[Xccdf-dev] Need help to add platform specific profiles in xccdf file

Manikandan Rajamanickam
Hi,

I am working on adding compliance checks specific to my product.
The OS is Solaris and it has a compliance benchmark called solaris
and a baseline profile. I am planning to add new checks specific to my
product as part of the baseline profile. I don't have much understanding
of the xccdf.xml file and need some help.
My plan is to add a new platform CPE entry for my application and use
it in the xccdf.xml file, so that these new checks will run only when my
application runs. Can I use the platform CPE entry to select different
<Profiles> or <Groups>? Is it possible? Or are there any other means
to achieve the same?

Thanks
Mani

_______________________________________________
XCCDF-dev mailing list
[hidden email]
To unsubscribe, send an email message to [hidden email].
Re: [Xccdf-dev] Need help to add platform specific profiles in xccdf file

Preeti Subramanian
Hi Mani,

One way to achieve your requirement is to create a profile for your specific CPE and select that profile to run all the rules corresponding to that CPE. You could choose the -P option to execute XCCDF. In a Profile you would have title, description, and xccdf:select tags, which specify the attribute idref pointing to Rule ids. In a Group, you can provide a Value that specifies a default and a list of configuration values. In a Rule, you would provide the value id and the OVAL id that collects information.

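Rule looks like:
<xccdf:Rule id="ruled" selected="true" weight="10.0" severity="severity">
  <xccdf:title>..</xccdf:title>
  <xccdf:description>..</xccdf:description>
  <!-- check-export passes the XCCDF Value to the OVAL variable; check-content-ref names the OVAL definition -->
  <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <xccdf:check-export value-id="value-id" export-name="oval_var_id"/>
    <xccdf:check-content-ref href="oval.xml" name="oval_def_id"/>
  </xccdf:check>
</xccdf:Rule>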

Hence the XCCDF benchmark would verify whether the value matches the one collected by the OVAL compliance definition run on the system.

Your XCCDF might look like this..

<xccdf:Benchmark>
 .
 .
  <xccdf:platform idref="cpe:/your_cpe" />
 .
 .
  <xccdf:Profile id="profileid">
    <xccdf:title>title</xccdf:title>
    <xccdf:description>desc</xccdf:description>
    <xccdf:select idref="rule1" selected="true" />
 .
 .
  </xccdf:Profile>
  <xccdf:Group id="..">
    <xccdf:Value>..
    </xccdf:Value>
    <xccdf:Rule id="rule1"..> ...as in example...
    </xccdf:Rule>
 .
 .
  </xccdf:Group>
</xccdf:Benchmark>
 
Hope this helps.

Preeti Subramanian

Saner Personal
A free vulnerability mitigation software. Build strong defense.


Re: [Xccdf-dev] Need help to add platform specific profiles in xccdf file

Robb Delaney

For the love of God, how do we get off this email list?


😊


Thank you,

Robb Delaney
Call Architect
HighPoint
M:(317) 605-7780
O: (443) 316-5253
[hidden email]

Re: [Xccdf-dev] Need help to add platform specific profiles in xccdf file

Charles Schmidt (MITRE)
Administrator
mailto:[hidden email]?body=unsubscribe%20xccdf-dev

Please use the above link to unsubscribe if you wish. Be sure to have the email sent from the account that is receiving the XCCDF dev messages.

Charles

Re: [Xccdf-dev] Need help to add platform specific profiles in xccdf file

David Solin-3
In reply to this post by Manikandan Rajamanickam
XCCDF is designed to allow authors to associate content-defined platforms with specific groups and rules.

Look at the USGCB Windows-7 content for example. It defines a platform “bluetooth_not_enabled” in the cpe2:platform_specification tag, and it is used to platform-enable/disable the group “xccdf_gov.nist_group_conditional_bluetooth_not_enabled”.

See: https://usgcb.nist.gov/usgcb/content/scap/oval510/Win7-2.0.5.1.zip

Best regards,
—David Solin

David A. Solin
Co-Founder, Research & Technology
[hidden email]

Joval Continuous Monitoring
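
A minimal benchmark showing the mechanism described above, a content-defined platform that gates a group, as an added example that is not part of the original post or of the USGCB content. It assumes XCCDF 1.2 with the CPE applicability language; every id, file name and OVAL definition id is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: all ids, file names and OVAL definition ids are placeholders. -->
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           xmlns:cpe2="http://cpe.mitre.org/language/2.0"
           id="xccdf_org.example_benchmark_solaris" xml:lang="en">
  <status>draft</status>
  <title>Solaris baseline with product-specific checks</title>

  <!-- Content-defined platform: true only when the referenced OVAL
       definition (one that detects the application) is true on the target. -->
  <cpe2:platform-specification>
    <cpe2:platform id="myapp_present">
      <cpe2:logical-test operator="AND" negate="false">
        <cpe2:check-fact-ref
            system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
            href="myapp-cpe-oval.xml"
            id-ref="oval:org.example.myapp:def:1"/>
      </cpe2:logical-test>
    </cpe2:platform>
  </cpe2:platform-specification>

  <version>0.1</version>

  <!-- The profile selects the rule unconditionally; applicability is decided
       per target by the platform on the enclosing group. -->
  <Profile id="xccdf_org.example_profile_baseline">
    <title>Baseline</title>
    <select idref="xccdf_org.example_rule_myapp_config_mode" selected="true"/>
  </Profile>

  <Group id="xccdf_org.example_group_myapp">
    <title>Checks that apply only where the application is present</title>
    <!-- "#" followed by the platform id refers to the cpe2:platform above. -->
    <platform idref="#myapp_present"/>
    <Rule id="xccdf_org.example_rule_myapp_config_mode" selected="false"
          severity="medium" weight="10.0">
      <title>Application configuration file has restrictive permissions</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="myapp-oval.xml"
                           name="oval:org.example.myapp:def:100"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
```

On a target where the OVAL definition behind myapp_present is false, the rule in this group is reported as not applicable rather than being evaluated.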

Re: [Xccdf-dev] Need help to add platform specific profiles in xccdf file

Manikandan Rajamanickam
Hi David,

Thanks a lot for the details, this is sort of what I needed. I added the platform tag as you mentioned to enable/disable the group. One thing I noticed is that when my application is not running, the rules under the group that I created for my application are reported as "not applicable"; they were not actually disabled, and I could still see the rules/tests in the final HTML report under the not applicable category.
In the Baseline profile I have set the rules' idref option selected="true"; it would be nice if I could set the selected option to false when there is no matching platform on the system. Maybe this will completely eliminate the listing of tests in the final HTML report.
I am new to XCCDF, please bear with me on these questions. Thanks a lot for your help on this.

Thanks,
Mani

Re: [Xccdf-dev] Need help to add platform specific profiles in xccdf file

David Solin-3
Perhaps you’re experiencing a limitation of the tool you’re using?  According to the specification, you should get a not applicable result when there’s no platform match.


David A. Solin
Co-Founder, Research & Technology
[hidden email]

Joval Continuous Monitoring
