On 5/27/14, 3:08 PM, Greg Elin wrote:
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Tenable produces Security Center, and they've documentation on how to ingest SCAP content.
The fine folks at SPAWAR authored SCC+SSG documentation, which we merged into the user guide (a copy of my scratch space is below, I wouldn't recommend bookmarking it): http://people.redhat.com/swells/scap-security-guide/docs/User_Guide/tmp/en-U...
Then there's RHN Satellite and OpenSCAP, both which have docs. Ideas welcome on additional tools!
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to test SSG content.
With my newbie hat on, it's taken me some time to understand the difference between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and html page; between Excel and a Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) <ptittle@cmf.nrl.navy.mil mailto:ptittle@cmf.nrl.navy.mil> wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:...I'd like to open this up to the community..... Is it beneficial for OpenSCAP to simultaneously installed with SSG? On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people. So, to the user community, is auto inclusion of OpenSCAP annoying or useful?I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one. There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content. If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
Given that OpenSCAP is a NIST certified SCAP scanner for RHEL6, and OpenSCAP comes natively with RHEL, I lean towards keeping the dependency. As other tools mature and become widely available this could easily be revisited. Leaning towards easy adoption seems the most advantageous path.
Anyone feel strongly *against* the dependency?