OpenSCAP (the interpreter) has been included with RHEL for a while (since RHEL 5).
When we first started some 2yrs ago, the EPEL version was used until RHEL versions caught up.
Today EPEL is needed for SSG content. With RHEL 6.6 all dependencies on EPEL will be dropped.
-- Shawn Wells Director, Innovation Programs shawn@redhat.com | 443.534.0130 @shawndwells
On Jun 3, 2014, at 7:22 AM, Greg Elin gregelin@gitmachines.com wrote:
Shawn, you said "OpenSCAP comes natively with RHEL".
Does that mean you do not need to add the EPEL repo to install OpenSCAP anymore?
Greg
On Tue, Jun 3, 2014 at 5:47 AM, Jan Lieskovsky jlieskov@redhat.com wrote:
Thank you for your feedback Paul, Greg.
----- Original Message -----
From: "Greg Elin" gregelin@gitmachines.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Tuesday, May 27, 2014 9:08:00 PM
Subject: Re: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to test SSG content.
Wondering if two votes for leaving scap-security-guide RPM dependency on openscap-utils can be considered as "sufficiently demonstrating community opinion". It's better than nothing (we know there are people preferring that we keep the current situation), but wondering if there are (also) people who would want the opposite? (would be good to know, so this topic could be closed and we could move to other issues)
So, is there anyone who wants the Requires dependency on openscap-utils removed from scap-security-guide? If so, could you also provide clarification / reasoning behind this motivation? (except the already mentioned one that having Requires on openscap-utils might induce the impression SSG content can be used with OpenSCAP tools only)
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
With my newbie hat on, it's taken me some time to understand the difference between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and an HTML page; between Excel and an Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) <ptittle@cmf.nrl.navy.mil> wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky jlieskov@redhat.com Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovsky jlieskov@redhat.com
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the common profile, run: diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/% {name}-%{version}.tar.gz Source1: http://repos.ssgproject.org/sources/% {name}-%{rhelssgversion}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile: diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8 b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile: diff --git a/scap-security-guide.spec b/scap-security-guide.spec index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/% {name}-%{version}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common %description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
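Review bot: The second sentence of the NOTE added to all three scap-security-guide.8 pages ("If that's not the case to install the openscap-utils package run the") is hard to parse as rendered man-page text. Suggest something like "If it is not, install it by running yum install openscap-utils as the root user." Separately, the unchanged context line in the RHEL/7 man page hunk still tells the reader to scan against the stig-rhel6-server profile; worth confirming that is the intended profile name for the RHEL/7 page before touching this section.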
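Review bot: In both spec hunks, dropping openscap-utils from Requires also drops the ">= 0.9.1" version floor at install time, while BuildRequires still pins openscap-utils >= 0.9.1. After this change a system with an older openscap-utils gets the content with no packaging signal that the scanner is below the version the content was built against, and the new man page NOTE only says to install the package, not which version. Suggest stating the minimum version in the NOTE, and recording in the commit message why the runtime dependency is being removed, since the message currently says what is dropped but not the reason.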
I'd like to open this up to the community..... Is it beneficial for OpenSCAP to be simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or useful?
I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one.
There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content.
If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide