Server Fault Stack Exchange
Server Fault Stack Exchange

Questions tagged [openscap]

Open source suite of SCAP tools

http://www.open-scap.org/page/Main_Page

SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It's our goal to create a framework of libraries and tools to improve the accessibility of SCAP and enhance the usability of the information it represents.

39 questions
1
vote
1 answer

How do I cross-reference OpenSCAP benchmarks to the CIS documentation?

I'm using the SCAP WorkBench, and have gone in to customize the CIS profile for RHEL 8. The benchmark items are clearly titled with things like "Modify the System Login Banner". The item properties even give the Security Identifier. But I cannot…
RansomStoddard
  • 11
  • 1
1
vote
1 answer

Performing an OpenSCAP Remediation via a chroot session -- "Can't perform remediation in offline mode" Error

I am attempting to perform an OpenSCAP remediation through a chroot session. My command is structured as follows: oscap-chroot /mnt/chroot_fs \ xccdf eval \ --remediate \ --results results.xml \ --report report.html…
TJ Zimmerman
  • 241
  • 5
  • 17
1
vote
0 answers

Build SCAP files from reference system

The current way of dealing with a SCAP configuration file is unwieldy. Let's look at the process as I read it in the documentation: Take a starting config file (CIS, DISA STIG, OpenSCAP reference) Make changes manually to reflect reference at our…
Kenneth
  • 31
  • 5
1
vote
1 answer

How to run OpenSCAP with my own PowerShell-script

I want to check if is screensaver on my Windows 10 Pro active using my own PowerShell-script and OpenSCAP 1.3.2 (Windows version). I wrote such file test.xml:
Dzmitry Lapeta
  • 11
  • 1
0
votes
1 answer

How to rollback after openscap remediation

What is the best practice to rollback after a openscap remediate that made the system unstable other than to restore a system backup
OlivierThompson
  • 1
  • 1
0
votes
1 answer

OpenSCAP for windows target

I am searching for OpenSCAP support for windows target servers. Currently OpenSCAP does not allow to run scans locally against a Windows machine. Please check this post. But it does not have enough information on it. Does anyone know any workaround…
tech_enthusiast
  • 103
  • 5
0
votes
1 answer

not able to make SCE script working

I'm trying to use SCE script in openscap ds file and all I get is "notchecked" status here is my ds file:
Raymond
  • 1
0
votes
1 answer

OpenSCAP reporting false for RHSA patches on Redhat6 Server x86_64

did OpenSCAP scan initially and was inform of that the server had 16 hits on definitions that require patching. performed yum update and rebooted said server and its reflecting the newer version :2.6.32-696.20.1.el6.x86_64 after patching, re-did…
Zak SiJie Ang
  • 3
  • 3
0
votes
1 answer

OpenSCAP remediation won't boot

I am runnnig OenSCAP on a CentOS 6.9 box, after I run it and remediate the findings my machine won't boot. It gets to the CentOS splash screen and stops. When I hit Alt+d it will loop when loading the mouse. If I remove the mouse it stops after…
Rusht
  • 1
  • 2
0
votes
2 answers

Using CIS Benchmarks with openscap

I am trying to get CIS Centos 6 benchmarks running with openscap. But it does not work. I am calling it like this: oscap oval eval /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml which produces tons of output…
Isaac
  • 1,195
  • 3
  • 25
  • 43
0
votes
1 answer

Openscap CIS RHEL6 Profile unavailible?

I'm running Open-SCAP Workbench 1.2.0 on RHEL8.6 installed via dnf, rpm: openscap-1.3.6-3.el8.x86_64. While choosing a profile after loading the 'RHEL 6' content (an ssg-rhel6-xccdf.xml file located in /usr/share/xml/scap/ssg/), I was unable to find…
sam
  • 11
  • 2
0
votes
1 answer

Can OpenScap generate 1 report compiling multiple results?

Sample command to evaluate: $ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Sample command to remediate: $ oscap xccdf remediate --results…
psyntium
  • 3
  • 2
0
votes
1 answer

Generating plain-text report in OpenSCAP

I have set up OpenSCAP for compliance testing. Right now I am generating xml and html reports. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_custom --results-arf results.xml --report report.html ssg-centos7-custom.xml I really need…
Geoffrey Gardella
  • 1
0
votes
1 answer

OpenScap Debian 10 Benchmarks

The lastest openscap package I downloaded for Debian 10 does not include a datastream or benchmark for Debian 10. The latest release they have is debian 8 and I get "Not Applicable" when using this for the scan. Can someone tell me how I can get the…
Eddie Newman
  • 1
0
votes
0 answers

OpenSCAP on Debian 11

Building out and SIEM server on a Debian 11 OS. Does anyone know when the package libopenscap8 will become available? After reviewing the packages available for Debian servers, I found it was available for the Debian 10 OS. I really don't want to…
John
  • 1
1
2
3