IT-bestpractices / root

This is our root repository.

Incorporate other sources of XML format "Security as Code" #1

Closed bknowles closed 9 years ago

bknowles commented 9 years ago

The NIST National Vulnerability Database lists 9 Tier IV checklists and 72 Tier III checklists. These should work in any SCAP-compliant tool.

The Center for Internet Security Benchmarks have over 35 XML-format checklists, which should likewise be functional in any SCAP-compliant tool.

If you're going to use this format for your code, you might want to reference other known repositories for these things, or incorporate their content here.

Alan-R commented 9 years ago

Thanks Brad!

On 06/24/2015 07:06 PM, Brad Knowles wrote:

> The NIST National Vulnerability Database lists 9 Tier IV checklists https://web.nvd.nist.gov/view/ncp/repository?tier=4&startIndex=0 and 72 Tier III checklists https://web.nvd.nist.gov/view/ncp/repository?tier=3&startIndex=0. These should work in any SCAP-compliant tool https://nvd.nist.gov/scapproducts.cfm.
>
> The Center for Internet Security Benchmarks https://benchmarks.cisecurity.org/downloads/ have over 35 XML-format checklists, which should likewise be functional in any SCAP-compliant tool.

The CIS checklists are not freely available. They are "Available to CIS Security Benchmarks Members", which presumably means they can't share them, nor could I if I had access. This is part of why I've started this effort. It's intended to be collaborative, and freely available - i.e., FOSS-like. Thanks for collaborating!

> If you're going to use this format for your code, you might want to reference other known repositories for these things, or incorporate their content here.

I'm all for getting as much as I can from elsewhere. I'm using that format as fodder for the data, not as my preferred format (I'm not a big fan of XML). I wrote that code mainly to save me time and effort for importing the data.

I knew about the other NIST checklists. I believe I downloaded all of the publicly available ones in a zip file. Some can't be posted on any web site - "for official use only". I just started with one sample based on RedHat to make sure that I understood it enough to reformat it into JSON. Strangely enough, SCAP doesn't appear to have any provisions for multiple languages. I made sure my JSON format accommodates that.

Also, many of the NIST checks aren't RedHat specific, so someone needs to promote those up higher in the directory structure to either the Linux or the POSIX levels. Do I hear any volunteers? ;-)

This is also something that's lost in the NIST approach. They really only care about Red Hat (from a Linux perspective). They are also very version specific. If a particular test applies differently on RHEL6 for example, I can demote it to a subdirectory, but I started out with the idea that most were probably not RHEL6-specific. My general reaction is that if a test depends on a feature that's not present in RHEL5, for example, that it's not version-specific. There are always tests that don't apply unless you have something installed or activated.

Thanks for the suggestion!

While we're at it, another source of IT best practices is the open source Lynis project, which also has code for hundreds of best practices. I'm not so sure about the text describing them.
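The comment above describes importing SCAP/XCCDF checklist XML and reformatting it into JSON with room for multiple languages and per-platform (e.g. RHEL6-only) tests. The script below is an added illustration of that kind of import, not the repository's own importer or JSON schema: it parses a small constructed XCCDF-style document (the `xccdf_example_*` ids, the rule texts and the CPE are all made up for the sample), keeps every `xml:lang` variant of a rule's title and description, and records any `<platform>` restriction so a consumer can decide whether a test belongs at the Linux/POSIX level or in a version-specific subdirectory.

```python
import json
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace and the Clark-notation key ElementTree uses for xml:lang.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample benchmark (not a real NIST or CIS checklist); the ids,
# texts and CPE name are illustrative only.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <title>Sample Linux hardening checklist</title>
  <Rule id="xccdf_example_rule_sshd_root_login" severity="high">
    <title xml:lang="en">Disable SSH root login</title>
    <title xml:lang="de">SSH-Root-Login deaktivieren</title>
    <description xml:lang="en">Set PermitRootLogin to no in sshd_config.</description>
  </Rule>
  <Rule id="xccdf_example_rule_rhel6_only" severity="medium">
    <title xml:lang="en">RHEL6-specific check</title>
    <platform idref="cpe:/o:redhat:enterprise_linux:6"/>
  </Rule>
</Benchmark>
"""


def _localized(elem, tag):
    """Collect every <tag> child of elem into a {language: text} map.

    XCCDF allows one element per language, distinguished by xml:lang; a child
    without xml:lang is stored under 'default'. Only the element's own leading
    text is kept, so inline XHTML markup inside a description is not preserved.
    """
    out = {}
    for child in elem.findall(f"{{{XCCDF_NS}}}{tag}"):
        lang = child.get(XML_LANG, "default")
        out[lang] = (child.text or "").strip()
    return out


def xccdf_to_json(xml_text):
    """Convert an XCCDF 1.2 Benchmark string into a plain dict ready for json.dumps.

    For checklists obtained from untrusted sources, parse with the defusedxml
    package instead of xml.etree to avoid entity-expansion style problems.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}Benchmark":
        raise ValueError("not an XCCDF 1.2 Benchmark document")

    rules = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        rules.append({
            "id": rule.get("id"),
            "severity": rule.get("severity", "unknown"),
            "title": _localized(rule, "title"),
            "description": _localized(rule, "description"),
            # An empty list means the rule carries no platform restriction and is a
            # candidate for a generic (Linux/POSIX) directory rather than an OS-version one.
            "platforms": [p.get("idref") for p in rule.findall(f"{{{XCCDF_NS}}}platform")],
        })

    return {
        "benchmark": root.get("id"),
        "title": _localized(root, "title"),
        "rules": rules,
    }


if __name__ == "__main__":
    print(json.dumps(xccdf_to_json(SAMPLE_XML), indent=2, ensure_ascii=False))
```

Running the script prints the JSON for the sample: the first rule carries both an English and a German title and no platform, while the second rule has an empty description map and a single CPE platform entry, which is the signal an importer would use to file it under a RHEL6-specific subdirectory.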

bknowles commented 9 years ago

I fully agree with your view on XML. It's definitely not my favourite. And the NIST NVD approach seems to be very brittle to me.

The advantage here is that you can refer to these other efforts, and ensure that people who look at your stuff know that you have considered what else is available -- and why you consider that to be unsuitable for what you're doing. So, you don't continue to have people bugging you about the same things over and over again. ;)

Alan-R commented 9 years ago

Resolved this issue (or so I think) by commit https://github.com/IT-bestpractices/root/commit/3b598f5e5056a3eabc163efb69385f8c79d8af36. Brad, if you have further suggestions on the README, feel free to make changes and generate a pull request ;-).