oscap-ssh - remote oval and xccdf evaluation #69

Merged
merged 21 commits into from Apr 30, 2015

3 participants
Member

mpreisler commented Apr 18, 2015

Introduction

This pull request adds oscap-ssh - a portable bash script that requires just bash, ssh, scp and mktemp to perform OVAL and XCCDF evaluation of remote machines. The remote machine has to have oscap installed and in $PATH. This can be accomplished by installing openscap-scanner (or openscap-utils if openscap-scanner is not available).

What follows is a walk through a typical usage of the script. The output has been shortened for brevity. OVAL evaluation would be very similar, the documentation included in the script should be enough to get it working.

Usage (XCCDF eval)

oscap-ssh user@host 22 xccdf eval INPUT_CONTENT

Only source datastreams are supported as INPUT_CONTENT!

supported oscap options are:
  --profile
  --results
  --results-arf
  --report
  --tailoring-file

Example 1

The following command evaluates a remote Fedora machine as root. HTML report is written out as report.html on the local machine. Can be executed from any machine that has ssh, scp and bash. The local machine does not need openscap installed.

./oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

The output:

Connecting to 'root@192.168.1.13' on port '22'...
root@192.168.1.13's password: 
Connected!
Copying input file '/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml' to remote working directory '/tmp/tmp.yEsdWV54ry'...
ssg-fedora-ds.xml                                                                                                                                                                                            100%  683KB 683.2KB/s   00:00    
Starting the evaluation...
Title   gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result  fail

[snip]

Title   Enable the NTP Daemon
Rule    xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result  fail

Title   Specify a Remote NTP Server
Rule    xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Result  fail

oscap exit code: 2
Copying back requested files...
report.html                                                                                                                                                                                                  100%  619KB 619.0KB/s   00:00    
Removing remote temporary directory...
Disconnecting ssh and removing master ssh socket directory...

Example 2

A fuller example that uses a tailoring file and also copies back the ARF and XCCDF results. The tailoring file is copied from the local machine to the remote one.

./oscap-ssh root@192.168.1.13 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_common --report report.html --results results.xml --results-arf arf.xml --tailoring-file ssg-fedora-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

The output:

Connecting to 'root@192.168.1.13' on port '22'...
root@192.168.1.13's password: 
Connected!
Copying input file '/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml' to remote working directory '/tmp/tmp.yVy6snyC88'...
ssg-fedora-ds.xml                                                                                                                                                                                            100%  683KB 683.2KB/s   00:00    
Copying tailoring file 'ssg-fedora-ds-tailoring.xml' to remote working directory '/tmp/tmp.yVy6snyC88'...
ssg-fedora-ds-tailoring.xml                                                                                                                                                                                  100% 1248     1.2KB/s   00:00    
Starting the evaluation...
Title   gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result  fail

[snip]

Title   Enable the NTP Daemon
Rule    xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result  fail

Title   Specify a Remote NTP Server
Rule    xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server
Result  fail

oscap exit code: 2
Copying back requested files...
results-xccdf.xml                                                                                                                                                                                            100%  475KB 474.8KB/s   00:00    
results-arf.xml                                                                                                                                                                                              100% 1164KB   1.1MB/s   00:00    
report.html                                                                                                                                                                                                  100%  619KB 619.0KB/s   00:00    
Removing remote temporary directory...
Disconnecting ssh and removing master ssh socket directory...

TODO

I don't consider this ready to be merged. There are 2 minor things that need to be finished before that.

  • make install support - this script should be installed alongside scap-as-rpm
  • --help support - the usage description should be displayed if user uses -h or --help as the only parameter

This pull request can in the meantime serve as a discussion hub. Reviews, suggestions for improvement or any other feedback from anyone highly appreciated!
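An added example, not part of the pull request or of the oscap-ssh script: a POSIX shell filter that reads the Title/Rule/Result records and the `oscap exit code:` line shown in the outputs above, lists rule ids by result, and maps the exit code to a verdict (oscap documents 0 as all rules passed, 1 as an evaluation error, 2 as at least one rule with a fail or unknown result). The function names and the embedded sample are constructed for illustration.

```shell
# Added example, not oscap-ssh code. Function names are hypothetical.
# Constructed sample in the shape of the shortened output in the post.
sample_output() {
cat <<'EOF'
Title   gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result  pass

Title   gpgcheck Enabled For All Yum Package Repositories
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
Result  fail

Title   Enable the NTP Daemon
Rule    xccdf_org.ssgproject.content_rule_service_ntpd_enabled
Result  fail

oscap exit code: 2
EOF
}

# Print the rule ids whose Result equals $1 (for example: fail).
rules_with_result() {
    awk -v want="$1" '
        $1 == "Rule"   { rule = $2 }
        $1 == "Result" { if ($2 == want && rule != "") print rule; rule = "" }'
}

# Extract N from the "oscap exit code: N" line printed by oscap-ssh.
oscap_exit_code() { awk -F': ' '/^oscap exit code: / { print $2 }'; }

# Map the exit code of "oscap xccdf eval" to a verdict.
verdict() {
    case "$1" in
        0) echo compliant ;;     # every rule passed
        1) echo scan-error ;;    # the evaluation itself failed
        2) echo noncompliant ;;  # at least one rule is fail or unknown
        *) echo unknown ;;       # no exit code line was captured
    esac
}

# Read captured output on stdin, print "<verdict> failed=<count>".
summarise() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | oscap_exit_code)
    failed=$(printf '%s\n' "$out" | rules_with_result fail | wc -l | tr -d ' ')
    echo "$(verdict "$code") failed=$failed"
}
sample_output | summarise
```

Treating a missing exit code line as `unknown` rather than as a pass keeps a dropped connection or truncated capture from being recorded as a compliant host.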

Member

mpreisler commented Apr 19, 2015

I have finished the TODO tasks outlined in the first post. In my opinion the pull request is ready for merging.

I'd also like to suggest that oscap-vm and oscap-container be done with similar command line syntax - oscap-vm my_virtual_machine xccdf eval ..., oscap-container my_container xccdf eval .... Having the vm_id or container_id as the first argument makes it easy to store the id and shift arguments, thus getting all arguments to pass to oscap.

utils/oscap-ssh
SSH_HOST="$1"
SSH_PORT="$2"
if [ "$3" == "--v" ]; then
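Review bot: SSH_HOST and SSH_PORT are assigned from "$1" and "$2" with no visible check that both arguments were given or that the port is a number, and the test on "$3" matches only the literal --v. Consider rejecting a missing host or a non-numeric port with the usage text before this point, and comparing with = (or [[ ... ]]) against each spelling of the flag that the script documents.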

jan-cerny Apr 20, 2015

Member

It should also support --version

Member

jan-cerny commented Apr 20, 2015

Looks great!

Member

jan-cerny commented Apr 20, 2015

I spent some time playing with this script, and everything worked for me.

Member

jan-cerny commented Apr 20, 2015

When trying to turn off the virtual machine, GNOME tells me that some other users are still connected remotely.

Member

isimluk commented Apr 29, 2015

lgtm, except for the issues raised by Jan.

Member

mpreisler commented Apr 29, 2015

OK, let me reiterate my new TODO so I don't forget :-)

  • --version
  • -h and --help for the remote oscap
  • exit properly, use -O exit instead of passing the exit command to remote host, similar to what SCAP Workbench is doing [1]

I expect more oscap options to be missing. Those can be added later as people discover them.

[1] https://github.com/OpenSCAP/scap-workbench/blob/055a9eadc561ebfa57218729ad3110d84b17a045/src/RemoteSsh.cpp#L184

mpreisler added some commits Apr 29, 2015

Support remote -h and --help in oscap-ssh
Yes, it's useless but the docs say -h and --help is supported
and it's too confusing to explain that it's only supported
locally.

Member

mpreisler commented Apr 29, 2015

All remaining tasks have been fixed with the latest 3 commits.

@jan-cerny, @isimluk, thanks for the review!

isimluk added a commit that referenced this pull request Apr 30, 2015

Merge pull request #69 from mpreisler/oscap_ssh
oscap-ssh - remote oval and xccdf evaluation

@isimluk isimluk merged commit df4e88c into OpenSCAP:maint-1.2 Apr 30, 2015
