Questions tagged [openscap]

Open source suite of SCAP tools

http://www.open-scap.org/page/Main_Page

SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It's our goal to create a framework of libraries and tools to improve the accessibility of SCAP and enhance the usability of the information it represents.

49 questions
1 vote, 1 answer

specificity in root account email requirement (xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias)

The test for xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias is looking specifically for root: system.administrator@mail.mil in /etc/aliases and OpenSCAP remediation automatically adds that. The real issue to address is to make…
1 vote, 2 answers

OpenSCAP ssh with keyfile

I would like to test a CentOS system with OpenSCAP run from my Windows PC. The problem is that I can ssh to the CentOS with keyfile only, as per company policy. I did not find whether SCAP workbench supports this. Can it be done or do I need ssh…
1 vote, 1 answer

How do I cross-reference OpenSCAP benchmarks to the CIS documentation?

I'm using the SCAP WorkBench, and have gone in to customize the CIS profile for RHEL 8. The benchmark items are clearly titled with things like "Modify the System Login Banner". The item properties even give the Security Identifier. But I cannot…
1 vote, 1 answer

Performing an OpenSCAP Remediation via a chroot session -- "Can't perform remediation in offline mode" Error

I am attempting to perform an OpenSCAP remediation through a chroot session. My command is structured as follows: oscap-chroot /mnt/chroot_fs \ xccdf eval \ --remediate \ --results results.xml \ --report report.html…
TJ Zimmerman
1 vote, 0 answers

Build SCAP files from reference system

The current way of dealing with a SCAP configuration file is unwieldy. Let's look at the process as I read it in the documentation: Take a starting config file (CIS, DISA STIG, OpenSCAP reference) Make changes manually to reflect reference at our…
Kenneth
1 vote, 1 answer

How to run OpenSCAP with my own PowerShell-script

I want to check if the screensaver on my Windows 10 Pro is active using my own PowerShell-script and OpenSCAP 1.3.2 (Windows version). I wrote such file test.xml:
0 votes, 1 answer

How to rollback after openscap remediation

What is the best practice to roll back after an openscap remediation that made the system unstable, other than to restore a system backup?
0 votes, 1 answer

OpenSCAP for windows target

I am searching for OpenSCAP support for windows target servers. Currently OpenSCAP does not allow to run scans locally against a Windows machine. Please check this post. But it does not have enough information on it. Does anyone know any workaround…
0 votes, 1 answer

not able to make SCE script working

I'm trying to use an SCE script in an openscap ds file and all I get is "notchecked" status. Here is my ds file:
0 votes, 1 answer

OpenSCAP reporting false for RHSA patches on Redhat6 Server x86_64

Did an OpenSCAP scan initially and was informed that the server had 16 hits on definitions that require patching. Performed yum update and rebooted said server and it's reflecting the newer version :2.6.32-696.20.1.el6.x86_64 after patching, re-did…
0 votes, 1 answer

OpenSCAP remediation won't boot

I am running OpenSCAP on a CentOS 6.9 box, after I run it and remediate the findings my machine won't boot. It gets to the CentOS splash screen and stops. When I hit Alt+d it will loop when loading the mouse. If I remove the mouse it stops after…
Rusht
0 votes, 2 answers

Using CIS Benchmarks with openscap

I am trying to get CIS Centos 6 benchmarks running with openscap. But it does not work. I am calling it like this: oscap oval eval /var/tmp/cis-cat-full/benchmarks/CIS_CentOS_Linux_6_Benchmark_v2.0.1-oval.xml which produces tons of output…
Isaac
0 votes, 0 answers

Removing CIS Level 2 RH profile from Rocky Linux 9

I have selected the Redhat CIS server level security profile during installation and now I am seeing a lot of restrictions. I would like to remove this security profile from my Rocky Linux 9. I have tested the Openscap scan and it's only 62% pass while having…
0 votes, 0 answers

oscap-ssh scanning ubuntu22.04 Result notapplicable

Please tell me if there are any options to check the workstation on ubuntu22.04 using openscap. I downloaded ssg for Ubuntu22.04, but when I try to check, I get a Result notapplicable on all points... I scan remotely, using oscap-ssh. Do you have…
0 votes, 1 answer

Can oscap tool be run on a container to scan the host VM?

Can the openscap's oscap tool be run on a container to scan the host VM? NOTE: It runs fine on the RHEL container (after install) Dockerfile FROM registry.access.redhat.com/ubi8/ubi:latest RUN yum -y update RUN yum -y install -y openscap-scanner…