Questions tagged [openscap]

Open source suite of SCAP tools

http://www.open-scap.org/page/Main_Page

SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It's our goal to create a framework of libraries and tools to improve the accessibility of SCAP and enhance the usability of the information it represents.

49 questions
0 votes, 0 answers

Does OpenSCAP have a feature to add comments on XCCDF scan findings?

I am new to OpenSCAP and I was wondering if OpenSCAP has a feature to add comments one could insert to XCCDF scan findings that could be updated and be viewed in reports? Is it also possible to add the comments from the command line…
Divya
0 votes, 1 answer

OpenSCAP Workbench customize Datastream Files

When I try to tailor this datastream file, I get the following error: Opened file '/Applications/scap-workbench.app/Contents/Resources/ssg/ssg-rhel7-ds.xml'. Error while opening file. There was a problem with ScanningSession! Failed to reload…
xtixmo
0 votes, 1 answer

Ubuntu 20.04 CIS xccdf benchmarks

I was hoping that someone knew where to find xccdf files for Ubuntu 20.04 with CIS benchmarks to run with Openscap. It looks like the out-of-the-box Openscap only includes RHEL, firefox, and java. I see that Ubuntu Security Guide might be an option,…
0 votes, 0 answers

OpenScap scan results are false-positive

I recently ran the OpenScap Audit scan on a SLES 12 machine, and the result seems to be false-positive. E.g. for these two checks: 1) Ensure sudo logfile exists - sudo logfile The description for this item mentions: A custom log sudo file can be…
anaigini
0 votes, 1 answer

oscap-chroot: offline mode is not supported by uname probe

We are trying to scan offline mounts using oscap-chroot on Ubuntu 20, but we are getting the following error: W: oscap: Requested offline mode is not supported by uname probe. Can you please help resolve this issue?
0 votes, 1 answer

How do I use a certain remediation shell script in SCAP Workbench

I am new to SCAP Workbench and I am trying it out for the first time. I was wondering how do I use the remediation shell script for just one issue.
0 votes, 1 answer

Openscap on RHEL access to older policies?

Currently using Openscap on some RHEL8.6 servers. I have a need to use / check older policies. Currently the package comes with CIS Linux 8 Benchmark™, v2.0.0, released 2022-02-23. Is it possible to use the older V1.x.x CIS policy? If so where can I…
AndyM
0 votes, 1 answer

Can OpenScap generate 1 report compiling multiple results?

Sample command to evaluate: $ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml Sample command to remediate: $ oscap xccdf remediate --results…
psyntium
0 votes, 1 answer

Generating plain-text report in OpenSCAP

I have set up OpenSCAP for compliance testing. Right now I am generating xml and html reports. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_custom --results-arf results.xml --report report.html ssg-centos7-custom.xml I really need…
0 votes, 1 answer

OpenScap Debian 10 Benchmarks

The latest openscap package I downloaded for Debian 10 does not include a datastream or benchmark for Debian 10. The latest release they have is Debian 8 and I get "Not Applicable" when using this for the scan. Can someone tell me how I can get the…
0 votes, 1 answer

Issues using SCAP Workbench on Fedora 35

I have an issue with installing and running Flatpaks because I installed SCAP Workbench which changed my default system settings (Fedora 35).
0 votes, 2 answers

OSCAP doesn't work for remediation on Ubuntu 18.04 install

My oscap for Ubuntu 18.04 doesn't remediate with the commands or through the GUI through the SCAP Workbench: oscap xccdf eval --remediate -profile profilename xmlfilename. This checks and shows the results for each STIG configuration, but then at the…
evgam
0 votes, 2 answers

STIG validation -> group policy or user setting?

I'm trying to determine if the enforcement of a STIG rule is driven solely by group policy, or user setting, or some combination of both. By this, I mean that when a STIG rule is flagged as failing, and I correct the setting, the STIG rule still…
Jim Carr
0 votes, 1 answer

OpenSCAP for SLES 15 docker container and/or image

I see from this page that it is possible to scan either a running RHEL 7 docker container or the docker image. Is this only possible for RHEL 7 or can it be done for other operating systems? Specifically interested in SLES.
Jay
0 votes, 1 answer

Anaconda openscap addon scan

I added openscap addon in kickstart. After the iso is installed, I run the scan on one VM with addon and one without addon. The scan results don't have much difference. For instance, passed 64 vs 61. Both VMs are SELinux enabled. I don't know what I…