scap-security-guide March 2012

scap-security-guide@lists.fedorahosted.org

10 participants
16 discussions

Start a nNew thread

[PATCH 3/3] Created output/README
by Shawn Wells 17 Mar '12

17 Mar '12

1 0

[PATCH 2/3] Updated 'make clean' to remove content directories
by Shawn Wells 17 Mar '12

17 Mar '12

1 0

[PATCH 1/3] Added back in output/ and output/.gitignore
by Shawn Wells 17 Mar '12

17 Mar '12

1 0

[PATCH] Restructured output/ Directory
by Shawn Wells 17 Mar '12

17 Mar '12

1 0

typo and a question
by David Egts 14 Mar '12

14 Mar '12

Hi all, I'm trying out SSG. Great work! I think I noticed a typo. Search for "veal" here and I think it should be "eval"... https://fedorahosted.org/scap-security-guide/ And now on to the question... :-) Does SSG generate (or plan to generate) remediation content? Check the very bottom of this page for an example... http://dev.gentoo.org/~swift/docs/genoval.xml I tried "generate fix" with the SSG content, but the resulting script was empty. I guess I'm not sure if I'm doing something wrong, or if more needs to be added to SSG to provide remediation capabilities. Thanks! Dave -- David D. Egts, RHCA, RHCSS #805007796228001 Principal Architect, Red Hat, Inc.

2 3

RE: coming soon: consistency checking scripts
by Mike Palmiotto 13 Mar '12

13 Mar '12

>On 03/12/2012 10:26 PM, Shawn Wells wrote: >> On 3/12/12 5:59 PM, Jeffrey Blank wrote: >>> We'll shortly be committing a script to do checking for consistency >>> between our OVAL and XCCDF. This should detect situations such as: >>> >>> 1) >>> a reference from an XCCDF rule to an OVAL definition that doesn't >>>exist. >>> >>> 2) >>> an XCCDF rule exists (and is used in a profile) but doesn't include >>> any reference to a check. >>> >>> 3) >>> mismatch between filename and OVAL definition name (as this is an >>> important convention for our approach to modular definitions) >> >> I think the following would be helpful too: >> >> 4) >> An XCCDF rule exists and isn't used in a profile >> >> 5) >> Any checks that are not present in an XCCDF rule >> (I can't imagine there would actually be any of these given how we've >> been making XCCFD then the checks, but it'd be good to watch for) There doesn't seem to be a way to add new prose (ie from the SNAC guide) to the scap-security-guide, due to issues with well-formedness. File names, Linux keywords, and config file settings are wrapped in <xhtml:code> and <xhtml:pre> tags in ssg, but not in the SNAC guide, so anything that isn't well-formed within the SNAC prose breaks the xccdf. There are also some cases where these settings are well-formed, but are still wrapped in the namespace (xhtml:code/pre) tags within the scap-security-guide. I'd like to keep the SNAC+scap-sec-guide merge consistent with the previous security-guide, but I can't seem to find an all-encompassing set of conditions to systematically add these tags where appropriate. I'm wondering if you guys know of a way to do this (other than manually). If not, this would be great functionality to add for future use. If no one else is currently doing so, I'd like to work on it. --Mike

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide March 2012