On 3/15/12 9:32 AM, "Steve Grubb" sgrubb@redhat.com wrote:
On Thursday, March 15, 2012 09:10:23 AM Spencer R. Shimko wrote:
Are you thinking of something significantly different from the secstate effort?
There is a lot of overlap between what is shipped with RHEL and secstate. We have had teleconferences on combining codebases somewhat, but that was a long time ago. We can restart that discussion if you want, but not on this mail list.
Sounds good. We'll sync up separately.
I think the topic at hand focuses on requirement content and remediation content - not the tools.
I thought secstate was a tool and not content. Is there more to secstate than code? I might have missed that.
You are correct regarding secstate being a tool. However, in the midst of a conversation about content a question was asked about a tool. I responded by providing a link to the tool. The details of that tool should definitely be discussed on the OpenSCAP list (as you mention below). But I digress because I think we are going down a rabbit hole.
As of right now I think this list is the best place to have those conversations.
For content, sure.
Even for Puppet content? While I would really like to get it into a SCAP remediation standard, it will be in Puppet for now. I know there has been movement towards BASH scripts for the content, and honestly the content we have written in the past was basically BASH scripts wrapped in a Puppet module. This time around we're using Augeas, which I hope will allow us to develop more robust content with far fewer BASH scripts wrapped in Puppet. Thoughts?
I guess the real question here is if we should ignore the fact that it isn't in a SCAP standard and push the Puppet-based remediation content into SSG. I would really prefer this approach but I completely understand if the SSG community doesn't want to start cramming non-SCAP content in SSG's git repo.
However if the general sentiment of the list is that remediation needs to be discussed elsewhere (since it won't be SCAP) I'll happily move it to the CLIP mailing list.
Is that where you discuss the secstate code? I was thinking of the openscap mail list which is where all the previous discussion of secstate/openscap code merging occurred. :)
Heh I think I left out a critical word up there :P Should have read "remediation *content* could be discussed on the CLIP list." The rationale being that we have hosted puppet remediation content there for years and distributed it as part of CLIP.
Thanks, --Spencer
-Steve