typo and a question
by David Egts
Hi all,
I'm trying out SSG. Great work!
I think I noticed a typo. Search for "veal" here and I think it should be "eval"...
https://fedorahosted.org/scap-security-guide/
And now on to the question... :-)
Does SSG generate (or plan to generate) remediation content? Check the very bottom of this page for an example...
http://dev.gentoo.org/~swift/docs/genoval.xml
I tried "generate fix" with the SSG content, but the resulting script was empty. I guess I'm not sure if I'm doing something wrong, or if more needs to be added to SSG to provide remediation capabilities.
Thanks!
Dave
--
David D. Egts, RHCA, RHCSS #805007796228001
Principal Architect, Red Hat, Inc.
12 years, 1 month
RE: coming soon: consistency checking scripts
by Mike Palmiotto
> On 03/12/2012 10:26 PM, Shawn Wells wrote:
>> On 3/12/12 5:59 PM, Jeffrey Blank wrote:
>>> We'll shortly be committing a script to do checking for consistency
>>> between our OVAL and XCCDF. This should detect situations such as:
>>>
>>> 1)
>>> a reference from an XCCDF rule to an OVAL definition that doesn't
>>> exist.
>>>
>>> 2)
>>> an XCCDF rule exists (and is used in a profile) but doesn't include
>>> any reference to a check.
>>>
>>> 3)
>>> mismatch between filename and OVAL definition name (as this is an
>>> important convention for our approach to modular definitions)
>>
>> I think the following would be helpful too:
>>
>> 4)
>> An XCCDF rule exists and isn't used in a profile
>>
>> 5)
>> Any checks that are not present in an XCCDF rule
>> (I can't imagine there would actually be any of these given how we've
>> been making XCCDF then the checks, but it'd be good to watch for)
There doesn't seem to be a way to add new prose (i.e., from the SNAC guide) to the scap-security-guide, due to issues with well-formedness. File names, Linux keywords, and config file settings are wrapped in <xhtml:code> and <xhtml:pre> tags in ssg, but not in the SNAC guide, so anything that isn't well-formed within the SNAC prose breaks the xccdf.
There are also some cases where these settings are well-formed, but are still wrapped in the namespace (xhtml:code/pre) tags within the scap-security-guide. I'd like to keep the SNAC+scap-sec-guide merge consistent with the previous security-guide, but I can't seem to find an all-encompassing set of conditions to systematically add these tags where appropriate. I'm wondering if you guys know of a way to do this (other than manually).
If not, this would be great functionality to add for future use. If no one else is currently doing so, I'd like to work on it.
--Mike
12 years, 1 month
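The consistency checks listed in the quoted messages above (items 1, 2, 4 and 5), as an added example that is not part of the thread and is not the SSG project's own script. The XML documents are constructed and trimmed, the names `find_all` and `check_consistency` are hypothetical, and item 3 (filename versus definition name) is left out because it depends on the on-disk layout.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample documents (not schema-valid, not from the SSG repository).
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
 <Profile id="common">
  <select idref="rule_a" selected="true"/>
  <select idref="rule_b" selected="true"/>
  <select idref="rule_c" selected="true"/>
 </Profile>
 <Rule id="rule_a"><check><check-content-ref name="oval:x:def:1"/></check></Rule>
 <Rule id="rule_b"><check><check-content-ref name="oval:x:def:9"/></check></Rule>
 <Rule id="rule_c"/>
 <Rule id="rule_d"><check><check-content-ref name="oval:x:def:2"/></check></Rule>
</Benchmark>"""
OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:x:def:1"/><definition id="oval:x:def:2"/>
  <definition id="oval:x:def:3"/>
 </definitions>
</oval_definitions>"""

def find_all(root, name):
    """Match on local tag name so the XCCDF namespace version does not matter."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def check_consistency(xccdf_text, oval_text):
    xccdf, oval = ET.fromstring(xccdf_text), ET.fromstring(oval_text)
    defined = {d.get("id") for d in find_all(oval, "definition")}
    selected = {s.get("idref") for s in find_all(xccdf, "select")
                if s.get("selected") == "true"}
    # Map each rule id to the set of OVAL definition ids it references.
    refs = {rule.get("id"): {r.get("name") for r in find_all(rule, "check-content-ref")
                             if r.get("name")}
            for rule in find_all(xccdf, "Rule")}
    used = set().union(*refs.values())
    return {
        # 1) rule references an OVAL definition that does not exist
        "missing_oval_definition": sorted((r, d) for r, ds in refs.items()
                                          for d in ds - defined),
        # 2) rule is used in a profile but references no check
        "profiled_rule_without_check": sorted(r for r, ds in refs.items()
                                              if r in selected and not ds),
        "rule_not_in_profile": sorted(set(refs) - selected),      # 4)
        "unreferenced_oval_definition": sorted(defined - used),   # 5)
    }

if __name__ == "__main__":
    for finding, items in check_consistency(XCCDF, OVAL).items():
        print(finding, items)
```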