarytek.com/
IIRC the ENS standard uses ISO 27001 which CentOS doesn't meet. In addition
if ISO/IEC 15408 is applied against ENS, CentOS does not meet this in any
way.
On Tue, Dec 10, 2019 at 3:33 AM Kuko Armas <kuko(a)canarytek.com> wrote:
>
> Hello, I'm starting to take a look at the SSG content repo in GitHub, and
> I tried to create a new profile for rhel7 for the Spanish ENS (National
> Security Scheme). But when I build the content, I get the new profile only
> on the rhel7 main product and not on the derivatives (centos7 and sl7).
>
> I also noticed that in the derivatives data source there are only two
> profiles: standard and pci-dss, none of the additional profiles are
> included. I guess it may be because in some profiles you really need rhel7
> and not a community release, because they are not certified, but as I
> understand in my case (ENS) centos is included in the hardening guides.
>
> What do I need to do if I want to include it in the derivatives?
>
> Salu2!
> --
> Miguel Armas
> CanaryTek Consultoria y Sistemas SL
> http://www.canarytek.com/
Hi Miguel,
The CentOS 7 content is created from the RHEL 7 content by a script
that replaces some values and removes some profiles.
If you want to add a new CentOS 7 profile, you need to add this profile
to RHEL 7 first by creating a profile file in the `/rhel7/profiles/`
directory.
Then, add the profile ID to the list in the `standard_profiles` variable in
ssg/constants.py on line 74.
You're correct that some profiles can't exist on CentOS because they
require a vendor-supported and/or certified system. If ENS doesn't
require that, then it should be OK to enable the ENS profile on CentOS.
Regards
On Tue, Dec 10, 2019 at 11:34 AM Kuko Armas <kuko(a)canarytek.com> wrote:
>
>
> Hello, I'm starting to take a look at the SSG content repo in GitHub, and I tried to create a new profile for rhel7 for the Spanish ENS (National Security Scheme). But when I build the content, I get the new profile only on the rhel7 main product and not on the derivatives (centos7 and sl7).
>
> I also noticed that in the derivatives data source there are only two profiles: standard and pci-dss, none of the additional profiles are included. I guess it may be because in some profiles you really need rhel7 and not a community release, because they are not certified, but as I understand in my case (ENS) centos is included in the hardening guides.
>
> What do I need to do if I want to include it in the derivatives?
>
> Salu2!
> --
> Miguel Armas
> CanaryTek Consultoria y Sistemas SL
> http://www.canarytek.com/
--
Jan Černý
Security Technologies | Red Hat, Inc.
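As an added example (not code from the SSG project or from this thread), a Python check that compares the profiles in a main-product benchmark with those in its derivative, following the allow-list behaviour described in the reply above. The `ens` profile ID, the sample XML and the local `STANDARD_PROFILES` list are constructed, and treating profiles outside the list as the removed ones is an assumption drawn from the reply.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# Assumption: built content prefixes profile IDs this way; sources use the short ID.
PROFILE_PREFIX = "xccdf_org.ssgproject.content_profile_"

# Constructed stand-in for the `standard_profiles` list mentioned in the reply;
# "ens" is a hypothetical ID for the new profile.
STANDARD_PROFILES = ["standard", "pci-dss", "ens"]


def _benchmark(short_ids):
    """Build a minimal, constructed XCCDF benchmark holding the given profiles."""
    profiles = "".join(
        '<Profile id="%s%s"><title>%s</title></Profile>' % (PROFILE_PREFIX, p, p)
        for p in short_ids)
    return '<Benchmark xmlns="%s" id="sample">%s</Benchmark>' % (XCCDF_NS, profiles)


# Constructed samples, not real build output: the derivative was built
# before "ens" was added to the allow-list.
RHEL7_SAMPLE = _benchmark(["standard", "pci-dss", "ospp", "ens"])
CENTOS7_SAMPLE = _benchmark(["standard", "pci-dss"])


def profile_ids(xccdf_xml):
    """Return the short profile IDs found anywhere in an XCCDF 1.2 document."""
    root = ET.fromstring(xccdf_xml)
    ids = []
    for prof in root.iter("{%s}Profile" % XCCDF_NS):
        pid = prof.get("id", "")
        ids.append(pid[len(PROFILE_PREFIX):] if pid.startswith(PROFILE_PREFIX) else pid)
    return ids


def derivative_report(main_xml, derived_xml, allowed):
    """Classify each main-product profile by its state in the derivative."""
    derived = set(profile_ids(derived_xml))
    report = {}
    for pid in profile_ids(main_xml):
        if pid in derived:
            report[pid] = "present"
        elif pid in allowed:
            report[pid] = "allowed but missing (stale build?)"
        else:
            report[pid] = "removed (not in allow-list)"
    return report


if __name__ == "__main__":
    for pid, state in derivative_report(RHEL7_SAMPLE, CENTOS7_SAMPLE, STANDARD_PROFILES).items():
        print("%-10s %s" % (pid, state))
```
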
Hello, I'm starting to take a look at the SSG content repo in GitHub, and I tried to create a new profile for rhel7 for the Spanish ENS (National Security Scheme). But when I build the content, I get the new profile only on the rhel7 main product and not on the derivatives (centos7 and sl7).
I also noticed that in the derivatives data source there are only two profiles: standard and pci-dss, none of the additional profiles are included. I guess it may be because in some profiles you really need rhel7 and not a community release, because they are not certified, but as I understand in my case (ENS) centos is included in the hardening guides.
What do I need to do if I want to include it in the derivatives?
Salu2!
--
Miguel Armas
CanaryTek Consultoria y Sistemas SL
http://www.canarytek.com/