Shawn, you said "OpenSCAP comes natively with RHEL".
Does that mean you do not need to add the EPEL repo to install OpenSCAP anymore?
Greg
On Tue, Jun 3, 2014 at 5:47 AM, Jan Lieskovsky jlieskov@redhat.com wrote:
Thank you for your feedback Paul, Greg.
----- Original Message -----
From: "Greg Elin" gregelin@gitmachines.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Tuesday, May 27, 2014 9:08:00 PM
Subject: Re: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to test SSG content.
Wondering if two votes for leaving the scap-security-guide RPM dependency on openscap-utils can be considered as "sufficiently demonstrating community opinion". It's better than nothing (we know there are people preferring we keep the current situation), but wondering if there are (also) people who would want the opposite? (Would be good to know, so this topic could be closed and we could move to other issues.)
So is there anyone with a desire to have the Requires dependency on openscap-utils removed from scap-security-guide? If so, could you also provide clarification / reasoning behind this motivation? (Except the already mentioned one, that having Requires on openscap-utils might induce the impression SSG content can be used with OpenSCAP tools only.)
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
With my newbie hat on, it's taken me some time to understand the difference between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and an HTML page; between Excel and an Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) < ptittle@cmf.nrl.navy.mil > wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky jlieskov@redhat.com Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovsky jlieskov@redhat.com
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the
system.
+If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the common profile, run: diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/% {name}-%{version}.tar.gz Source1: http://repos.ssgproject.org/sources/% {name}-%{rhelssgversion}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1,
python-lxml
-Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the
system.
+If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile: diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8 b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the
system.
+If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile: diff --git a/scap-security-guide.spec b/scap-security-guide.spec index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/% {name}-%{version}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1,
python-lxml
-Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common %description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
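Review bot: In both spec hunks (Fedora/scap-security-guide.spec and scap-security-guide.spec), removing openscap-utils >= 0.9.1 from Requires also drops the minimum-version constraint, while BuildRequires keeps it and the new man page note only says "yum install openscap-utils". Consider stating the minimum version (0.9.1) in the note, so a user who installs the scanner separately knows which version the package was previously tied to.

Review bot: In the three man page hunks, the added sentence "If that's not the case to install the openscap-utils package run the" is hard to parse; something like "If it is not, install it by running yum install openscap-utils as the root user." reads more clearly. The same seven lines are added to three files, so the wording fix has to go into each, and the unchanged context line after the note in RHEL/7/input/auxiliary/scap-security-guide.8 still names the stig-rhel6-server profile, which is worth checking while this section is being touched.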
I'd like to open this up to the community..... Is it beneficial for OpenSCAP to be simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP.
There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or useful?
I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one.
There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content.
If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide