Hello folks,
can I go ahead and push this patch upstream?
Right now it doesn't touch RHEL-6 code at all (RHEL-6 can
be attached later via symlinks to existing tests and providing
attestations).
But having this in the upstream repo could simplify the approach
for me (not needing to keep two separate local git streams),
and focus on fixing further child bugs which might arise when
trying to implement this (like the already mentioned "platform"
XSLT transformation, checking for presence of attestation for
that platform, the -devel option etc.)
RHEL-6 can start joining this scheme later, gradually moving
selected rules to be used / obtained from the shared directory
(once confirmed to work on RHEL-6 too).
And should this prove to be a non-viable way, we can
always return to the old (OVAL checks per product) schema
later just by moving the checks and removing the symlinks (whole
/shared content).
Were this just a Fedora-specific change, I would go ahead and push
(and accept the responsibility that if some issue is found
later, I will need to fix it).
But since it introduces a new main directory structure, I would
like to have your blessing first / prior to doing that.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
----- Original Message -----
From: "Jan Lieskovsky" <jlieskov(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Thursday, December 5, 2013 7:53:22 PM
Subject: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that Shared Library Files Have Restrictive Permissions' rule [was: [PATCH] [RFC] Creating shared bash script directory]
Based on thread:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-Decembe...
this patch adds the first OVAL check into the
scap-security-guide/shared/oval directory and modifies the main
Makefile wrt building Fedora packages so that it includes OVAL
checks directly provided in the input/checks directory, together
with those linked from the shared/ directory.
For now I didn't change the value of the <platform> element (didn't
implement the XSLT transformation for it to be modified automatically
based on the underlying system version the content is built on) - will
do this in the next steps, once we have agreed on the expected form of
the test_attestation element.
Passed basic sanity && regression testing on Fedora system.
RHEL-6 content has been intentionally kept intact until the moment we
are sure about the final shared OVAL check form.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team