Heh, no offense taken. I just needed to turn the little lights green with a .ckl file...and I did :-D
On Wed, Nov 28, 2018 at 11:37 AM Brent Kimberley Brent.Kimberley@durham.ca wrote:
No disrespect intended. That’s exactly what I would do under the circumstances.
*From:* Brent Kimberley *Sent:* Wednesday, November 28, 2018 11:36 AM *To:* SCAP Security Guide scap-security-guide@lists.fedorahosted.org *Subject:* RE: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8 is EOL in January 2019?
That speaks volumes.
http://www.crosstalkonline.org/back-issues/
*From:* Trevor Vaughan [mailto:tvaughan@onyxpoint.com tvaughan@onyxpoint.com] *Sent:* Wednesday, November 28, 2018 11:31 AM *To:* SCAP Security Guide scap-security-guide@lists.fedorahosted.org *Subject:* Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8 is EOL in January 2019?
Brent, that may be the funniest message I've ever read.
There isn't one, I just reverse engineered it from the pseudo-XML that it outputs.
On Wed, Nov 28, 2018 at 9:42 AM Brent Kimberley Brent.Kimberley@durham.ca wrote:
Where can I find the controlled schema / ICD / metadata for the checklist file format?
*From:* Trevor Vaughan [mailto:tvaughan@onyxpoint.com] *Sent:* Wednesday, November 28, 2018 9:02 AM *To:* SCAP Security Guide scap-security-guide@lists.fedorahosted.org *Subject:* Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8 is EOL in January 2019?
Yep, this is the one.
That said, if you dig through the archives of this mailing list, I figured out how to create the bare minimum .ckl file that you need for reporting so that should give people a head start.
On Wed, Nov 28, 2018 at 1:31 AM Matthew simontek@gmail.com wrote:
The .ckl issue is the answer to why use. I know not everyone works for gov't entities, but they typically require it, with very little options for other products. Management likes graphs and charts.
On Tue, Nov 27, 2018, 8:22 PM James Cassell <fedoraproject@cyberpear.com> wrote:
On Tue, Nov 27, 2018, at 6:21 PM, Shawn Wells wrote:
On 11/27/18 2:06 PM, James Ralston wrote:
I apologize if this is a little off-topic for this list, but a question: what are others who use STIG Viewer planning to do once Oracle JDK 8 / JavaFX go EOL in January 2019?
[...]
Ideally, I'd like to find a Linux replacement for STIG Viewer—something that can read, annotate, and write STIG Viewer checklist (*.ckl) files. But although SCAP Workbench can load and check STIGs, unless I'm missing something, it has no support for STIG Viewer checklist files.
Not being snide, should this come across wrongly.... genuine question: Why use STIG Viewer in the first place?
The STIG Viewer produces *.ckl checklist files, which some auditors and many security departments want.
V/r, James Cassell _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
--
Trevor Vaughan Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to any privilege have been waived. If you are not the intended recipient, you are hereby notified that any review, re-transmission, dissemination, distribution, copying, conversion to hard copy, taking of action in reliance on or other use of this communication is strictly prohibited. If you are not the intended recipient and have received this message in error, please notify me by return e-mail and delete or destroy all copies of this message.
On 11/28/18 12:51 PM, Trevor Vaughan wrote:
Heh, no offense taken. I just needed to turn the little lights green with a .ckl file...and I did :-D
What are the .ckl files imported into? How are they used?
For example if OpenSCAP or Satellite could evaluate a system and output a properly formatted .ckl file... would that provide value? What happens with .ckl files?
STIG Viewer Version 2.8
http://iasecontent.disa.mil/stigs/zip/U_STIGViewer_2-8.zip
CAC not required.
Probably should have included this part.
https://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx
.ckl files are the manual checklists that are used to import the automated XCCDF content. For example on RHEL6 you import the XCCDF content from the scan and then you have 85 manual controls to review. You use the Java STIG viewer (JavaFX required) as the GUI to provide comments and choose from a drop down menu (open, not a finding, not applicable) for each manual control. The auditors typically request results from each host in .ckl format I believe because it shows you've done the manual review as opposed to providing an SCC or openscap HTML report which would only cover the automated checks.
btw, those 85 manual RHEL6 controls could be automated. Most are "run this command; if it produces results, it's a finding". A few require interpretation but most seem like they could be automated.
Lee
Agreed, operational environments require at least one manual checkout line item.
They can and have been automated. One of our engineers at LM has created a very bloated python script that goes through each of the items in the DISA STIG, and only leaves one unanswered (I think it's the "ask the admin if he's doing backups")
Tom A.
The issue is less the automation (that's easy) and more that it isn't actually a codified standard.
I'll hop onto the STIG feedback space on SoftwareForge and see if they have a schema anywhere. The last time I asked, there wasn't one, but that was quite some time ago.
Trevor
On 11/29/18 5:54 PM, Trevor Vaughan wrote:
The issue is less the automation (that's easy) and more that it isn't actually a codified standard.
Could these be expressed as OCIL?
https://csrc.nist.gov/projects/security-content-automation-protocol/specific...
For example, here's the codified OCIL for manual inspection to make sure /var/log/httpd is 0700 or less permissive:
<ns0:questionnaire id="ocil:ssg-dir_perms_var_log_httpd_ocil:questionnaire:1">
  <ns0:title>Set Permissions on the /var/log/httpd/ Directory</ns0:title>
  <ns0:actions>
    <ns0:test_action_ref>ocil:ssg-dir_perms_var_log_httpd_action:testaction:1</ns0:test_action_ref>
  </ns0:actions>
</ns0:questionnaire>
.....
<ns0:boolean_question_test_action id="ocil:ssg-dir_perms_var_log_httpd_action:testaction:1" question_ref="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
  <ns0:when_true>
    <ns0:result>PASS</ns0:result>
  </ns0:when_true>
  <ns0:when_false>
    <ns0:result>FAIL</ns0:result>
  </ns0:when_false>
</ns0:boolean_question_test_action>
..........
<ns0:boolean_question id="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
  <ns0:question_text>Run the following command to check the mode of the httpd log directory:
$ ls -l /var/log/ | grep httpd
Log directory must be mode 0700 or less permissive.
Is it the case that it is more permissive?</ns0:question_text>
</ns0:boolean_question>
If these manual checks can be coded in OCIL they can be included in SCAP-based reports natively.
Also means we could create an organizational answers file, such as "Do you do backups?" that Tom mentioned earlier in the thread. Organizational answers could automatically be incorporated into the results files.
I'll hop onto the STIG feedback space on SoftwareForge and see if they have a schema anywhere. The last time I asked, there wasn't one, but that was quite some time ago.
Thanks Trevor!
All this sounds awesome!
V/r, James Cassell
Sounds good providing the parser is hardened to withstand logic bombs.
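As an added example (not code from the thread, from SSG, or from STIG Viewer) of Shawn's OCIL sketch and of Brent's point that the parser must be hardened: a small Python evaluator that answers the thread's questionnaire from an organizational answers file, refuses DOCTYPE/ENTITY input before the stdlib parser sees it, and maps the outcome onto XCCDF result values. The OCIL 2.0 namespace URI, the container elements wrapped around the quoted snippet, and the questionnaire aggregation rule are assumptions.

```python
"""Constructed example: evaluate the thread's OCIL questionnaire from an
organizational answers file, refusing DOCTYPE/ENTITY input before parsing."""
import json
import xml.etree.ElementTree as ET

OCIL_NS = "http://scap.nist.gov/schema/ocil/2.0"  # OCIL 2.0 namespace (assumed from the spec)
NS = {"o": OCIL_NS}

# Constructed sample: the questionnaire quoted in the thread, placed in the container
# elements a complete OCIL document uses (namespace declared, ns0 prefix dropped).
OCIL_DOC = f"""<?xml version="1.0"?>
<ocil xmlns="{OCIL_NS}">
  <questionnaires>
    <questionnaire id="ocil:ssg-dir_perms_var_log_httpd_ocil:questionnaire:1">
      <title>Set Permissions on the /var/log/httpd/ Directory</title>
      <actions>
        <test_action_ref>ocil:ssg-dir_perms_var_log_httpd_action:testaction:1</test_action_ref>
      </actions>
    </questionnaire>
  </questionnaires>
  <test_actions>
    <boolean_question_test_action id="ocil:ssg-dir_perms_var_log_httpd_action:testaction:1"
        question_ref="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
      <when_true><result>PASS</result></when_true>
      <when_false><result>FAIL</result></when_false>
    </boolean_question_test_action>
  </test_actions>
  <questions>
    <boolean_question id="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
      <question_text>Run the following command to check the mode of the httpd log directory:
$ ls -l /var/log/ | grep httpd
Log directory must be mode 0700 or less permissive.
Is it the case that it is more permissive?</question_text>
    </boolean_question>
  </questions>
</ocil>
"""

# Constructed organizational answers file: question id -> the reviewer's yes/no answer.
ANSWERS_JSON = json.dumps({"ocil:ssg-dir_perms_var_log_httpd_question:question:1": False})

MAX_BYTES = 5 * 1024 * 1024  # refuse oversized input before the parser sees it

# OCIL result -> XCCDF 1.2 rule result, so answered checks land in the same report.
OCIL_TO_XCCDF = {"PASS": "pass", "FAIL": "fail", "ERROR": "error",
                 "NOT_TESTED": "notchecked", "NOT_APPLICABLE": "notapplicable"}

def safe_parse(xml_text: str) -> ET.Element:
    """Parse with the stdlib parser, but refuse anything that could expand entities:
    expat honours internal DTD entities, so DOCTYPE/ENTITY input is rejected outright."""
    if len(xml_text.encode("utf-8")) > MAX_BYTES:
        raise ValueError("OCIL document exceeds size limit")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted in OCIL input")
    return ET.fromstring(xml_text)

def load_answers(json_text: str) -> dict:
    """Read the answers file; every value must be a real boolean, not a truthy string."""
    answers = json.loads(json_text)
    bad = [k for k, v in answers.items() if not isinstance(v, bool)]
    if bad:
        raise ValueError(f"non-boolean answers for: {bad}")
    return answers

def evaluate_ocil(xml_text: str, answers: dict) -> dict:
    """Return {questionnaire id: result} from each action's when_true/when_false.
    Aggregation is simplified (assumed, not the spec's precedence table): PASS only if
    every referenced action is PASS, the first non-PASS otherwise, NOT_TESTED if unanswered."""
    root = safe_parse(xml_text)
    actions = {a.get("id"): a
               for a in root.findall("o:test_actions/o:boolean_question_test_action", NS)}
    results = {}
    for qn in root.findall("o:questionnaires/o:questionnaire", NS):
        outcome = "PASS"
        for ref in qn.findall("o:actions/o:test_action_ref", NS):
            action = actions.get((ref.text or "").strip())
            if action is None:            # dangling reference in the content
                outcome = "ERROR"
                break
            answer = answers.get(action.get("question_ref"))
            if answer is None:            # the organization has not answered yet
                outcome = "NOT_TESTED"
                break
            branch = "o:when_true" if answer else "o:when_false"
            node = action.find(f"{branch}/o:result", NS)
            outcome = (node.text or "").strip() if node is not None else "ERROR"
            if outcome != "PASS":
                break
        results[qn.get("id")] = outcome
    return results

def xccdf_result(ocil_result: str) -> str:
    """Map an OCIL result onto the XCCDF result vocabulary ('unknown' if unmapped)."""
    return OCIL_TO_XCCDF.get(ocil_result, "unknown")
```

With the constructed answer of "no" to "is it more permissive?", the questionnaire evaluates to FAIL under the snippet's own when_false mapping, which is worth noticing before wiring such content into a report.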
Yeah, the material could easily be OCIL.
An XSLT layer could be added to convert from OCIL and OVAL Reports to the CKL format. That would be a vast improvement over the 'just wing it' approach that we have now.
Trevor
Have requested public publication of the CKL schema. There is one, it's just not public for some reason.
CKL files are a supported input format for Vulnerator, which is a tool commonly used for putting POAMs together in an Excel format.
https://github.com/Vulnerator/Vulnerator
Tom A.
VRAM and security center can also make use of them.