I agree with Greg about providing more detail. I am especially curious
about the multiple filesystems and version control systems.
The (shared/oval) and (shared/fixes/bash) are for checks and fixes that
span multiple OS versions (App versions can be used as well if needed). Not
all the checks and fixes have to apply to every OS/App that is in the SSG.
Some might be for all versions and content in the SSG, and some might only
apply to a few. For example, not all GDM settings apply to the same OS
(i.e. 1 to many but not all). For RHEL7 and Fedora, DCONF settings apply to
configure and lock GDM settings, but DCONF does not exist at all in RHEL5
or 6 as those settings are GCONF. Not all RHEL5 and 6 GCONF settings are
equal either, etc. etc. etc. You could feasibly have a check that spans
over RHEV, OpenStack, RHEL, Ubuntu, etc.
Synchronizing the same file over multiple locations instead seems to take
wwwaayyyy more work and space than soft links and can be an entire can of
worms itself.
As Shawn alluded to, XSLT magic would be the best way of handling things.
On Wed, Apr 8, 2015 at 4:20 PM, Greg Elin <gregelin(a)gitmachines.com> wrote:
Trey,
Could you please provide a bit more detail?
I am interested because I am trying to understand the best way of eventually adding
Ubuntu SCAP into SSG, and have been wondering to link or not to link? That
is the question. Whether 'tis better to suffer to link shared files and risk
fragility in future or to pick up and clone rules into each distribution
and battle the onslaught of synchronizing changes in multiple directories.
In any case, I thought the share folder was holding source code for oval
checks that were common to more than one target platform. Then, when SSG is
built the shared source is turned into actual OVAL xml SCAP.
Have I completely missed that actual shared OVAL xml SCAP is in the
distributed SSG?
If the share is just in the source code, I am not following the idea of
running tests in both shared and non-shared folders.
If the share is in the distribution, are you suggesting that a scan just
run all tests in both shared and non-shared?
Greg Elin
P: 917-304-3488
E: gregelin(a)gitmachines.com
On Apr 8, 2015, at 5:13 PM, Trey Henefield <trey.henefield(a)ultra-ats.com>
wrote:
Greetings,
I wanted to propose a change to the current structure in place for shared
checks (shared/oval) and fixes (shared/fixes/bash). I was curious to get
everyone’s opinion before committing.
So the problem I see is with the symbolic linking of checks and fixes to
the shared folder. I have found it problematic when working between
different operating systems, file systems, and version control systems.
Rather than creating symbolic links to certain oval checks in the
shared/oval folder, we could choose to just process all oval checks in both
the project’s checks folder and the shared/oval folder.
However, not all checks in the current ‘shared/oval’ folder are shared by
all OS. For example, there are some that only apply to RHEL7 and Fedora,
and not RHEL6.
Any thoughts?
Thanks!
Best regards,
Trey Henefield, CISSP
Senior IAVA Engineer
Ultra Electronics
Advanced Tactical Systems, Inc.
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
Trey.Henefield(a)ultra-ats.com
Tel: +1 512 327 6795 ext. 647
Fax: +1 512 327 8043
Mobile: +1 512 541 6450
www.ultra-ats.com
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
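The alternative discussed in this thread (process both the project's checks folder and shared/oval instead of symlinking, while skipping shared checks that do not apply to the target OS), sketched as an added example that is not code from the thread or from the SSG build. It assumes each check file declares its platforms in OVAL `<platform>` elements; the directory layout, file names and sample checks are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

RHEL6, RHEL7 = "Red Hat Enterprise Linux 6", "Red Hat Enterprise Linux 7"
# Constructed sample tree: directories, file names and contents are illustrative.
SAMPLE = {
    "shared/oval/dconf_gdm_lock.xml": [RHEL7, "Fedora"],
    "shared/oval/gconf_gdm_lock.xml": [RHEL6],
    "shared/oval/sshd_protocol.xml": [RHEL6, RHEL7],
    "rhel6/checks/sshd_protocol.xml": [RHEL6],
    "rhel7/checks/rhel7_only.xml": [RHEL7],
}

def platforms(path):
    """Platform names declared by a check file (namespace-agnostic)."""
    root = ET.parse(path).getroot()
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "platform" and el.text}

def collect_checks(project_dir, shared_dir, target):
    """Map file name -> path: shared checks declaring `target`, then every
    project check; a project file replaces a shared one of the same name."""
    selected = {}
    for name in sorted(os.listdir(shared_dir)):
        path = os.path.join(shared_dir, name)
        if name.endswith(".xml") and target in platforms(path):
            selected[name] = path
    for name in sorted(os.listdir(project_dir)):
        if name.endswith(".xml"):
            selected[name] = os.path.join(project_dir, name)
    return selected

def demo():
    """Build the sample tree and return {project: {check name: source path}}."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        for rel, plats in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            tags = "".join("<platform>%s</platform>" % p for p in plats)
            with open(path, "w") as f:
                f.write("<def-group><definition><metadata><affected>%s</affected>"
                        "</metadata></definition></def-group>" % tags)
        for proj, target in (("rhel6", RHEL6), ("rhel7", RHEL7)):
            found = collect_checks(os.path.join(root, proj, "checks"),
                                   os.path.join(root, "shared", "oval"), target)
            result[proj] = {n: os.path.relpath(p, root) for n, p in found.items()}
    return result
```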