Hello all,
Is there any way to load a set of customizations into scap-workbench, make some additional tweaks, and then output *only* the customizations themselves (old + new changes)? Every time I’ve tried to do this I wind up with effectively the entire profile with my customizations overriding the original profile settings. To get around this I have my ‘gold’ customization file, and then for anything other than a trivial modification I create a brand new customization and manually cut/paste my customization back into my gold file. Painful.
And next - I’d posted a year or so ago in the ‘open-scap’ mailing list asking if there was a reliable/good way to compare baselines (example - C2S vs stig-rhel7-disa, or a tailoring file against the reference). Seems to me to be a glaring missing feature. I started to write a comparison tool for my own use and have a very clunky python script to do it. I’d planned (and received permission from management) to release that back to the community (under the BSD 3-clause to match scap-security-guide) but got very side-tracked at work. Had to revisit it and realized just how clunky it is. Unless there is an accepted way to do this I’ll try to find time to clean it up and post it.
-Rob
-- ROBERT SANDERS Sr. Secure Systems Engineer
FORCEPOINT T +1.703.896.4762 F +1.703.318.5041 www.forcepoint.com
FORWARD WITHOUT FEAR
On Tue, Sep 17, 2019 at 1:50 PM Sanders, Robert rsanders@forcepoint.com wrote:
Hello all,
Is there any way to load a set of customizations into scap-workbench, make some additional tweaks, and then output *only* the customizations themselves (old + new changes)? Every time I’ve tried to do this I wind up with effectively the entire profile with my customizations overriding the original profile settings. To get around this I have my ‘gold’ customization file, and then for anything other than a trivial modification I create a brand new customization and manually cut/paste my customization back into my gold file. Painful.
I think that the only way is to use a tailoring profile to keep what is in the original set.
And next - I’d posted a year or so ago in the ‘open-scap’ mailing list asking if there was a reliable/good way to compare baselines (example - C2S vs stig-rhel7-disa, or a tailoring file against the reference). Seems to me to be a glaring missing feature. I started to write a comparison tool for my own use and have a very clunky python script to do it. I’d planned (and received permission from management) to release that back to the community (under the BSD 3-clause to match scap-security-guide) but got very side-tracked at work. Had to revisit it and realized just how clunky it is. Unless there is an accepted way to do this I’ll try to find time to clean it up and post it.
There is a ticket https://github.com/OpenSCAP/openscap/issues/1302 to add this feature into OpenSCAP, but there hasn't been much traction on it unfortunately. Of course, contributions are always welcome!
-Rob
--
*ROBERT SANDERS*
Sr. Secure Systems Engineer
*FORCEPOINT*
T +1.703.896.4762
F +1.703.318.5041
www.forcepoint.com
*FORWARD WITHOUT FEAR*
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
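The comparison asked about above (a tailoring file against its reference profile), sketched as an added example that is not code from any poster, from OpenSCAP or from scap-security-guide. It assumes XCCDF 1.2 files, handles only `select`, `refine-value` and `set-value` children of a `Profile`, treats `refine-value` and `set-value` for the same value as one setting where the later entry wins, and does not follow `extends` chains inside the benchmark; all ids and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET  # inputs assumed to be trusted local files

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed samples: a one-profile benchmark and a tailoring file extending it.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Profile id="xccdf_org.example_profile_base">
    <select idref="xccdf_org.example_rule_a" selected="true"/>
    <select idref="xccdf_org.example_rule_b" selected="true"/>
    <refine-value idref="xccdf_org.example_value_minlen" selector="12"/>
  </Profile>
</Benchmark>"""
TAILORING = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_tailoring_demo">
  <Profile id="xccdf_org.example_profile_base_custom" extends="xccdf_org.example_profile_base">
    <select idref="xccdf_org.example_rule_b" selected="false"/>
    <select idref="xccdf_org.example_rule_c" selected="true"/>
    <set-value idref="xccdf_org.example_value_minlen">15</set-value>
  </Profile>
</Tailoring>"""

def profile_settings(xml_text, profile_id):
    """Return {(kind, idref): setting} for the named Profile; later entries win."""
    settings = {}
    for prof in ET.fromstring(xml_text).iter(XCCDF + "Profile"):
        if prof.get("id") != profile_id:
            continue
        for el in prof:
            idref = el.get("idref")
            if el.tag == XCCDF + "select":
                settings[("rule", idref)] = el.get("selected")
            elif el.tag == XCCDF + "refine-value":
                settings[("value", idref)] = "selector=" + el.get("selector", "")
            elif el.tag == XCCDF + "set-value":
                settings[("value", idref)] = "value=" + (el.text or "").strip()
    return settings

def diff_profiles(old, new):
    """List (kind, idref, old_setting, new_setting) for every setting that differs."""
    return [(k[0], k[1], old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]

def tailoring_changes(benchmark_xml, base_id, tailoring_xml, tailored_id):
    """Diff the base profile against base + tailoring overrides (the effective profile)."""
    base = profile_settings(benchmark_xml, base_id)
    effective = {**base, **profile_settings(tailoring_xml, tailored_id)}
    return diff_profiles(base, effective)

if __name__ == "__main__":
    for row in tailoring_changes(BENCHMARK, "xccdf_org.example_profile_base",
                                 TAILORING, "xccdf_org.example_profile_base_custom"):
        print(row)
```

Two profiles from the same benchmark can be compared by passing their `profile_settings` results straight to `diff_profiles`. A tailoring entry that merely restates the base setting drops out of the result, so only real customizations are listed.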
Gabe,
Sorry to be late with a thank you, been very busy on the day job.
The ability to make serial edits to a tailoring file seems like a very useful thing to have, although to be honest a real working diff would be much more useful to me.
I’d been cleared to release what I have as a comparison tool, but in the time since I wrote it *something* changed, and I need to find some time to rework it. It is some of the ugliest XML parsing python I’ve ever written, and had about the sole redeeming feature of ‘it more or less worked’. It does kinda hit some of the points that were mentioned in the github issue. Now to just find free time…..
-Rob
-- ROBERT SANDERS Sr. Secure Systems Engineer
FORCEPOINT T +1.703.896.4762 F +1.703.318.5041 www.forcepoint.com
FORWARD WITHOUT FEAR
From: Gabe Alford redhatrises@gmail.com Reply-To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Date: Thursday, October 3, 2019 at 6:29 PM To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: EXTERNAL: Re: Scan-workbench - modifying customizations, and comparing profiles
On Tue, Sep 17, 2019 at 1:50 PM Sanders, Robert <rsanders@forcepoint.com> wrote:
Hello all,
Is there any way to load a set of customizations into scap-workbench, make some additional tweaks, and then output *only* the customizations themselves (old + new changes)? Every time I’ve tried to do this I wind up with effectively the entire profile with my customizations overriding the original profile settings. To get around this I have my ‘gold’ customization file, and then for anything other than a trivial modification I create a brand new customization and manually cut/paste my customization back into my gold file. Painful.
I think that the only way is to use a tailoring profile to keep what is in the original set.
And next - I’d posted a year or so ago in the ‘open-scap’ mailing list asking if there was a reliable/good way to compare baselines (example - C2S vs stig-rhel7-disa, or a tailoring file against the reference). Seems to me to be a glaring missing feature. I started to write a comparison tool for my own use and have a very clunky python script to do it. I’d planned (and received permission from management) to release that back to the community (under the BSD 3-clause to match scap-security-guide) but got very side-tracked at work. Had to revisit it and realized just how clunky it is. Unless there is an accepted way to do this I’ll try to find time to clean it up and post it.
There is a ticket https://github.com/OpenSCAP/openscap/issues/1302 to add this feature into OpenSCAP, but there hasn't been much traction on it unfortunately. Of course, contributions are always welcome!
-Rob
-- ROBERT SANDERS Sr. Secure Systems Engineer
FORCEPOINT T +1.703.896.4762 F +1.703.318.5041 www.forcepoint.com
FORWARD WITHOUT FEAR
Hi,
We have a tool in upstream in https://github.com/ComplianceAsCode/content/blob/master/utils/compare_ds.py that can compare 2 datastreams. It can compare:
- Contents of Bash and Ansible remediations
- OVAL <definition> and <criteria> elements
Extending this tool to compare also profiles feels like a natural step.
Regards
On Tue, Oct 8, 2019 at 8:16 PM Sanders, Robert rsanders@forcepoint.com wrote:
Gabe,
Sorry to be late with a thank you, been very busy on the day job.
The ability to make serial edits to a tailoring file seems like a very useful thing to have, although to be honest a real working diff would be much more useful to me.
I’d been cleared to release what I have as a comparison tool, but in the time since I wrote it *something* changed, and I need to find some time to rework it. It is some of the ugliest XML parsing python I’ve ever written, and had about the sole redeeming feature of ‘it more or less worked’. It does kinda hit some of the points that were mentioned in the github issue. Now to just find free time…..
-Rob
--
ROBERT SANDERS
Sr. Secure Systems Engineer
FORCEPOINT
T +1.703.896.4762
F +1.703.318.5041
www.forcepoint.com
FORWARD WITHOUT FEAR