[PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovskyjlieskov@redhat.com Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovskyjlieskov@redhat.com
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems.
.SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the common profile, run:
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/%%7Bname%7D-%%7Bversion%7D.tar.gz Source1: http://repos.ssgproject.org/sources/%%7Bname%7D-%%7Brhelssgversion%7D.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content
diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp://usgcb.nist.gov/usgcb_content.html.
.SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile:
diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8 b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp://usgcb.nist.gov/usgcb_content.html.
.SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile:
diff --git a/scap-security-guide.spec b/scap-security-guide.spec index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/%%7Bname%7D-%%7Bversion%7D.tar.gz BuildArch: noarch
BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common
%description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
I'd like to open this up to the community..... Is it beneficial for OpenSCAP to simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or useful?
On 5/27/14 2:43 PM, Shawn Wells wrote:
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovskyjlieskov@redhat.com Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovskyjlieskov@redhat.com
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the common profile, run: diff --git a/Fedora/scap-security-guide.spec
b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/%%7Bname%7D-%%7Bversion%7D.tar.gz Source1: http://repos.ssgproject.org/sources/%%7Bname%7D-%%7Brhelssgversion%7D.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp://usgcb.nist.gov/usgcb_content.html. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile: diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8
b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp://usgcb.nist.gov/usgcb_content.html. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile: diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/%%7Bname%7D-%%7Bversion%7D.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common %description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
I'd like to open this up to the community..... Is it beneficial for OpenSCAP to simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or useful?
I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one.
There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content.
If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to test SSG content.
With my newbie hat on, it's taken me some time to understand the difference between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and html page; between Excel and a Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) < ptittle@cmf.nrl.navy.mil> wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovskyjlieskov@redhat.com jlieskov@redhat.com Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovskyjlieskov@redhat.com jlieskov@redhat.com
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the common profile, run: diff --git a/Fedora/scap-security-guide.spec
b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/%%7Bname%7D-%%7Bversion%7D.tar.gz
Source1: http://repos.ssgproject.org/sources/%%7Bname%7D-%%7Brhelssgversion%7D.tar.gz
BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp://usgcb.nist.gov/usgcb_content.html. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile: diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8
b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp://usgcb.nist.gov/usgcb_content.html. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
- To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile: diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/%%7Bname%7D-%%7Bversion%7D.tar.gz
BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common %description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
I'd like to open this up to the community..... Is it beneficial for OpenSCAP to simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or useful?
I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one.
There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content.
If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
scap-security-guide mailing listscap-security-guide@lists.fedorahosted.orghttps://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 5/27/14, 3:08 PM, Greg Elin wrote:
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Tenable produces Security Center, and they've documentation on how to ingest SCAP content.
The fine folks at SPAWAR authored SCC+SSG documentation, which we merged into the user guide (a copy of my scratch space is below, I wouldn't recommend bookmarking it): http://people.redhat.com/swells/scap-security-guide/docs/User_Guide/tmp/en-U...
Then there's RHN Satellite and OpenSCAP, both which have docs. Ideas welcome on additional tools!
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to test SSG content.
With my newbie hat on, it's taken me some time to understand the difference between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and html page; between Excel and a Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) <ptittle@cmf.nrl.navy.mil mailto:ptittle@cmf.nrl.navy.mil> wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:...I'd like to open this up to the community..... Is it beneficial for OpenSCAP to simultaneously installed with SSG? On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people. So, to the user community, is auto inclusion of OpenSCAP annoying or useful?I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one. There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content. If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
Given that OpenSCAP is a NIST certified SCAP scanner for RHEL6, and OpenSCAP comes natively with RHEL, I lean towards keeping the dependency. As other tools mature and become widely available this could easily be revisited. Leaning towards easy adoption seems the most advantageous path.
Anyone feel strongly *against* the dependency?
Thank you for your feedback Paul, Greg.
----- Original Message -----
From: "Greg Elin" gregelin@gitmachines.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, May 27, 2014 9:08:00 PM Subject: Re: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to test SSG content.
Wondering if two votes for leaving scap-security-guide RPM dependency on openscap-utils can be considered as "sufficiently demonstrating community opinion". It's better than nothing (we know there are people preferring we to keep the current situation), but wondering if there are (also) people which would want the opposite? (would be good to know, so this topic could be closed and we could move to other issues)
So anyone with desire in order to scap-security-guide removed Requires dependency on openscap-utils? If so, could you also provide also clarification / reasoning behind this motivation? (except the already mentioned one that having Requires on openscap-utils might induce impression SSG content can be used with OpenSCAP tools only)
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
With my newbie hat on, it's taken me some time to understand the difference between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and html page; between Excel and a Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) < ptittle@cmf.nrl.navy.mil > wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky jlieskov@redhat.com Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovsky jlieskov@redhat.com
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the common profile, run: diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/% {name}-%{version}.tar.gz Source1: http://repos.ssgproject.org/sources/% {name}-%{rhelssgversion}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile: diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8 b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile: diff --git a/scap-security-guide.spec b/scap-security-guide.spec index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/% {name}-%{version}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common %description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
I'd like to open this up to the community..... Is it beneficial for OpenSCAP to simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or useful?
I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one.
There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content.
If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Shawn, you said " OpenSCAP comes natively with RHEL".
Does that mean you do not to add EPEL repo to install openSCAP anymore?
Greg
On Tue, Jun 3, 2014 at 5:47 AM, Jan Lieskovsky jlieskov@redhat.com wrote:
Thank you for your feedback Paul, Greg.
----- Original Message -----
From: "Greg Elin" gregelin@gitmachines.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, May 27, 2014 9:08:00 PM Subject: Re: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on
openscap-utils. Add a note into manual pages
regarding that.
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to
test
SSG content.
Wondering if two votes for leaving scap-security-guide RPM dependency on openscap-utils can be considered as "sufficiently demonstrating community opinion". It's better than nothing (we know there are people preferring we to keep the current situation), but wondering if there are (also) people which would want the opposite? (would be good to know, so this topic could be closed and we could move to other issues)
So anyone with desire in order to scap-security-guide removed Requires dependency on openscap-utils? If so, could you also provide also clarification / reasoning behind this motivation? (except the already mentioned one that having Requires on openscap-utils might induce impression SSG content can be used with OpenSCAP tools only)
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
With my newbie hat on, it's taken me some time to understand the
difference
between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and html page; between Excel
and
a Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) < ptittle@cmf.nrl.navy.mil > wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky jlieskov@redhat.com Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovsky jlieskov@redhat.com
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the
system.
+If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the common profile, run: diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/% {name}-%{version}.tar.gz Source1: http://repos.ssgproject.org/sources/% {name}-%{rhelssgversion}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1,
python-lxml
-Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the
system.
+If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile: diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8 b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the
system.
+If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile: diff --git a/scap-security-guide.spec b/scap-security-guide.spec index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/% {name}-%{version}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1,
python-lxml
-Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common %description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
I'd like to open this up to the community..... Is it beneficial for
OpenSCAP
to simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command,
which
is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with
OpenSCAP.
There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or
useful?
I think it's useful to require OpenSCAP to be installed simultaneously.
It's
used to test SSG content, for one.
There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest
OpenSCAP
build, which potentially breaks the test for some environments (it broke
for
mine). This tells me that SSG's tests are somewhat reliant on the SCAP
tools
that are used with the content.
If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so
my
vote is for requiring OpenSCAP.
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
The official EL6 (and EL5) updates (May 1st) started including openscap-1.0.8. No need to add EPEL.
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Greg Elin Sent: terça-feira, 3 de Junho de 2014 12:22 To: SCAP Security Guide Subject: Re: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Shawn, you said " OpenSCAP comes natively with RHEL".
Does that mean you do not to add EPEL repo to install openSCAP anymore?
Greg
On Tue, Jun 3, 2014 at 5:47 AM, Jan Lieskovsky <jlieskov@redhat.commailto:jlieskov@redhat.com> wrote: Thank you for your feedback Paul, Greg.
----- Original Message -----
From: "Greg Elin" <gregelin@gitmachines.commailto:gregelin@gitmachines.com> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.orgmailto:scap-security-guide@lists.fedorahosted.org> Sent: Tuesday, May 27, 2014 9:08:00 PM Subject: Re: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to test SSG content.
Wondering if two votes for leaving scap-security-guide RPM dependency on openscap-utils can be considered as "sufficiently demonstrating community opinion". It's better than nothing (we know there are people preferring we to keep the current situation), but wondering if there are (also) people which would want the opposite? (would be good to know, so this topic could be closed and we could move to other issues)
So anyone with desire in order to scap-security-guide removed Requires dependency on openscap-utils? If so, could you also provide also clarification / reasoning behind this motivation? (except the already mentioned one that having Requires on openscap-utils might induce impression SSG content can be used with OpenSCAP tools only)
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
With my newbie hat on, it's taken me some time to understand the difference between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and html page; between Excel and a Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) < ptittle@cmf.nrl.navy.milmailto:ptittle@cmf.nrl.navy.mil > wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <jlieskov@redhat.commailto:jlieskov@redhat.com> Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.commailto:jlieskov@redhat.com>
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the common profile, run: diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/%http://fedorapeople.org/~jlieskov/%25 {name}-%{version}.tar.gz Source1: http://repos.ssgproject.org/sources/%http://repos.ssgproject.org/sources/%25 {name}-%{rhelssgversion}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.htmlhttp://usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile: diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8 b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.htmlhttp://usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile: diff --git a/scap-security-guide.spec b/scap-security-guide.spec index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/%http://repos.ssgproject.org/sources/%25 {name}-%{version}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common %description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
I'd like to open this up to the community..... Is it beneficial for OpenSCAP to simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or useful?
I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one.
There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content.
If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.orgmailto:scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.orgmailto:scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.orgmailto:scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
_______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.orgmailto:scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
OpenSCAP (the interpreter) has been included with RHEL for awhile (since rhel5).
When we first started some 2yrs ago, the EPEL version was used until RHEL versions caught up.
Today EPEL is needed for SSG content. With RHEL 6.6 all dependencies on EPEL will be dropped.
-- Shawn Wells Director, Innovation Programs shawn@redhat.com | 443.534.0130 @shawndwells
On Jun 3, 2014, at 7:22 AM, Greg Elin gregelin@gitmachines.com wrote:
Shawn, you said " OpenSCAP comes natively with RHEL".
Does that mean you do not to add EPEL repo to install openSCAP anymore?
Greg
On Tue, Jun 3, 2014 at 5:47 AM, Jan Lieskovsky jlieskov@redhat.com wrote: Thank you for your feedback Paul, Greg.
----- Original Message -----
From: "Greg Elin" gregelin@gitmachines.com To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org Sent: Tuesday, May 27, 2014 9:08:00 PM Subject: Re: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
In general, it's probably more a documentation and marketing issue. More could be done to publish examples of SSG being used with other tools.
Most people are going to be installing SSG via YUM. If the documentation indicates installing both, that is probably fine.
I agree with Paul that it is nice to install both and oscap is needed to test SSG content.
Wondering if two votes for leaving scap-security-guide RPM dependency on openscap-utils can be considered as "sufficiently demonstrating community opinion". It's better than nothing (we know there are people preferring we to keep the current situation), but wondering if there are (also) people which would want the opposite? (would be good to know, so this topic could be closed and we could move to other issues)
So anyone with desire in order to scap-security-guide removed Requires dependency on openscap-utils? If so, could you also provide also clarification / reasoning behind this motivation? (except the already mentioned one that having Requires on openscap-utils might induce impression SSG content can be used with OpenSCAP tools only)
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
With my newbie hat on, it's taken me some time to understand the difference between OpenSCAP and SSG. I've been wondering why. After all, I've understood the difference between a browser and html page; between Excel and a Excel file.
I come back to the marketing piece.
Greg
On Tue, May 27, 2014 at 2:57 PM, Paul Tittle (Contractor) < ptittle@cmf.nrl.navy.mil > wrote:
On 5/27/14 2:43 PM, Shawn Wells wrote:
On 5/26/14, 10:56 AM, Jan Lieskovsky wrote:
0002-RHEL-6-RHEL-7-Fedora-Drop-Requires-on-openscap-utils.patch
From 3c42c661b4f12d57fda35c3506bde1140a09a02f Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky jlieskov@redhat.com Date: Mon, 26 May 2014 16:26:08 +0200 Subject: [PATCH 2/2] [RHEL/6, RHEL/7, Fedora] Drop Requires on openscap-utils. Add a note into manual pages regarding that.
Signed-off-by: Jan Lieskovsky jlieskov@redhat.com
Fedora/input/auxiliary/scap-security-guide.8 | 7 +++++++ Fedora/scap-security-guide.spec | 2 +- RHEL/6/input/auxiliary/scap-security-guide.8 | 7 +++++++ RHEL/7/input/auxiliary/scap-security-guide.8 | 7 +++++++ scap-security-guide.spec | 2 +- 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/Fedora/input/auxiliary/scap-security-guide.8 b/Fedora/input/auxiliary/scap-security-guide.8 index 7758f37..50235d9 100644 --- a/Fedora/input/auxiliary/scap-security-guide.8 +++ b/Fedora/input/auxiliary/scap-security-guide.8 @@ -33,6 +33,13 @@ scanning of general-purpose Fedora systems. .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the common profile, run: diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index c5a8911..adf92a5 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -23,7 +23,7 @@ Source0: http://fedorapeople.org/~jlieskov/% {name}-%{version}.tar.gz Source1: http://repos.ssgproject.org/sources/% {name}-%{rhelssgversion}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common Obsoletes: openscap-content < 0:0.9.13 Provides: openscap-content diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 44ae1ab..e676d35 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -68,6 +68,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server-upstream profile: diff --git a/RHEL/7/input/auxiliary/scap-security-guide.8 b/RHEL/7/input/auxiliary/scap-security-guide.8 index 97c4aec..7625fdd 100644 --- a/RHEL/7/input/auxiliary/scap-security-guide.8 +++ b/RHEL/7/input/auxiliary/scap-security-guide.8 @@ -58,6 +58,13 @@ webpage athttp:// usgcb.nist.gov/usgcb_content.html . .SH EXAMPLES
+.B "NOTE: " +Example below assumes the openscap-utils package is installed on the system. +If that's not the case to install the openscap-utils package run the +.I yum install openscap-utils +command as the root user.
To scan your system utilizing the OpenSCAP utility against the stig-rhel6-server profile: diff --git a/scap-security-guide.spec b/scap-security-guide.spec index fad1c6f..c23be44 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -15,7 +15,7 @@ Source0: http://repos.ssgproject.org/sources/% {name}-%{version}.tar.gz BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-utils >= 0.9.1, python-lxml -Requires: xml-common, openscap-utils >= 0.9.1 +Requires: xml-common %description The scap-security-guide project provides a guide for configuration of the -- 1.8.3.1
I'd like to open this up to the community..... Is it beneficial for OpenSCAP to simultaneously installed with SSG?
On one side the inclusion means you get tools+content with one command, which is particularly useful for those new to SCAP. On the other hand it's been mentioned that this drives users to believing SSG only works with OpenSCAP. There's no intention of "forcing" OpenSCAP on people.
So, to the user community, is auto inclusion of OpenSCAP annoying or useful?
I think it's useful to require OpenSCAP to be installed simultaneously. It's used to test SSG content, for one.
There have been some patches recently which were made in response to the latest build of OpenSCAP, such as the world_writeable_files patch. recurse_file_system="local" does something different in the latest OpenSCAP build, which potentially breaks the test for some environments (it broke for mine). This tells me that SSG's tests are somewhat reliant on the SCAP tools that are used with the content.
If all SCAP tools behaved the same way for all input, I would say that OpenSCAP shouldn't be a requirement for SSG. But they probably don't, so my vote is for requiring OpenSCAP.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On Tuesday, June 03, 2014 07:42:44 AM Shawn Wells wrote:
OpenSCAP (the interpreter) has been included with RHEL for awhile (since rhel5).
When we first started some 2yrs ago, the EPEL version was used until RHEL versions caught up.
Today EPEL is needed for SSG content. With RHEL 6.6 all dependencies on EPEL will be dropped.
An updated openscap package was shipped in rhel6 a month ago.
https://rhn.redhat.com/errata/RHBA-2014-0450.html
EPEL is no longer needed.
-Steve
scap-security-guide@lists.fedorahosted.org
-
Greg Elin -
Jan Lieskovsky -
Paul Tittle (Contractor) -
Rui Pedro Bernardino -
Shawn Wells -
Steve Grubb