On 11/26/19 9:05 AM, Kern, Thomas (CONTR) wrote:
> Having the openscap tools available is great. I know that it is difficult to provide each distribution with SCAP control files to check for all compliance settings. It would be nice if there were SCAP control files for a 'Linux distribution independent' compliance scan, checking the setting of the most common compliance issues across all variations of Linux.
Has been discussed. Creating such content would be very cumbersome --
most Linux distros keep things in different places (e.g. Fedora vs RHEL
vs Ubuntu vs SLES), or have different implementations (AppArmor vs
SELinux).
While SCAP does support if-clauses ("If SuSE, check AppArmor; elif RHEL,
check SELinux") there hasn't been a development community form to take
on that work. Patches welcome if someone wants to begin though!
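
The per-distribution branching described above, as an added Python sketch that is not part of the original message and is not SCAP content. The distro-to-MAC mapping, the function names and the sample trees are assumptions made for illustration; the status file paths are the standard kernel interfaces for SELinux and AppArmor.

```python
import tempfile
from pathlib import Path

# MAC system -> (status file relative to the filesystem root, value meaning "on")
MAC_CHECKS = {"selinux": ("sys/fs/selinux/enforce", "1"),
              "apparmor": ("sys/module/apparmor/parameters/enabled", "Y")}
# Assumption: default MAC system per os-release ID / ID_LIKE token.
DISTRO_MAC = {"rhel": "selinux", "fedora": "selinux",
              "sles": "apparmor", "suse": "apparmor", "ubuntu": "apparmor"}

def parse_os_release(text):  # KEY=value lines; quotes and comments dropped
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip("\"'")
    return fields

def pick_mac(fields):
    """ID first, then ID_LIKE, so derivatives (e.g. CentOS) follow their parent."""
    for name in [fields.get("ID", "")] + fields.get("ID_LIKE", "").split():
        if name.lower() in DISTRO_MAC:
            return DISTRO_MAC[name.lower()]
    return None

def check_mac(root):
    """Return (mac_system, result) for the tree at root; result is XCCDF-style."""
    root = Path(root)
    try:
        fields = parse_os_release((root / "etc/os-release").read_text())
    except OSError:
        return (None, "unknown")
    mac = pick_mac(fields)
    if mac is None:
        return (None, "notapplicable")   # no branch written for this distro
    rel, wanted = MAC_CHECKS[mac]
    try:
        value = (root / rel).read_text().strip()
    except OSError:
        return (mac, "fail")             # status file absent: MAC not loaded
    return (mac, "pass" if value == wanted else "fail")

def make_root(os_release, files):  # constructed demo tree in a temp dir
    root = Path(tempfile.mkdtemp())
    for rel, content in {"etc/os-release": os_release, **files}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return root
```

Calling `check_mac("/")` runs the same logic against the live system; every distribution not listed in `DISTRO_MAC` comes back `notapplicable`, which is the coverage gap the reply describes.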