Thursday, December 13, 2018

OpenSCAP on Centos7

yum install openscap openscap-scanner scap-security-guide

$ rpm -qa | grep openscap
openscap-scanner-1.2.16-8.el7_5.x86_64
openscap-1.2.16-8.el7_5.x86_64

$ rpm -qa | grep scap-security-guide
scap-security-guide-0.1.36-10.el7.centos.noarch

$ pwd
/usr/share/xml/scap

Things you can scan for free:
$ find . | grep xml
./ssg/content/ssg-centos6-ds.xml
./ssg/content/ssg-centos7-ds.xml
./ssg/content/ssg-centos7-xccdf.xml
./ssg/content/ssg-firefox-ds.xml
./ssg/content/ssg-jre-ds.xml
./ssg/content/ssg-rhel7-cpe-dictionary.xml
./ssg/content/ssg-rhel7-cpe-oval.xml
./ssg/content/ssg-rhel7-oval.xml
./ssg/content/ssg-centos6-xccdf.xml
./ssg/content/ssg-firefox-cpe-dictionary.xml
./ssg/content/ssg-firefox-cpe-oval.xml
./ssg/content/ssg-firefox-ocil.xml
./ssg/content/ssg-firefox-oval.xml
./ssg/content/ssg-firefox-xccdf.xml
./ssg/content/ssg-jre-cpe-dictionary.xml
./ssg/content/ssg-jre-cpe-oval.xml
./ssg/content/ssg-jre-ocil.xml
./ssg/content/ssg-jre-oval.xml
./ssg/content/ssg-jre-xccdf.xml
./ssg/content/ssg-rhel6-cpe-dictionary.xml
./ssg/content/ssg-rhel6-cpe-oval.xml
./ssg/content/ssg-rhel6-ds.xml
./ssg/content/ssg-rhel6-ocil.xml
./ssg/content/ssg-rhel6-oval.xml
./ssg/content/ssg-rhel6-xccdf.xml
./ssg/content/ssg-rhel7-ds.xml
./ssg/content/ssg-rhel7-ocil.xml
./ssg/content/ssg-rhel7-xccdf.xml


Here is how to get a report of your compliance.
#  oscap info "/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml"
Document type: Source Data Stream
Imported: 2017-10-19T18:41:07

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
                Status: draft
                Generated: 2017-10-19
                Resolved: true
                Profiles:
                        xccdf_org.ssgproject.content_profile_standard
                        xccdf_org.ssgproject.content_profile_pci-dss
                        xccdf_org.ssgproject.content_profile_C2S
                        xccdf_org.ssgproject.content_profile_rht-ccp
                        xccdf_org.ssgproject.content_profile_common
                        xccdf_org.ssgproject.content_profile_stig-rhel7-disa
                        xccdf_org.ssgproject.content_profile_stig-rhevh-upstream
                        xccdf_org.ssgproject.content_profile_ospp-rhel7
                        xccdf_org.ssgproject.content_profile_cjis-rhel7-server
                        xccdf_org.ssgproject.content_profile_docker-host
                        xccdf_org.ssgproject.content_profile_nist-800-171-cui
                Referenced check files:
                        ssg-rhel7-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel7-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml
                Status: draft
                Generated: 2017-10-19
                Resolved: true
                Profiles:
                        xccdf_org.ssgproject.content_profile_pci-dss_centric
                Referenced check files:
                        ssg-rhel7-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel7-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml000
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml000
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-dictionary.xml

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Ensure Red Hat GPG Key Installed
Rule    xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result  pass

Title   Ensure gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result  notchecked

Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Result  fail

Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Result  pass

Title   Add nodev Option to /dev/shm
Rule    xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result  pass

Title   Add nosuid Option to /dev/shm
Rule    xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Result  pass

Title   Verify that All World-Writable Directories Have Sticky Bits Set
Rule    xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
Result  fail

Title   Ensure No World-Writable Files Exist
Rule    xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
Result  pass

Title   Ensure All SGID Executables Are Authorized
Rule    xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid
Result  pass

Title   Ensure All SUID Executables Are Authorized
Rule    xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid
Result  pass

Title   Prevent Log In to Accounts With Empty Password
Rule    xccdf_org.ssgproject.content_rule_no_empty_passwords
Result  fail

Title   Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule    xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
Result  pass
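The plain-text output above gets long once a full profile runs, and what you usually want is a count per result plus the list of rule ids that failed. Here is an added helper (my own example, not part of the original post and not part of OpenSCAP) that parses the "Title / Rule / Result" blocks that oscap prints and tallies them. The sample input is a constructed subset of the scan output shown above; pipe real oscap output into it on stdin.

```python
"""Summarise the text that `oscap xccdf eval` prints to stdout.

Added example, not from the original post. It turns the
"Title / Rule / Result" blocks into a per-result tally and a list
of failing rule ids, so a long scan can be triaged without opening
the HTML report. Usage: oscap xccdf eval ... | python3 summarize.py
"""
import re
import sys
from collections import Counter

# Constructed sample: a subset of the scan output shown on the page.
SAMPLE_OUTPUT = """\
WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.
Title   Ensure Red Hat GPG Key Installed
Rule    xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
Result  pass

Title   Ensure Software Patches Installed
Rule    xccdf_org.ssgproject.content_rule_security_patches_up_to_date
Result  notchecked

Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Result  fail

Title   Prevent Log In to Accounts With Empty Password
Rule    xccdf_org.ssgproject.content_rule_no_empty_passwords
Result  fail
"""

# One block = three consecutive lines: Title, Rule, Result.
BLOCK_RE = re.compile(
    r"^Title\s+(?P<title>.+?)\n"
    r"^Rule\s+(?P<rule>\S+)\n"
    r"^Result\s+(?P<result>\S+)$",
    re.MULTILINE,
)


def parse_oscap_output(text):
    """Return a list of (title, rule_id, result) tuples, one per rule block."""
    return [(m.group("title"), m.group("rule"), m.group("result"))
            for m in BLOCK_RE.finditer(text)]


def summarize(text):
    """Tally results and collect failing / unchecked rule ids.

    'notchecked' is reported separately: it is neither a pass nor a
    fail (on this page the patch rule is notchecked because the remote
    OVAL feed was not fetched; see the --fetch-remote-resources warning).
    """
    rows = parse_oscap_output(text)
    counts = Counter(result for _, _, result in rows)
    failed = [rule for _, rule, result in rows if result == "fail"]
    unchecked = [rule for _, rule, result in rows if result == "notchecked"]
    return {"counts": dict(counts), "failed": failed, "notchecked": unchecked}


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    report = summarize(text)
    for result, n in sorted(report["counts"].items()):
        print(f"{result:12s} {n}")
    for rule in report["failed"]:
        print("FAILED  ", rule)
    for rule in report["notchecked"]:
        print("UNCHECKED", rule)
```

Rules that come back notchecked are worth a second look: they are not failures, but they are also not evidence of compliance, and on this page the one notchecked rule is the patch-level check.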

Make configuration report using settings database
$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml


$ oscap oval eval --results $(hostname)-oval-results-$(date +%Y%m%d).xml --report $(hostname)-oval-report-$(date +%Y%m%d).html /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml

$ oscap xccdf eval --oval-results --profile server --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

download the CentOS OVAL definitions
wget https://oval.mitre.org/rep-data/5.10/org.mitre.oval/p/platform/centos.linux.7.xml

make a vulnerability report based on CVEs
oscap oval eval --results $(hostname)-oval-results-$(date +%Y%m%d).xml --report $(hostname)-oval-report-$(date +%Y%m%d).html centos.linux.7.xml

That report is pretty out of date though! MITRE hasn't updated it since 2015.
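The two things to pull out of an OVAL results file are which definitions evaluated true (for patch- or vulnerability-class content, true means the fix is missing or the system is affected) and how old the definitions feed itself is, because a stale feed produces a clean-looking report for the wrong reason, as the MITRE data above does. The following is an added example of mine, not code from the post or from OpenSCAP: it reads the file that oscap writes with --results. The embedded XML is a constructed stand-in that follows the oval-results-5 layout (results wrapping a copy of the definitions); its ids, titles, CVE numbers and dates are placeholders.

```python
"""List OVAL definitions that evaluated true and check the feed's age.

Added example, not from the original post. Input is the file written
by `oscap oval eval --results FILE ...`; the sample below is a
constructed, minimal stand-in with placeholder ids and dates.
Usage: python3 oval_hits.py rhsa-results-oval.xml
"""
import sys
from datetime import date, datetime
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "oval": "http://oval.mitre.org/XMLSchema/oval-common-5",
}

# Constructed sample. Everything in it is a placeholder, including the CVE ids.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:product_name>oscap</oval:product_name>
    <oval:timestamp>2018-12-13T10:00:00</oval:timestamp>
  </generator>
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <generator>
      <oval:product_name>example feed</oval:product_name>
      <oval:timestamp>2015-03-02T09:00:00</oval:timestamp>
    </generator>
    <definitions>
      <definition id="oval:example:def:1" version="1" class="patch">
        <metadata>
          <title>EXAMPLE-1: placeholder kernel update</title>
          <reference source="CVE" ref_id="CVE-0000-0001"/>
        </metadata>
      </definition>
      <definition id="oval:example:def:2" version="1" class="patch">
        <metadata>
          <title>EXAMPLE-2: placeholder openssl update</title>
          <reference source="CVE" ref_id="CVE-0000-0002"/>
          <reference source="CVE" ref_id="CVE-0000-0003"/>
        </metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" result="false" version="1"/>
        <definition definition_id="oval:example:def:2" result="true" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def feed_timestamp(xml_text):
    """Timestamp of the definitions feed that was evaluated (not of the scan run)."""
    root = ET.fromstring(xml_text)
    ts = root.find("def:oval_definitions/def:generator/oval:timestamp", NS)
    return ts.text if ts is not None else None


def feed_is_stale(xml_text, as_of, max_age_days=90):
    """True if the feed is older than max_age_days relative to as_of (YYYY-MM-DD)."""
    ts = feed_timestamp(xml_text)
    if ts is None:
        return True  # no generator timestamp: treat as untrustworthy
    feed_day = datetime.fromisoformat(ts).date()
    return (date.fromisoformat(as_of) - feed_day).days > max_age_days


def true_definitions(xml_text):
    """Definitions whose result is 'true', joined with their title and CVE refs."""
    root = ET.fromstring(xml_text)
    meta = {}
    for d in root.findall("def:oval_definitions/def:definitions/def:definition", NS):
        cves = [r.get("ref_id") for r in d.findall("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (d.get("class"),
                             d.findtext("def:metadata/def:title", default="", namespaces=NS),
                             cves)
    hits = []
    for r in root.findall("res:results/res:system/res:definitions/res:definition", NS):
        if r.get("result") != "true":
            continue
        cls, title, cves = meta.get(r.get("definition_id"), ("?", "", []))
        hits.append({"id": r.get("definition_id"), "class": cls, "title": title, "cves": cves})
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print("feed generated:", feed_timestamp(text),
          "(STALE)" if feed_is_stale(text, date.today().isoformat()) else "")
    for h in true_definitions(text):
        print(h["class"], h["id"], h["title"], ",".join(h["cves"]))
```

Run against the sample it reports one true definition and flags the 2015 feed as stale; run against a real results file it gives you the feed date before you trust an empty list of hits.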

try to download and run per https://www.open-scap.org/resources/documentation/perform-vulnerability-scan-of-rhel-6-machine/

These commands don't seem to produce anything past 2014 either...
wget https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
oscap oval eval --results rhsa-results-oval.xml  --report oval-report.html  Red_Hat_Enterprise_Linux_7.xml


This one doesn't return anything at all:
wget https://oval.cisecurity.org/repository/download/5.11.2/vulnerability/centos_linux_7.xml
 oscap oval eval --results centos-results-oval.xml --report oval-report-centos.html centos_linux_7.xml

try the patch feed instead:
https://oval.cisecurity.org/repository/download/5.11.2/patch/centos_linux_7.xml
 sudo  oscap oval eval --results centos-results-oval.xml --report oval-report-centos.html centos_linux_7.xml
doesn't seem to show any missing patches from a box I know is missing a few...



references:
https://community.alfresco.com/community/platform/blog/2016/12/21/hardening-assessment-and-automation-with-openscap-in-5-minutes
https://oval.mitre.org/rep-data/5.10/org.mitre.oval/p/index.html


https://serverfault.com/questions/923295/openscap-and-centos-7-oval-definitions
"wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2

bunzip2 com.redhat.rhsa-RHEL7.xml.bz2

oscap oval eval --results rhsa-results-oval.xml --report ${HTMLPATH}/myreport.html com.redhat.rhsa-RHEL7.xml"




Alternatives to OpenSCAP for auditing CentOS 7 against the CIS benchmark:
https://github.com/haxorof/centos-bench-security
https://github.com/massyn/centos-cis-benchmark
https://github.com/CISecurity/OVALRepo


Friday, February 16, 2018

OpenVAS OSX Sierra Mac Ports install fails

Here is my failed attempt at getting ports to install openvas on OSX.
port Version 2.4.2
xcodebuild version 9.2 Build version 9C40b

sudo port install openvas*

fails, missing lbzip2
sudo port install lbzip2

sudo port install openvas* fails again due to missing ac_nonexistent.h

Google says that .h file comes from coccinelle.

sudo port install coccinelle fails with "info:build is not a compiled interface for this version of OCaml"

port list | grep -i ocaml finds a ton of different ocaml ports; which one is it?

Since we don't know, sudo port install ocaml*
That fails at ocaml-kernel: cannot find external tool ocamlbuild.

sudo port install ocaml-ocamlbuild
then sudo port install ocaml* failed again on ocaml-core-kernel

Giving up on ocaml. It looks like coccinelle was built with an older version of OCaml; how do you pin that older version in the port install?