OpenSCAP - feedback from the real world
I wanted to get a feeler of whether folks are using OpenSCAP. I also was curious if people were using it with their Satellite/Spacewalk infrastructure, or stand-alone.
Was it worth implementing (i.e. would you do it again)?
Did you use it with Satellite, and would you implement it stand-alone if given the option to do it over?
How much customization of the pre-canned audit files did you need?
What particular skills did you find helpful (i.e. did you find yourself using Python quite often)?
Were there any blatant issues you had to work through that you would advise researching in advance?
Thanks!
Did you end up altering your build standard to pass the standard audit? (i.e. separate /var/log and /var/log/audit)
What kind of issues did you run in to that were not anticipated?
EDIT:
Any idea whether OpenSCAP will continue to be integrated with Satellite 6.x? Will it be more tightly-coupled?
Responses
Just updated my Satellite to 5.6 and a couple of dev boxes to RHEL 6.5. Installed all of the scap packages. If I run oscap on the local machine it works fine; if I run it from the Satellite I am seeing unicode errors in /var/log/up2date. Will be contacting support.
We are planning to implement it in our Satellite to replace Qualys VM (vulnerability management) scans.
It is required to comply with PCI DSS requirements and SCAP would save us money.
Also, it would be easier to have access to XML profiles.
Hello David,
Here's a few highlights from Satellite 5.6 Release Notes [1]:
" Improved SCAP auditing features and support for XCCDF 1.2 to provide capturing of detailed HTML reports.
...
BZ#861006
Satellite 5.6 has the ability to aggregate full SCAP results, collecting OVAL and XCCDF results into a fully downloadable HTML report for each scan. The extended information available in the report can help administrators investigate the possible causes of audit failure.
The organization administrator can configure this feature, setting up file size limits for individual SCAP files. This feature is turned off by default for each organization. It requires the latest spacewalk-oscap packages on the client systems in order to work properly.
...
New API Methods:
org.getPolicyForScapFileUpload
org.getPolicyForScapResultDeletion
org.setPolicyForScapFileUpload
org.setPolicyForScapResultDeletion
system.scap.deleteXccdfScan
..."
[1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Satellite/5.6/html-single/Release_Notes/index.html
If you want to look upstream and contribute to the security policy and scan content community, https://fedorahosted.org/scap-security-guide/ is a great place to start.
James Remmele, had I known about this thread I would have pinged you about it @ Summit!
Andrew's suggestion for SSG is the way to go. You can build XCCDF from scratch with something like scap-workbench (https://fedorahosted.org/scap-workbench/), but the SSG community is the upstream for orgs like DISA and has a solid set of starting points. I believe that the content will be available directly starting in RHEL 6.6 without need for EPEL.
The basic skillset needed is XML. Reading, tracing, connecting XML. And if you're looking at SSG, then a bit of make so you can see how they are doing some of the XML transformations to build the final XML from the snippets.
I've worked on a CIS policy, it wasn't very hard to get started but the upstream community has since formed around building something that worked as well. I started with the STIG profile (a DoD profile) and got the basic mapping of what existed and what didn't against the CIS benchmark in an afternoon. Working on the missing controls wasn't very hard either.
SCAP is on the roadmap (and loudly shouted for) in Sat 6, but won't be there on GA from what I've been led to understand. (Not an employee, no special inside track ;) )
-Matt
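The "reading, tracing, connecting XML" skill Matt describes is mostly exercised on the XCCDF result files oscap writes. As an added example (not code from this thread, OpenSCAP or SSG), the script below parses the TestResult section of an XCCDF 1.2 result document and lists failing rules by severity; the sample document is constructed for the demo and its rule ids are hypothetical.

```python
"""Summarise an XCCDF 1.2 result file: outcome counts and failing rules.

Added example, not code from this thread or from OpenSCAP/SSG. It reads the
TestResult that `oscap xccdf eval --results` writes; the sample below is
constructed and its rule ids are hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: a trimmed TestResult in the shape oscap emits.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo" start-time="2014-06-01T10:00:00">
    <profile idref="xccdf_example_profile_demo"/>
    <rule-result idref="xccdf_example_rule_partition_for_var_log" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_partition_for_var_log_audit" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_login_events" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) tuples for every rule-result."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        text = res.text.strip() if res is not None and res.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), text))
    return rows


def summarise(rows):
    """Count results per outcome and list failing rules as (severity, id)."""
    counts = Counter(result for _, _, result in rows)
    failures = sorted((sev, rid) for rid, sev, result in rows if result == "fail")
    return counts, failures
```

`summarise(parse_rule_results(SAMPLE_RESULTS))` returns the outcome counts (2 fail, 1 pass, 1 notapplicable) and the two failing partition rules, which is the same information the Satellite HTML report aggregates per scan.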