----- Original Message -----
From: "Šimon Lukašík" <slukasik(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Wednesday, April 22, 2015 10:50:36 AM
Subject: OVAL 5.11 Woes
tl;dr: Why I think we need OVAL 5.11 in SSG/Fedora, and what problems
it poses.
OVAL 5.11 is the latest (released) version of the OVAL standard. Version
5.11 adds support for assessing systemd properties, hence this version
is important for anyone auditing nowadays Linux. The most notable user is
the SCAP-Security-Guide project, which develops configuration baselines (STIG,
USGCB, etc.) for RHEL7.
OVAL 5.11 is very similar to the previous versions, thus one would
conclude that the upgrade should be straightforward. Indeed, from a tool
implementation perspective the upgrade is easy.
OpenSCAP 1.2.2 brings in the support for OVAL 5.11.
With prior OpenSCAP versions, certain DataStream operations with OVAL
5.11 are not possible. This is because the standard DataStream 1.2 schema
includes the OVAL 5.10 XSD.
Hence, for developing OVAL 5.11 content you need OpenSCAP 1.2.2 or greater.
And here comes the problem: SCAP-Security-Guide contains multiple
separate guidances, each for a different target (RHEL6, RHEL7, or
Fedora). The majority of contributors are used to building all the guidances
with a single build process on RHEL6 or RHEL7.
At the time of writing neither the RHEL6 nor the RHEL7 tooling includes support
for OVAL 5.11. So, the tools on RHEL6 and RHEL7 will be limited in
processing OVAL 5.11 (SSG/Fedora) content.
At the same time, there is value in moving the edge and starting to build
OVAL 5.11 (systemd) content for the Fedora target. We will test systemd
checks in Fedora and move them to the RHEL7 STIG later on.
+1
Since people having experience with developing SCAP content will
hopefully confirm that the OVAL language possibilities are limited wrt
quickly evolving OS features, and since it takes time until newly introduced
OVAL language concepts get projected into scanner tools, the only way
to keep aligned with the new OVAL features is to adopt the new language
version as soon as possible, I see the effort to add OVAL 5.11 support
to / against Fedora content as a reasonable step, even if this step
would mean it won't be possible to build Fedora content on Red Hat
Enterprise Linux 6 / 7 systems.
Hence, it seems that the best way to proceed is buildtime magic: build
Fedora content only when the tools are capable of building it. The downside is
that RHEL6/RHEL7 contributors will not be able to build Fedora content
(until the OpenSCAP 1.2.2 update hits their systems).
+1 I can't see a better way to simultaneously:
* not break existing RHEL/6 | RHEL/7 content, and
* add OVAL 5.11 language support for Fedora content (the idea why
we might want to support OVAL 5.11 in Fedora sooner rather than later is
expressed in my reply to your previous paragraph).
Jan Černý has already started adding systemd support to SSG/Fedora in
https://github.com/OpenSCAP/scap-security-guide/pull/527
Will look at this.
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
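One way to implement the "buildtime magic" discussed above (build the Fedora content only when the local tooling supports OVAL 5.11), as an added example that is not part of the thread or of the SSG build system: it parses the "OVAL Version:" line that `oscap --version` prints under "Supported specifications" and compares it against the required version. The two version texts below are constructed samples; a real build would feed it `$(oscap --version)` instead.

```shell
#!/bin/sh
# Added example, not SSG code. Decide at build time whether the installed
# OpenSCAP can handle OVAL 5.11 content, based on the "OVAL Version:" line
# of `oscap --version`. Returns 0 when the supported version is >= the
# required one, 1 otherwise (including when no OVAL line is found).
oval_supported() {
    # $1: text of `oscap --version`; $2: required OVAL version, e.g. 5.11
    have=$(printf '%s\n' "$1" | sed -n 's/^OVAL Version:[[:space:]]*//p' | head -n 1)
    [ -n "$have" ] || return 1
    have_major=${have%%.*}; rest=${have#*.}; have_minor=${rest%%.*}
    need_major=${2%%.*};   rest=${2#*.};    need_minor=${rest%%.*}
    [ "$have_major" -gt "$need_major" ] && return 0
    [ "$have_major" -eq "$need_major" ] && [ "$have_minor" -ge "$need_minor" ]
}

# Constructed sample outputs standing in for `oscap --version` on a host
# with pre-1.2.2 OpenSCAP (OVAL 5.10 only) and on one with 1.2.2.
OLD_OSCAP='OpenSCAP command line tool (oscap) 1.2.1
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1'
NEW_OSCAP='OpenSCAP command line tool (oscap) 1.2.2
==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1'

# Build-step gate: prints the decision the build would take for the given
# `oscap --version` text (hypothetical name, for illustration).
build_fedora_if_supported() {
    if oval_supported "$1" 5.11; then
        echo "building Fedora (OVAL 5.11) content"
    else
        echo "skipping Fedora content: OVAL 5.11 not supported by this oscap"
    fi
}

build_fedora_if_supported "$OLD_OSCAP"
build_fedora_if_supported "$NEW_OSCAP"
```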