Hello everybody,
I'm trying to write my first OVAL check and the associated remediation script. For my first try, I decided to test with a simple check https://github.com/OpenSCAP/scap-security-guide/issues/1861.
I think I succeeded in writing the OVAL check, but I have big issues with the remediation: when I execute the remediate command using the results file from the eval command, my remediation is never selected.
After some investigations, I realized that the fix wasn't generated into the results file.
I must admit I'm a little bit lost and I don't understand why my remediation fix is not generated into the results file.
That's why I'm looking for some help in order to understand how to investigate and resolve that issue (which I'm sure is a newbie thing).
I put my files on the following GIST: https://gist.github.com/ptitoliv/fe10d4d37049801b60c98b255c7a6d66
Thanks for your help.
Regards, Olivier Bonhomme
On 26/12/2017 at 17:15, Olivier BONHOMME wrote:
Hello again,
I have to make a quick update. I realized that I wasn't using the correct results file :(. Sorry for the noise about that terrible mistake!
So there is some progress, but now I have an issue that I really don't understand.
When using the (correct) results file with the command oscap remediate, it seems that the remediation I wrote is never selected nor even analyzed: I enabled verbose mode with the DEVEL level and I can't see anything about the remediation I wrote in the stacktrace.
Does anybody have an idea why my remediation is not selected? I updated the GIST with the correct results file.
Important precision: I use CentOS, not RHEL.
Thanks again for your help
Regards, Olivier Bonhomme
On 26/12/2017 at 17:53, Olivier BONHOMME wrote:
Hello again,
After more investigation, I think I found the problem. I didn't include the CPE dictionary when executing the remediation, so most of the remediations were considered as not applicable!
When using --cpe ssg-rhel7-cpe-dictionary.xml, the remediations, including the one I just wrote, are selected and applied.
Regards, Olivier Bonhomme
Hello Olivier, great to hear that you were able to solve the issue! Response times are slower here over the holidays...
For the CPE problem, I suggest using datastreams. They have the CPE bundled within, so they work out of the box, so to say. It wasn't so important in the past, when we used only standard CPEs, as these are also shipped as part of oscap. But now, as we have included support for containerized environments (using SSG-based cpe:/a:machine and cpe:/a:container), using the default will show lots of stuff as not applicable.
And I have checked the patch and merged it, thank you! Marek
On 12/30/2017 03:04 PM, Olivier BONHOMME wrote:
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
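Olivier's finding (remediations silently treated as not applicable when no CPE matches) and Marek's datastream advice, as an added example that is not code from the thread or from the SSG project: a POSIX shell helper that counts rule results in an oscap results file and flags a likely CPE problem, followed by the datastream-based scan and remediate commands. The results excerpt, the rule ids and the profile id are constructed or assumed, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSG: before blaming a new
# remediation, count the rules a scan marked "notapplicable". When most rules
# are notapplicable the platform CPE never matched, and remediate skips them.
# Constructed XCCDF results excerpt in the shape oscap writes (not a real scan);
# rule ids are placeholders. Real output puts idref and <result> on separate
# lines, as in rule _c; the parsers below handle both layouts.
RESULTS_SAMPLE='<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_a"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_b"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_c">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_d"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_placeholder_e"><result>notapplicable</result></rule-result>
</TestResult>'
# write_sample FILE: materialise the constructed results for the demo/tests.
write_sample() { printf '%s\n' "$RESULTS_SAMPLE" > "$1"; }
# count_result FILE STATUS: rules with STATUS (pass, fail, notapplicable, ...).
# grep -c prints 0 when nothing matches but exits 1, hence "|| true".
count_result() { grep -c "<result>$2</result>" "$1" || true; }
# notapplicable_rules FILE: ids of the rules that were skipped. Remember the
# last idref seen and print it when the notapplicable result line comes along.
notapplicable_rules() {
  awk 'match($0, /idref="[^"]+"/) { id = substr($0, RSTART + 7, RLENGTH - 8) }
       /<result>notapplicable<\/result>/ { print id }' "$1"
}
# cpe_diagnosis FILE: "suspect-cpe" when more rules were skipped than were
# actually evaluated (pass + fail); otherwise "platform-ok".
cpe_diagnosis() {
  na=$(count_result "$1" notapplicable)
  evaluated=$(( $(count_result "$1" pass) + $(count_result "$1" fail) ))
  if [ "$na" -gt "$evaluated" ]; then echo suspect-cpe; else echo platform-ok; fi
}
# Scan, then remediate from the results, using the datastream so the CPE
# dictionary is bundled (Marek's advice). Profile id is an assumption; the
# demo below does not call this. "oscap xccdf eval" exits 2 when a rule fails.
scan_and_remediate() {
  oscap xccdf eval --profile "${1:-xccdf_org.ssgproject.content_profile_stig-rhel7-disa}" \
    --results results.xml ssg-rhel7-ds.xml || [ $? -eq 2 ] || return 1
  oscap xccdf remediate --results remediated.xml results.xml
}
TMP=$(mktemp) && write_sample "$TMP"
echo "notapplicable: $(count_result "$TMP" notapplicable), verdict: $(cpe_diagnosis "$TMP")"
rm -f "$TMP"
```

With the XCCDF file instead of the datastream, both eval and remediate need the `--cpe ssg-rhel7-cpe-dictionary.xml` option Olivier ended up using.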
On 1/2/18 6:58 AM, Marek Haicman wrote:
Hello Olivier, great to hear that you were able to solve the issue! Response times are slower here over the holidays...
For the cpe problem, I suggest to use datastreams. It has CPE bundled within, so it works out-of-the-box so to say. It wasn't so important in the past, where we used only standard CPEs, as these are also shipped as part of oscap. But now, as we included support for containerized environments (using SSG-based cpe:/a:machine and cpe:/a:container), using default will show lots of stuff not applicable.
And I have checked the patch and merged it, thank you! Marek
Thanks Olivier for sending your notes to the mailing list.... even if you felt like you were just talking to yourself over the holidays :)
As a community we haven't focused much on developing a good FAQ/knowledge base/something that archives commonly asked questions. There's been some talk about potentially using stack overflow for this. Would that be better than keeping a GitHub wiki page?
IMHO it would, because of the number of developers that try stack overflow first.
On the other side, most people are subscribed to the mailing list and may not actively monitor stack overflow...
I'd actually say both. SO can overwhelm you with results that you have to wade through, especially if you don't know enough to ask a specific question. Can't tell you how many times I've googled something and the SO hit was only tied to a related/trending section sharing a keyword. A wiki provides a nice central location that doesn't have this noise, and can make it easier to find what you want.
Robert Sanders Sr. Secure Systems Engineer
FORCEPOINT T +1.703.896.4762 F +1.703.318.5041 www.forcepoint.com
From: Shawn Wells [shawn@redhat.com]
Sent: Tuesday, January 02, 2018 2:39 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: EXTERNAL: Re: Issues for writing a remediation
On 02/01/2018 at 20:39, Shawn Wells wrote:
Hello Shawn, Marek and the community,
First of all, thanks for having accepted my first patch into the scap-security-guide master branch. I will try to provide other OVAL checks and associated remediations for missing STIG rules in the next days/weeks.
In order to answer your questions, as a total newbie in the SSG community, so I guess with a completely external point of view, I think the GitHub wiki page is the right place to add the developer rules. When I tried to write my first check, the documentation I read was the developer guide. In my opinion, it would be nice to add things to that documentation.
Considering my small experience, I would add for example the advice provided by Marek, like using the DS file instead of the XCCDF. In a more general way, what about adding a chapter giving the commands to use for validating our new checks and remediations?
For me, there is already interesting stuff in the developer guide. It was a good starting point for doing my first contributions.
Maybe I am old school but compared to SO, I prefer the documentation on the Github pages because it's a centralized place where we can find interesting information. And added to that, the mailing list is also a good channel for additional support because it's also centralized with an easy way to search for data using the archives.
Here are my 2 cents.
Regards, Olivier