----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Sunday, August 31, 2014 8:14:05 AM
Subject: Re: New report and guide in openscap 1.1.0
On 8/29/14, 5:41 AM, Martin Preisler wrote:
> ----- Original Message -----
>> > From: "Trey Henefield" <trey.henefield(a)ultra-ats.com>
>> > To: "SCAP Security Guide" <scap-security-guide(a)lists.fedorahosted.org>
>> > Sent: Thursday, August 28, 2014 9:28:34 PM
>> > Subject: RE: New report and guide in openscap 1.1.0
>> >
>> > I had provided a comment a while back that I never heard back on.
>> >
>> > "I am not sure if it has been mentioned, but I personally would find it
>> > useful to include details on the results.
>> >
>> > For instance, considering a check that ensures all libraries meet certain
>> > permissions, it would be useful to identify all entries that are
>> > non-compliant, if failed.
> We already do that for a lot of checks but not all. For example it's done
> for file permission checks.
>
> Random Examples:
> "Verify and Correct File Permissions with RPM"
> "Verify that All World-Writable Directories Have Sticky Bits Set"
> "Ensure All Files Are Owned by a User"
> "Set Password Minimum Length in login.defs"
> ...
>
> Is there any type of a check that is missing this functionality where it
> is essential?
Honestly, it'd be incredibly useful for all of them.
From the table on File Permissions with RPM, noticed the stylesheet
creates the "OVAL details" label. Tried searching through the OpenSCAP
code to see how the XSLT gets this information to no avail:
https://github.com/OpenSCAP/openscap/search?utf8=%E2%9C%93&q=%22OVAL+...
The way it works is somewhat complicated :-)
See
https://github.com/OpenSCAP/openscap/blob/master/xsl/xccdf-report-impl.xs...
We try to locate an OVAL results file, query the relevant objects using XPath and run
templates on them, generating HTML.
https://github.com/OpenSCAP/openscap/blob/master/xsl/xccdf-report-oval-de...
contains support for some OVAL objects. If you need more it has to be added into
that file.
--
Martin Preisler
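
The lookup described in the reply above (failed definition, then its tests, then the tested items, then the collected system items) can be reproduced outside the stylesheet. The following Python sketch is an added example, not code from OpenSCAP or from this thread; the sample document, its ids and its paths are constructed and trimmed to the elements used, and unlike the stylesheet it dumps every child field of an item rather than handling specific OVAL object types.

```python
import xml.etree.ElementTree as ET

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "sc": "http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"}

# Constructed, trimmed OVAL results document (ids and file paths are made up).
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <results><system>
  <definitions><definition definition_id="oval:example:def:1" result="false">
   <criteria operator="AND" result="false"><criterion test_ref="oval:example:tst:1" result="false"/></criteria>
  </definition></definitions>
  <tests><test test_id="oval:example:tst:1" result="false">
   <tested_item item_id="101" result="true"/>
   <tested_item item_id="102" result="false"/>
  </test></tests>
  <oval_system_characteristics xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5">
   <system_data>
    <file_item id="101" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix">
     <filepath>/usr/lib/libok.so</filepath></file_item>
    <file_item id="102" xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5#unix">
     <filepath>/usr/lib/libbad.so</filepath></file_item>
   </system_data></oval_system_characteristics>
 </system></results>
</oval_results>"""

def failing_items(xml_text, definition_id):
    """Return {item_id: {field: value}} for items that failed under a failed definition."""
    system = ET.fromstring(xml_text).find("res:results/res:system", NS)
    # Index collected items and test results by id so references can be followed.
    items = {i.get("id"): i for i in system.findall("sc:oval_system_characteristics/sc:system_data/*", NS)}
    tests = {t.get("test_id"): t for t in system.findall("res:tests/res:test", NS)}
    out = {}
    for d in system.findall("res:definitions/res:definition", NS):
        if d.get("definition_id") != definition_id or d.get("result") != "false":
            continue
        for crit in d.iter("{%s}criterion" % NS["res"]):  # criteria may be nested
            test = tests.get(crit.get("test_ref"))
            for ti in (test.findall("res:tested_item", NS) if test is not None else []):
                item = items.get(ti.get("item_id"))
                if ti.get("result") == "false" and item is not None:
                    out[item.get("id")] = {c.tag.split("}")[1]: c.text for c in item}
    return out

if __name__ == "__main__":
    print(failing_items(SAMPLE, "oval:example:def:1"))
```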