One of the features supported through OVAL (and Open-SCAP) is to generate fix scripts when a test has failed. The administrator can then verify this script (of course) and then execute it to correct wrong settings. So I decided to play around with this as well and enhanced the Gentoo Security Benchmark (XCCDF source) with some fixables (like for the sysctl settings). And lo and behold: the thing works ;-)
After evaluating the XCCDF (together with the OVAL document) against my system, I had Open-SCAP generate a fix script:
# oscap xccdf generate fix --result-id OSCAP-Test-Gentoo-Default xccdf-results.xml #!/bin/bash # OpenSCAP fix generator output for benchmark: Gentoo Security Benchmark # XCCDF rule: rule-sysctl-ipv4-forward echo 0 > /proc/sys/net/ipv4/ip_forward # generated: 2011-12-23T14:53:03+01:00 # END OF SCRIPT
Now isn’t that nice. But generating a fix script is one thing, maintaining the XCCDF and OVAL documents is a completely other picture.
One of the downsides that I talked about earlier already is that OVAL has quite an extensible language (it’s a large XML document). Although this extensibility is very flexible and powerful, when you want to add generic tests (like validating sysctl values or matching regular expressions in files) having to write over 30 lines of XML code for a single test is time-consuming at the least. So I quickly scripted something to help me maintain these settings.
The Generating OVAL documents with genoval.sh document explains this script (which is retrievable from my git repository) whose primary purpose is to transform a single line into the entire OVAL structure. With this script, I can now just say gentoo variable USE must contain ssl and it generates both the rules in the XCCDF as the OVAL statements in the OVAL document.
Okay, it’s a script, not a feature-full application, but at least it helps me (and perhaps others as well).
I installed openscap, then downloaded your XCCDF and OVAL files to my home directory, changed their extension to .xml. When I run
oscap xccdf generate fix --result-id OSCAP-Test-Gentoo-Default ~/scap-gentoo-xccdf.xmlas root, I get the following errorsWARNING: Processing an unresolved XCCDF document. This may have unexpected results.
No TestResult ‘OSCAP-Test-Gentoo-Default’. Aborting.
Why do I have this ?
Do you also plan to integrate the XCCDF and OVAL files to the openscap ebuild or submit them upstream?
Hi René,
You need to point it to the results file generated earlier (xccdf-results.xml), not the XCCDF file itself.
I do plan to integrate them in the ebuild later when they’re more fixed and had a few other looks on them as well. Submitting them upstream will take a little more since I then first want to have gentoo-specific probes and OVAL tests approved (the upstream patch would then contain both the XCCDF/OVAL as well as the probe definitions and such). For now, I abuse the system a bit and first have a script generate the necessary output only to parse the output file (rather than using direct probes for the information).