OSCAP SCAP policies


The Trust Framework says regarding the Provisional Network that the Steward MUST run a weekly report using the oscap tool using the SCAP policies approved by the Sovrin Foundation’s Technical Governance Board and must email the results to the TGB.

The SCAP policies do not exist. I used the GovReady Policy from here: https://github.com/GovReady/ubuntu-scap on a Ubuntu 16.04 machine.
It should be easy to adapt this policy to Sovrin needs and put it on the Sovrin github.


When the provisional trust framework was drafted, we intended to use the OSCAP tool on all linux-based validators. However, after we experimented a bit, we realized that OSCAP’s a bit problematic on distros that are not RedHat-derived. It can be used on ubuntu, but only with some serious compiler kung-fu and some undocumented and maintenance-challenged steps. (It’s easy to audit a ubuntu box if you’re running the tool over ssh from a Fedora/CentOS/RedHat box, but not easy to do the audit directly from ubuntu.)

Accordingly, we ended up writing a python script that implemented the same checks, but that wasn’t so distro-dependent.

If we had a community member who could teach us how to make OSCAP work easily on ubuntu, we would gladly cut over. We have some policies and could cross-check them against your GovReady ones…


I did not encounter any difficulties on Ubuntu 16.04 and can look up later today what I actually did.
What I found is that the tests do not fit the Ubuntu cloud image I used as the basis of the VM.
e.g. the tests complain that /usr/bin/at is not owned by root, but I think that this is not a problem because on my machine “at” is owned by “daemon”.

I think the real work is adapting the rules to 16.04 and newer and improving them in general.


I did
sudo apt-get install libopenscap8
and cloned the ubuntu scap repo
git clone https://github.com/GovReady/ubuntu-scap.git
Then I ran the tests there, which do not really apply to my system.


I installed openscap and the scap-security-guides again on a fresh Ubuntu 16.04 machine.

sudo apt-get install -y autoconf automake libtool make libdbus-1-dev libdbus-glib-1-dev libcurl4-openssl-dev libgcrypt20-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev python-dev swig libxml-parser-perl libxml-xpath-perl libperl5.22 libbz2-dev librpm-dev
sudo apt-get install -y cmake expat libxml2-utils xsltproc
mkdir ~/dev && cd ~/dev
git clone https://github.com/OpenSCAP/openscap.git
cd openscap && ./autogen.sh && ./configure && make
sudo make install
cd ~/dev
git clone https://github.com/OpenSCAP/scap-security-guide
cd scap-security-guide/build
cmake ../
make -j4 ubuntu1604
sudo make install
oscap xccdf eval --profile anssi_np_nt28_high --results 20171219-anssi_np_nt28_high.xml --report 20171219-anssi_np_nt28_high.html --cpe=/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml

No Kung-Fu needed.
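However the tool gets built, the weekly report the Trust Framework asks for still has to be pulled out of the XML that `oscap xccdf eval --results` writes. As an added example (not from this thread and not OpenSCAP's own code), the script below parses an XCCDF 1.2 results file, counts rule outcomes, and lists the rules that still need a steward's attention; the embedded results file and its rule ids are constructed placeholders, not real ssg-ubuntu1604 content.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample shaped like the <TestResult> oscap appends to the benchmark;
# the rule ids are placeholders, not taken from the real ssg-ubuntu1604 content.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult" end-time="2017-12-19T10:01:00">
    <profile idref="xccdf_example_profile_anssi_np_nt28_high"/>
    <rule-result idref="xccdf_example_rule_file_owner_at" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_selinux_state" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_aide_installed" severity="medium">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def summarise(xml_text):
    """Return counts per result state plus the rules that still need a human look."""
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element; was oscap run with --results?")
    profile = test_result.find("x:profile", NS)
    counts, attention = Counter(), []
    for rr in test_result.findall("x:rule-result", NS):
        state = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[state] += 1
        # pass/notapplicable are clean; notchecked (no check for this platform) is flagged too
        if state not in ("pass", "notapplicable"):
            attention.append((rr.get("idref"), rr.get("severity", "unknown"), state))
    return {"profile": profile.get("idref") if profile is not None else None,
            "counts": dict(counts), "attention": attention}

def render_report(summary):
    """Plain-text body for the weekly e-mail to the TGB: totals, then open items."""
    lines = ["Profile: %s" % summary["profile"], "Totals: %s" % sorted(summary["counts"].items())]
    lines += ["%-12s %-8s %s" % (state, sev, rid) for rid, sev, state in summary["attention"]]
    return "\n".join(lines)
```

Point `summarise` at the file named by `--results` (read it with `open(...).read()`) and the "notchecked" rows show directly which rules the distro-specific content does not cover yet.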


It sounds like the yucky compiler workarounds that used to be necessary have been eliminated. This is good news.


Next stop could be to see which checks in steward_tech_check.py are covered by scap policies and which need to be created.