Hello folks,
we are pleased to announce SCAP Security Guide of version 0.1.22.
The highlights include:
 * new (experimental [*]) SCAP content for Firefox, Java, Webmin, and Red Hat Enterprise Linux 5 products,
 * dropped support for Fedora 19 and added support for Fedora 22 and Rawhide,
 * all content now successfully validates against version 5.11 of the OVAL language,
 * multi_platform support has been introduced for OVAL checks,
 * the root Makefile has been equipped with 'make dist' and 'make install' targets,
Product specific enhancements:
 * RHEL/6
   ** content now contains OVAL checks for Avahi, FTP, and DHCP services,
   ** a new PCI-DSS profile has been provided,
   ** a new DISA STIG profile kickstart is now available,
 * RHEL/7
   ** package-installed OVAL checks for selected packages have been provided,
   ** 15 new audit service checks have been ported to RHEL/7,
   ** many more OVAL checks && remediation enhancements,
 * Fedora
   ** content is now shipped in OVAL language version 5.11 by default,
   ** the systemdtest template and example OVAL checks have been included,
   ** the audit system component benchmark section has been added,
   ** 15 new audit service checks have been ported to Fedora,
For the full list of changes see: [1] https://github.com/OpenSCAP/scap-security-guide/issues?page=1&q=mileston...
and
[2] https://github.com/OpenSCAP/scap-security-guide/issues?q=milestone%3A%22Draf...
Downloads [**]: [3] https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.22
Thanks to all who contributed to make this release the reality!
Happy scanning && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
[*] Users are encouraged to test these && report the issues found.
[**] See BUILD.md for guidance w.r.t. obtaining RPMs.
----- Original Message -----
From: "Jan Lieskovsky" jlieskov@redhat.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Monday, May 4, 2015 7:18:48 PM
Subject: SCAP Security Guide v0.1.22 is now live
Hello folks,
we are pleased to announce SCAP Security Guide of version 0.1.22.
\o/
[snip]
[*] Users are encouraged to test these && report the issues found. [**] See BUILD.md for guidance wrt to obtaining RPMs.
Could you please build it and attach a zip and the RPMs to the tag? If we consider remote scanning use-cases, these users may not have all the build tools necessary to produce RPMs. They may be using Windows or Mac OS X or a distribution that doesn't use RPM.
GitHub allows making releases out of tags and attaching files to them; see https://github.com/OpenSCAP/scap-workbench/releases/tag/1.1.0 for an example.
Hello Martin,
to follow up on this.
----- Original Message -----
From: "Martin Preisler" mpreisle@redhat.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Cc: "Jan Lieskovsky" jlieskov@redhat.com
Sent: Monday, May 4, 2015 7:48:02 PM
Subject: Re: SCAP Security Guide v0.1.22 is now live
----- Original Message -----
From: "Jan Lieskovsky" jlieskov@redhat.com
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Monday, May 4, 2015 7:18:48 PM
Subject: SCAP Security Guide v0.1.22 is now live
Hello folks,
we are pleased to announce SCAP Security Guide of version 0.1.22.
\o/
[snip]
[*] Users are encouraged to test these && report the issues found.
[**] See BUILD.md for guidance w.r.t. obtaining RPMs.
Could you please build it and attach a zip and the RPMs to the tag? If we consider remote scanning use-cases, these users may not have all the build tools necessary to produce RPMs. They may be using Windows or Mac OS X or a distribution that doesn't use RPM.
GitHub allows making releases out of tags and attaching files to them; see https://github.com/OpenSCAP/scap-workbench/releases/tag/1.1.0 for an example.
Right, you are correct that GitHub recently added support for attaching "binary" files to release tags as well. That's not the problem though.
The issue is that to also ship RPM files on GitHub together with a particular release, we would need to set up and manage a signing server instance and set up a policy for sharing the key used to sign those RPMs (across all the users who can create a release).
Since this is not a trivial (and time-consuming) task, for now we are not planning to ship RPM packages with upstream GitHub releases. But to make the life of content users a bit easier (hopefully), we decided to ship / provide (together with the existing source code tarball) another tarball / zip archive with the XML files already expanded. In other words, a tar / zip archive where the user can download all the XML OVAL / XCCDF / Datastream files already built (in the form they would have been obtained after issuing the ```make / make dist``` command for a particular product). This tarball / zip would provide expanded versions of the XML benchmark files for all currently supported products (off the top of my head: RHEL/5, RHEL/6, RHEL/7, Fedora, Java, Firefox, and Chrome SCAP content). The zips could be uniquely identified by associated MD5 / SHA256 sum information coupled with them (provided in the same GitHub release tag directory as the expanded XML zip archive).
I will explore possibilities for how to automatically create such a tarball when preparing a new upstream release.
Hope the above is helpful.
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
-- Martin Preisler Security Technologies | Red Hat, Inc.
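How a content consumer would use the published sums Jan describes, as an added POSIX shell example (editor's example; it is not part of this thread and not the project's own build scripts). It verifies a downloaded pre-built content archive against a SHA256SUMS file before the XML in it is handed to oscap, refuses an entry that is not a single SHA-256 digest (an MD5 sum is 32 hex characters and MD5 is no longer collision-resistant, so it should not be the only sum relied on), and returns distinct codes for a mismatch and a missing entry. The file names ssg-content.tar and SHA256SUMS, the "digest  name" line format (the one sha256sum itself prints), and the fixture built in demo() are assumptions. One limit of the scheme is worth keeping in mind: a sums file served from the same release page as the archive only proves the download was not corrupted; without a signature over the sums, whoever can replace the archive can replace the sums too.

```shell
#!/bin/sh
# Added example (not the project's code): verify a pre-built SSG content
# archive against a published SHA256SUMS file before using the XML in it.
# Assumed file names: ssg-content.tar, SHA256SUMS; assumed line format:
# "<hex digest>  <file name>" (what sha256sum itself prints).
set -e

# Print the SHA-256 hex digest of a file (coreutils sha256sum, or shasum
# on systems that lack it).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_archive ARCHIVE SUMSFILE
#   0  digest matches the entry for ARCHIVE's base name in SUMSFILE
#   1  digest mismatch (tampered, truncated or wrong file)
#   2  no entry for ARCHIVE in SUMSFILE
#   3  entry is not one 64-hex SHA-256 digest (e.g. an MD5 sum, or two
#      conflicting entries for the same name): refuse rather than weaken
verify_archive() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    # sha256sum writes "*name" for files hashed in binary mode; accept both.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_archive: no checksum entry for $name" >&2
        return 2
    fi
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    # Two matching lines would leave a newline inside $expected, so the
    # length check rejects that case as well as MD5/SHA-1 sized digests.
    if [ "${#expected}" -ne 64 ] || printf '%s' "$expected" | grep -q '[^0-9a-f]'; then
        echo "verify_archive: entry for $name is not a SHA-256 digest, refusing" >&2
        return 3
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "verify_archive: SHA-256 mismatch for $name" >&2
        return 1
    fi
    return 0
}

# demo: build a constructed fixture in a temp dir and exercise all four
# outcomes (ok, tampered, missing entry, MD5-only). Returns 0 only if
# every outcome is the expected one.
demo() {
    d=$(mktemp -d)
    # Constructed stand-in for a built datastream; not real SSG content.
    printf '<Benchmark id="example"/>\n' > "$d/ssg-rhel7-ds.xml"
    tar -C "$d" -cf "$d/ssg-content.tar" ssg-rhel7-ds.xml
    printf '%s  %s\n' "$(sha256_of "$d/ssg-content.tar")" ssg-content.tar > "$d/SHA256SUMS"
    # Constructed MD5-only sums file (MD5 of the empty string, 32 hex chars).
    printf '%s  %s\n' d41d8cd98f00b204e9800998ecf8427e ssg-content.tar > "$d/MD5SUMS"

    ok=0;      verify_archive "$d/ssg-content.tar" "$d/SHA256SUMS" || ok=$?
    md5=0;     verify_archive "$d/ssg-content.tar" "$d/MD5SUMS"    || md5=$?
    missing=0; verify_archive "$d/other.tar"       "$d/SHA256SUMS" || missing=$?
    printf 'x' >> "$d/ssg-content.tar"    # simulate tampering / truncation
    bad=0;     verify_archive "$d/ssg-content.tar" "$d/SHA256SUMS" || bad=$?

    rm -rf "$d"
    if [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ] && [ "$missing" -eq 2 ] && [ "$md5" -eq 3 ]; then
        echo "demo: all four outcomes as expected"
        return 0
    fi
    echo "demo: unexpected codes ok=$ok bad=$bad missing=$missing md5=$md5" >&2
    return 1
}
```

Source the file and call `demo`, or call `verify_archive ssg-content.tar SHA256SUMS` on a real download; only after it returns 0 unpack the archive and run `oscap xccdf eval` against the extracted datastream as usual. The per-case return codes are deliberate so that a wrapper for remote scanning can distinguish "re-download" (1) from "the release page is incomplete" (2) and "the publisher only gave a weak sum" (3).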
Very exciting to see SSG content expanding!
Interim publishing of the built XML files sounds pretty useful.
Greg Elin P: 917-304-3488 E: gregelin@gitmachines.com
On May 7, 2015, at 2:39 PM, Jan Lieskovsky jlieskov@redhat.com wrote:
[snip]
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/