Questions tagged [openscap]

Open source suite of SCAP tools

http://www.open-scap.org/page/Main_Page

SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It's our goal to create a framework of libraries and tools to improve the accessibility of SCAP and enhance the usability of the information it represents.

39 questions
7
votes
3 answers

Which CentOS security policy is suitable for a single-purpose server?

I am exploring CentOS as a possibility for hosting a number of servers (mail, web, database, etc). Each machine will have a single purpose, and security is a priority. At the first installation, I am confronted with this: Information about these…
spraff
5
votes
2 answers

How do I force Anaconda's SCAP add-on to let me use a USB keyboard?

The problem: I'm creating an RHEL 7.3 installation image with a custom kickstart file. I can add this to my kickstart file to enable SCAP configuration during installation: %addon org_fedora_oscap content-type = scap-security-guide profile =…
Alex P
4
votes
1 answer

Evaluating DISA-STIG for Windows 7 returns only "notchecked"

I've downloaded the DISA_STIG for Windows 7 from https://www.stigviewer.com/stig/windows_7/ (XML version) and tried to evaluate my desktop with OSCAP 1.3.0 for windows, with the command: oscap xccdf eval --profile MAC-3_Public --results…
Zottmann
2
votes
2 answers

openscap and CentOS 7 OVAL definitions

I'm using the Red Hat CVE reports to run OVAL scans against CentOS 7. I'm trying to understand if the results are accurate, or if I should be doing it differently. If I run an OVAL report like this: wget…
J Adams
2
votes
1 answer

Tailoring file on kickstarted RHEL7.4 installation causes OSCAP plugin to not remediate

I'm having trouble getting RHEL7.4 to use a tailoring file with the OSCAP addon. I've taken the following steps to make this work. Created a customization RPM using the scap-workbench tool. Added that RPM to the kickstart installation. Specified…
zachlowry
2
votes
1 answer

How can I use openscap to do an offline OVAL scan of a Cisco router?

This doc describes a process of scanning a router's "show tech" file with a joval utility. I downloaded joval's trial, but didn't see that utility. Can openscap do offline OVAL scans of Cisco routers? I want the routers to generate some file (show…
red888
1
vote
0 answers

OpenSCAP warning: obtrusive data from probe

I'm using OpenSCAP 1.3.1 on Windows 10 Professional (64-bit) with the CISecurity OVAL vulnerability definitions, schema version 5.11.1. My definition files all pass validation. I receive a lot of these warnings when evaluating my Windows 10…
Arbiter
1
vote
0 answers

Verify on a client workstation that all GPOs are enforced using OpenSCAP

I would like to verify that all my GPOs are enforced on client workstations using OpenSCAP. A manual verification of each policy is not acceptable. I have exported my GPOs to an XML file but I can't find a way to load them in OpenSCAP or transform…
Marc
1
vote
0 answers

oscap-vm fails to produce HTML results

I am getting started with oscap-vm, basically using openscap in an offline mode to scan VM images looking for CVEs. When I use oscap-vm installed on RHEL7.6 and scan Ubuntu images, oscap-vm fails with a bunch of errors and fails to produce an HTML or…
1
vote
1 answer

OpenSCAP with external resources on a device with no external networking

I am attempting to scan a virtual machine generated off of a RHEL7 kickstart with some in-house configuration. Since the machine in question is still in testing, it's not yet authorized to connect out to the internet, only to its host. I'm using…
matthock
1
vote
1 answer

Run OpenSCAP locally on Windows

Please tell me if I am missing something here. OpenSCAP will not currently allow you to run scans locally against a Windows machine. I have read posts on Experts Exchange that lead me to believe that there might be a workaround to this problem, but…
John Kenny
1
vote
1 answer

Can I delete anaconda-ks.cfg and openscap_data from root folder?

I just noticed that after every fresh CentOS 7 (7.2) installation I perform, there are two files created in the root folder (/root): openscap_data folder, anaconda-ks.cfg file. As far as I understand the openscap_scanner is a vulnerability scanner…
LuMa
1
vote
1 answer

specificity in root account email requirement (xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias)

The test for xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias is looking specifically for root: system.administrator@mail.mil in /etc/aliases and OpenSCAP remediation automatically adds that. The real issue to address is to make…
1
vote
0 answers

writing your own openscap scan profile

I am currently checking the remote machine using the command oscap-ssh login@host 22 xccdf eval -- profile xccdf_org.ssgproject.content_profile_standart --report name.html. But the test templates don't suit me, I only need to check three conditions,…
1
vote
1 answer

OpenSCAP ssh with keyfile

I would like to test a CentOS system with OpenSCAP run from my Windows PC. The problem is that I can ssh to the CentOS with keyfile only, as per company policy. I did not find whether SCAP workbench supports this. Can it be done or I need ssh…