OpenSCAP and SCAP Workbench on Windows – part 2

Go to Part 1

Remote scanning

I have made some progress with remote scanning but there still are issues that prevent convenient usage. Right now workbench on Windows can:

  • login to the remote machine
  • query oscap capabilities and parse them
  • copy input content to the remote machine (ssh+tee)
  • start the scan
  • copy remote results back to the local machine

remote-scan-from-windows-1

So it seems remote scan is working fine, right? The issue is that ssh continuously asks for login over and over again. This is not such an issue if you have a private key setup but if you login with username and password this is a major pain. You have to type the password in a dozen of times, each time for one performed action. To make matters worse, setting up ssh private key in cygwin ssh isn’t straightforward at all.

The issue stems from the fact that it seems cygwin ssh does not support ControlMaster and ControlPath options. Right now I am researching alternatives but haven’t found anything suitable yet. Suggestions welcome.

Windows content tailoring

However I also have good news 🙂

NIST has released release candidate of the upcoming USGCB content for Microsoft products. At first workbench failed to open it, claiming there are referenced tests that are non-existent. Turns out openscap had some of the Windows specific OVAL enumeration strings missing and/or wrong. This has been fixed in openscap master branch.

OpenSCAP and SCAP Workbench from master branches can now open the upcoming USGCB content for Windows 7. Furthermore, workbench can customize Windows-specific content and save the result for later use.

windows-tailoring-1 windows-tailoring-2 windows-tailoring-3

I have performed profile customization of the Windows 7 USGCB profile and saved it to a tailoring file, here is how the resulting file looks like:

<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="C:/Users/mpreisle/Desktop/USGCB-Windows/Win7-2.0.5.1-rc1/scap_gov.nist_USGCB-Windows-7.xml"/>
  <xccdf:version time="2015-03-02T17:28:53">1</xccdf:version>
  <xccdf:Profile id="xccdf_gov.nist_profile_united_states_government_configuration_baseline_version_2.0.5.1_customized" extends="xccdf_gov.nist_profile_united_states_government_configuration_baseline_version_2.0.5.1">
    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">United States Government Configuration Baseline 2.0.5.1 [CUSTOMIZED]</xccdf:title>
    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile represents guidance outlined in United States Government Configuration Baseline for desktop systems with Microsoft Windows 7 installed.</xccdf:description>
    <xccdf:select idref="xccdf_gov.nist_group_security_options_settings" selected="false"/>
    <xccdf:select idref="xccdf_gov.nist_group_system_services_settings" selected="false"/>
    <xccdf:set-value idref="xccdf_gov.nist_value_auto_admin_logon_var">1</xccdf:set-value>
    <xccdf:set-value idref="xccdf_gov.nist_value_router_discovery_var">1</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>

Executables for testing

Please keep in mind that this is a preliminary release that is in no way official. It just shows what is possible right now and allows me to outline future plans. You should NOT use this in production!

scap-workbench-win32-prealpha2.zip

You need to edit scap-workbench.bat if you want to try remote scanning. Right now workbench requires absolute path to win-ssh-askpass.exe and I am too much of a Windows scripting newbie to do it automatically 🙂 This will be fixed later. The executable is in the bin folder in the zip file.

One thought on “OpenSCAP and SCAP Workbench on Windows – part 2”

  1. Hi, I am using OpenScap Workbench on windows 7 and for some reason it uses my AD credentials to scan a server, even though I put root as the username, please advise

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.