Hi everyone,
I'm currently checking if it is possible to strip down everything unneeded from a generated XCCDF, OVAL or DS file or to include just the needed rules and OVAL definitions for a certain profile during generation.
For example:
When I generate the rhel7/sle12 output after running the cmake script, all profiles are included inside the XCCDF and DS files.
Furthermore, all OVAL definitions get included even if they are not part of any listed profile. I understand that these are two pairs of shoes. I'm just curious if there is a way to limit the OVAL output only to those definitions that are actually needed for the defined profiles.
So, is it possible to limit the output generation to a single profile and to limit the OVAL output as well?
This is interesting especially for the DS output where I want to have a small file with all needed tests and definitions for just one profile.
Any hint or direction is appreciated. ;)
Regards, Alex~
Hi Alex,
As a user, I couldn't figure out how to do this using command line arguments.
The code for the FIPS stripping is at https://github.com/ComplianceAsCode/content/blob/master/build-scripts/enable... and you may be able to figure out how to graft in some Python to do what you need from that.
That said, what is the benefit of stripping out everything else besides size?
Trevor
On Mon, Mar 11, 2019 at 9:57 AM Alexander Bergmann abergmann@suse.com wrote:
> Hi everyone,
> I'm currently checking if it is possible to strip down everything unneeded from a generated XCCDF, OVAL or DS file or to include just the needed rules and OVAL definitions for a certain profile during generation.
> For example:
> When I generate the rhel7/sle12 output after running the cmake script, all profiles are included inside the XCCDF and DS files.
> Furthermore, all OVAL definitions get included even if they are not part of any listed profile. I understand that these are two pairs of shoes. I'm just curious if there is a way to limit the OVAL output only to those definitions that are actually needed for the defined profiles.
> So, is it possible to limit the output generation to a single profile and to limit the OVAL output as well?
> This is interesting especially for the DS output where I want to have a small file with all needed tests and definitions for just one profile.
> Any hint or direction is appreciated. ;)
> Regards, Alex~
> -- Alexander Bergmann abergmann@suse.com, Security Engineer, GPG:9FFA4886 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg)
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
In each profile, you could set `documentation_complete` to `False` except for the profile that you want to build. However, there will still be some content that gets added because it applies to all products.
But outside of filesize, why are you wanting to remove content that is tailorable and customizable with SCAP-workbench?
On Mon, Mar 11, 2019 at 7:57 AM Alexander Bergmann abergmann@suse.com wrote:
> Hi everyone,
> I'm currently checking if it is possible to strip down everything unneeded from a generated XCCDF, OVAL or DS file or to include just the needed rules and OVAL definitions for a certain profile during generation.
> For example:
> When I generate the rhel7/sle12 output after running the cmake script, all profiles are included inside the XCCDF and DS files.
> Furthermore, all OVAL definitions get included even if they are not part of any listed profile. I understand that these are two pairs of shoes. I'm just curious if there is a way to limit the OVAL output only to those definitions that are actually needed for the defined profiles.
> So, is it possible to limit the output generation to a single profile and to limit the OVAL output as well?
> This is interesting especially for the DS output where I want to have a small file with all needed tests and definitions for just one profile.
> Any hint or direction is appreciated. ;)
> Regards, Alex~
> -- Alexander Bergmann abergmann@suse.com, Security Engineer, GPG:9FFA4886 SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton HRB 21284 (AG Nürnberg)
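As an added example that is not part of the thread or of the project's build scripts, here is one way to compute, after a build, which rules a single profile selects and which OVAL definitions those rules need, including definitions pulled in through `extend_definition`. The function names and the sample XCCDF/OVAL documents are constructed for illustration; it assumes selection is expressed only by profile `select` elements and Rule defaults (no Group-level selection, no profile `extends`).

```python
import xml.etree.ElementTree as ET
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
# Constructed sample input, not taken from a real benchmark build.
XCCDF = f"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
 <Profile id="standard"><select idref="rule_a" selected="true"/></Profile>
 <Profile id="other"><select idref="rule_b" selected="true"/></Profile>
 <Group id="g">
  <Rule id="rule_a" selected="false"><check system="{OVAL_NS}">
   <check-content-ref href="oval.xml" name="oval:x:def:1"/></check></Rule>
  <Rule id="rule_b" selected="false"><check system="{OVAL_NS}">
   <check-content-ref href="oval.xml" name="oval:x:def:2"/></check></Rule>
 </Group></Benchmark>"""
OVAL = f"""<oval_definitions xmlns="{OVAL_NS}"><definitions>
 <definition id="oval:x:def:1"><criteria>
  <extend_definition definition_ref="oval:x:def:3"/></criteria></definition>
 <definition id="oval:x:def:2"/><definition id="oval:x:def:3"/>
 <definition id="oval:x:def:4"/></definitions></oval_definitions>"""

def local(tag):
    """Drop the XML namespace so XCCDF 1.1 and 1.2 are handled alike."""
    return tag.rsplit("}", 1)[-1]

def needed_definitions(xccdf_root, oval_root, profile_id):
    """Return (rule ids, OVAL definition ids) that one profile requires."""
    # Assumption: Group-level selection and Profile 'extends' are not used.
    profile = next(e for e in xccdf_root.iter()
                   if local(e.tag) == "Profile" and e.get("id") == profile_id)
    # A profile's <select> overrides the rule's own 'selected' default.
    chosen = {s.get("idref"): s.get("selected") == "true"
              for s in profile if local(s.tag) == "select"}
    rules, defs, todo = set(), set(), []
    for rule in (e for e in xccdf_root.iter() if local(e.tag) == "Rule"):
        if chosen.get(rule.get("id"), rule.get("selected", "true") == "true"):
            rules.add(rule.get("id"))
            todo += [r.get("name") for c in rule.iter()
                     if local(c.tag) == "check" and c.get("system") == OVAL_NS
                     for r in c if local(r.tag) == "check-content-ref"]
    # Follow extend_definition so indirectly used definitions are kept too.
    extends = {d.get("id"): [x.get("definition_ref") for x in d.iter()
                             if local(x.tag) == "extend_definition"]
               for d in oval_root.iter() if local(d.tag) == "definition"}
    while todo:
        cur = todo.pop()
        if cur and cur not in defs:
            defs.add(cur)
            todo += extends.get(cur, [])
    return rules, defs

if __name__ == "__main__":
    print(needed_definitions(ET.fromstring(XCCDF), ET.fromstring(OVAL), "standard"))
```

In the sample, `oval:x:def:4` is referenced by no rule and `oval:x:def:2` only by the other profile, so neither appears in the result for `standard`.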