Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove obsolete documentation #2128

Merged
merged 1 commit into from
Jun 25, 2024
Merged

Remove obsolete documentation #2128

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
101 changes: 0 additions & 101 deletions docs/manual/manual.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1940,107 +1940,6 @@ U_RHEL_7_V3R2_STIG_SCAP_1-2_Benchmark.xml
If you are interested in DISA STIG content for other systems please refer to
https://public.cyber.mil/stigs/downloads/[DoD Cyber Exchange].

=== How to Evaluate United States Government Configuration Baseline (USGCB)
NOTE: NIST offers no official USGCB for RHEL6 as of September 2014 but you can
acquire the content from the {ssg_git}[SSG] project.

The USGCB content for represents Tier IV Checklist for Red Hat
Enterprise Linux 5 (as defined by NIST Special Publication 800-70).

WARNING: Proper evaluation of the USGCB document requires OpenSCAP version 0.9.1
or later.

After ensuring that version of OpenSCAP on your system is
sufficient, perform the following tasks:

1) Download the USGCB content.
------------------------------------------------------------------------------
$ wget http://usgcb.nist.gov/usgcb/content/scap/USGCB-rhel5desktop-1.2.5.0.zip
------------------------------------------------------------------------------

2) Unpack the USGCB content.
--------------------------------------
$ unzip USGCB-rhel5desktop-1.2.5.0.zip
--------------------------------------

3) Run evaluation of the USGCB content.
----
$ oscap xccdf eval \
--profile united_states_government_configuration_baseline \
--cpe usgcb-rhel5desktop-cpe-dictionary.xml \
--oval-results \
--fetch-remote-resources \
--results results.xml \
usgcb-rhel5desktop-xccdf.xml
----

4) Generate a scan report that is readable in a web browser.
-----
$ oscap xccdf generate report --output report.html results.xml
-----

Additional reports can be generated from detailed OVAL result files.
Scanner outputs OVAL results files in the current directory, for each
OVAL file on input there is one output. In case of USGCB, there is
one OVAL file distributed along the XCCDF, another one which is
downloaded from Red Hat Repository. The latter contains CVE information
for each evaluated definition.

----
$ oscap oval generate report --output oval-report-1.html usgcb-rhel5desktop-oval.xml.result.xml
$ oscap oval generate report --output oval-report-2.html http%3A%2F%2Fwww.redhat.com%2Fsecurity%2Fdata%2Foval%2Fcom.redhat.rhsa-all.xml.result.xml
----

If you're interested in running evaluation of the USGCB on a remote machine using
a GUI please see:
https://open-scap.org/resources/documentation/evaluate-remote-machine-for-usgcb-compliance-with-scap-workbench/[Evaluate
Remote Machine for USGCB Compliance with SCAP Workbench] tutorial.


=== How to Evaluate Third-Party Guidances
The SCAP content repository hosted at {nvd}[National Vulnerability Database]
(NVD) can be searched for publicly available guidances for a given
product. For example, as per 2013/05/11 there are
http://web.nvd.nist.gov/view/ncp/repository?tier=3&product=Red+Hat+Enterprise+Linux+5[two]
Tier III checklists for Red Hat Enterprise Linux 5. Analogously, the
MITRE Corp. hosts http://oval.mitre.org/rep-data/[repository] of OVAL
content for various platforms, sorted by versions and classes.

Likewise the USGCB, any downloaded guidance can be evaluated by
OpenSCAP.

* Examplary evaluation of DoD Consensus Security Configuration Checklist
for Red Hat Enterprise Linux 5 (2.0)
----
$ wget http://nvd.nist.gov/ncp/DoD-RHEL5-desktop.zip
$ unzip DoD-RHEL5-desktop.zip
$ oscap xccdf eval \
--profile DOD_baseline_1.0.0.1 \
--cpe dcb-rhel5_cpe-dictionary.xml \
--results result.xml \
--oval-results \
dcb-rhel5_xccdf.xml
----

* Examplary evaluation of Red Hat 5 STIG Benchmark (Version 1, Release 12)
----
$ wget http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_5_V1R12_STIG_SCAP_1-1_Benchmark.zip
$ unzip U_RedHat_5_V1R12_STIG_SCAP_1-1_Benchmark.zip
$ oscap xccdf eval \
--profile MAC-2_Public \
--cpe U_RedHat_5_V1R12_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml \
--results result.xml \
--oval-results \
U_RedHat_5_V1R12_STIG_SCAP_1-1_Benchmark-xccdf.xml
----

Furthermore, any individual file from the archive can be inspected using
the `oscap info` command line option. The oscap program does not have
the concept of importing SCAP files, therefore it can process any SCAP
files available on the filesystem. That is possible because the SCAP
standard files are native file formats of the OpenSCAP.


=== How to check that patches are up-to-date on Red Hat Enterprise Linux 6 or 7
This section describes how to check that software patches are up-to-date using
external OVAL content.
Expand Down
Loading