Skip to content

Latest commit

 

History

History
265 lines (200 loc) · 9.72 KB

README.md

File metadata and controls

265 lines (200 loc) · 9.72 KB

oscap-lxd

Usage

oscap-lxd instancename xccdf eval INPUT_CONTENT

Only source datastreams are supported as INPUT_CONTENT!

supported oscap options are:
  --profile
  --results
  --results-arf
  --report
  --tailoring-file

Example 1

The following command evaluates a Fedora instance as root. HTML report is written out as report.html on the local machine. Can be executed from any machine that has lxc and bash. The local machine does not need openscap installed.

./oscap-lxd my-fedora xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

The output:

Copying input file '/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml' to instance working directory '/tmp/tmp.yEsdWV54ry'...
ssg-fedora-ds.xml                                                                                                                                                                                            100%  683KB 683.2KB/s   00:00    
Starting the evaluation...
Title   gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result  fail

Title   Disable Prelinking
Rule    xccdf_org.ssgproject.content_rule_disable_prelink
Result  fail

Title   Shared Library Files Have Restrictive Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
Result  fail

Title   Shared Library Files Have Root Ownership
Rule    xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
Result  pass

Title   System Executables Have Restrictive Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
Result  pass

Title   System Executables Have Root Ownership
Rule    xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
Result  pass

Title   Direct root Logins Not Allowed
Rule    xccdf_org.ssgproject.content_rule_no_direct_root_logins
Result  notchecked

Title   Virtual Console Root Logins Restricted
Rule    xccdf_org.ssgproject.content_rule_securetty_root_login_console_only
Result  pass

Title   Serial Port Root Logins Restricted
Rule    xccdf_org.ssgproject.content_rule_restrict_serial_port_logins
Result  pass

Title   Only Root Has UID 0
Rule    xccdf_org.ssgproject.content_rule_no_uidzero_except_root
Result  pass

Title   Log In to Accounts With Empty Password Impossible
Rule    xccdf_org.ssgproject.content_rule_no_empty_passwords
Result  fail

Title   Password Hashes For Each Account Shadowed
Rule    xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow
Result  pass

Title   netrc Files Do Not Exist
Rule    xccdf_org.ssgproject.content_rule_no_netrc_files
Result  pass

Title   Password Minimum Length
Rule    xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Result  fail

Title   Password Minimum Age
Rule    xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
Result  fail

Title   Password Maximum Age
Rule    xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
Result  fail

Title   Password Warning Age
Rule    xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs
Result  pass

Title   Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule    xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable
Result  pass

Title   SSH Root Login Disabled
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Result  pass

Title   SSH Access via Empty Passwords Disabled
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result  pass

Title   SSH Idle Timeout Interval Used
Rule    xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result  pass

Title   SSH Client Alive Count Used
Rule    xccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result  pass

Title   Enable the NTP Daemon
Rule    xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result  fail

Title   Specify a Remote NTP Server
Rule    xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Result  fail

oscap exit code: 2
Copying back requested files...
report.html                                                                                                                                                                                                  100%  619KB 619.0KB/s   00:00    
Removing instance temporary directory...

Example 2

A more full example, uses a tailoring file and also copies back ARF, XCCDF results. The tailoring file is copied from local machine to instance.

./oscap-ssh my-fedora xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

The output:

Copying input file '/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml' to instance working directory '/tmp/tmp.yVy6snyC88'...
ssg-fedora-ds.xml                                                                                                                                                                                            100%  683KB 683.2KB/s   00:00    
Copying tailoring file 'ssg-fedora-ds-tailoring.xml' to instance working directory '/tmp/tmp.yVy6snyC88'...
ssg-fedora-ds-tailoring.xml                                                                                                                                                                                  100% 1248     1.2KB/s   00:00    
Starting the evaluation...
Title   gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result  fail

Title   Disable Prelinking
Rule    xccdf_org.ssgproject.content_rule_disable_prelink
Result  fail

Title   Shared Library Files Have Restrictive Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_library_dirs
Result  fail

Title   Shared Library Files Have Root Ownership
Rule    xccdf_org.ssgproject.content_rule_file_ownership_library_dirs
Result  pass

Title   System Executables Have Restrictive Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs
Result  pass

Title   System Executables Have Root Ownership
Rule    xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs
Result  pass

Title   Direct root Logins Not Allowed
Rule    xccdf_org.ssgproject.content_rule_no_direct_root_logins
Result  notchecked

Title   Virtual Console Root Logins Restricted
Rule    xccdf_org.ssgproject.content_rule_securetty_root_login_console_only
Result  pass

Title   Serial Port Root Logins Restricted
Rule    xccdf_org.ssgproject.content_rule_restrict_serial_port_logins
Result  pass

Title   Only Root Has UID 0
Rule    xccdf_org.ssgproject.content_rule_no_uidzero_except_root
Result  pass

Title   Log In to Accounts With Empty Password Impossible
Rule    xccdf_org.ssgproject.content_rule_no_empty_passwords
Result  fail

Title   Password Hashes For Each Account Shadowed
Rule    xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow
Result  pass

Title   netrc Files Do Not Exist
Rule    xccdf_org.ssgproject.content_rule_no_netrc_files
Result  pass

Title   Password Minimum Length
Rule    xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Result  fail

Title   Password Minimum Age
Rule    xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
Result  fail

Title   Password Maximum Age
Rule    xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
Result  fail

Title   Password Warning Age
Rule    xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs
Result  pass

Title   Ensure that Root's Path Does Not Include World or Group-Writable Directories
Rule    xccdf_org.ssgproject.content_rule_root_path_no_groupother_writable
Result  pass

Title   SSH Root Login Disabled
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_root_login
Result  pass

Title   SSH Access via Empty Passwords Disabled
Rule    xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result  pass

Title   SSH Idle Timeout Interval Used
Rule    xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result  pass

Title   SSH Client Alive Count Used
Rule    xccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result  pass

Title   Enable the NTP Daemon
Rule    xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result  fail

Title   Specify a Remote NTP Server
Rule    xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Result  fail

oscap exit code: 2
Copying back requested files...
results-xccdf.xml                                                                                                                                                                                            100%  475KB 474.8KB/s   00:00    
results-arf.xml                                                                                                                                                                                              100% 1164KB   1.1MB/s   00:00    
report.html                                                                                                                                                                                                  100%  619KB 619.0KB/s   00:00    
Removing instance temporary directory...

oscap-ssh port for lxd

This script does exactly the same as oscap-ssh did:

  • Instead of ssh to a machine lxc exec is called to an instance
  • Instead of scp to a machine lxc file push/pull is called to an instance