Hello everybody,
We periodically run an XCCDF evaluation of sce-community-content [1], and I'd like to inform you that we have also included the scap-security-guide XCCDF in our automated test system [2].
Tests are run on a RHEL-6.3 virtual system installed from a kickstart similar to the USGCB kickstart. If you add <fix> remediations to your content, we can merge them into the kickstart we use and reinstall the system.
We use the oscap tool from the openscap package, version 0.8.2 (built from git sources). This tool validates the input content, evaluates the XCCDF and also validates the output data. If there is no problem in the scan, the columns '# pass', '# failed' and '# other' are filled with values based on the results in results.xml, the "full report" link refers to the report.html made by oscap, and the "git revision" link refers to the git web frontend at the git revision used. If there is any problem during the scan, "full report" refers to the oscap log.
[1] https://fedorahosted.org/sce-community-content/wiki/Results
[2] https://fedorahosted.org/sce-community-content/raw-attachment/wiki/Results_R...
Regards,
Petr
--
Petr Lautrbach plautrba@redhat.com, Red Hat, Inc.
This is excellent -- thanks Petr!
Delivering <fix> tags that can create a kickstart is definitely a goal: input/fixes/bash-ks.xml awaits contributions in case anybody out there feels ambitious...
In this use case, the oscap scan is being used to guarantee idempotent behavior for remediation. For other use cases (such as remediation during system operation, driven by administrators) we will want to coordinate with the Aqueduct project and Tresys projects (e.g. secstate), and these may involve additional sets of <fix> tags.
On 05/25/2012 08:33 AM, Petr Lautrbach wrote:
Hello everybody,
We periodically run an XCCDF evaluation of sce-community-content [1], and I'd like to inform you that we have also included the scap-security-guide XCCDF in our automated test system [2].
Tests are run on a RHEL-6.3 virtual system installed from a kickstart similar to the USGCB kickstart. If you add <fix> remediations to your content, we can merge them into the kickstart we use and reinstall the system.
We use the oscap tool from the openscap package, version 0.8.2 (built from git sources). This tool validates the input content, evaluates the XCCDF and also validates the output data. If there is no problem in the scan, the columns '# pass', '# failed' and '# other' are filled with values based on the results in results.xml, the "full report" link refers to the report.html made by oscap, and the "git revision" link refers to the git web frontend at the git revision used. If there is any problem during the scan, "full report" refers to the oscap log.
[1] https://fedorahosted.org/sce-community-content/wiki/Results
[2] https://fedorahosted.org/sce-community-content/raw-attachment/wiki/Results_R...
Regards,
Petr
Petr Lautrbach plautrba@redhat.com, Red Hat, Inc.
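As an added illustration (not part of the original messages and not the test system's own code), this is one way the '# pass', '# failed' and '# other' columns described above could be derived from an oscap results.xml. The sample document and rule ids are constructed, and counting every result other than pass and fail as "other" is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the XCCDF 1.1 namespace; rule ids are made up.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <TestResult id="sample-testresult">
    <rule-result idref="rule-a"><result>pass</result></rule-result>
    <rule-result idref="rule-b"><result>fail</result></rule-result>
    <rule-result idref="rule-c"><result>notselected</result></rule-result>
    <rule-result idref="rule-d"><result>error</result></rule-result>
    <rule-result idref="rule-e"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""

def local(tag):
    """Strip the '{namespace}' prefix so XCCDF 1.1 and 1.2 files both match."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_text):
    """Return (columns, failed_rule_ids) for the last TestResult in the file."""
    root = ET.fromstring(xml_text)
    test_results = [e for e in root.iter() if local(e.tag) == "TestResult"]
    if not test_results:
        # A scan that aborted leaves no TestResult; report that, not zeros.
        raise ValueError("no TestResult element: the scan produced no results")
    counts, failed = Counter(), []
    for rr in test_results[-1]:
        if local(rr.tag) != "rule-result":
            continue
        result = next((c.text or "" for c in rr if local(c.tag) == "result"), "")
        result = result.strip()
        if result == "pass":
            counts["pass"] += 1
        elif result == "fail":
            counts["failed"] += 1
            failed.append(rr.get("idref"))
        else:
            # Assumption: error, unknown, notselected, notchecked, etc.
            # are all counted in the '# other' column.
            counts["other"] += 1
    columns = {k: counts[k] for k in ("pass", "failed", "other")}
    return columns, failed

if __name__ == "__main__":
    print(summarize(SAMPLE_RESULTS))
```

Comparing the list of failed rule ids from a scan before and after a reinstall with merged <fix> remediations shows which rules the kickstart actually remediated.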