-----Original Message-----
From: secstate-bounces(a)lists.fedorahosted.org [mailto:secstate-
bounces(a)lists.fedorahosted.org] On Behalf Of Shawn Wells
Sent: Sunday, December 16, 2012 8:43 PM
To: secstate(a)lists.fedorahosted.org
Subject: Re: [SecState] SecState Evaluation
On 12/14/12 10:56 AM, Shawn Wells wrote:
> On 12/7/12 11:31 AM, Rodrian, Logan P (IS) wrote:
>> Attached are 4 CSV files, per your request. Their contents are as
>> follows:
>>
>> Bugs - Errors/inconsistencies with reporting or remediation
>> BrokenRemediation - Remediation fixes that do not perform what is
>> described AuditFalsePositivesPre - Audit report failures,
>> pre-remediation, that incorrectly report failure (check portion
>> incorrectly discovering status of checked object)
>> AuditFalsePositivesPost - Audit report failures, post-remediation,
>> that incorrectly report failure (check portion incorrectly
>> discovering status of checked object)
>>
>> I believe most of these fall into your category (2), as there is an
>> issue with the code performing work.
>>
>> Please let me know what additional information is needed/required.
>
> I had a chance to step through your spreadsheet.
>
> Many of these are bugs within the OVAL (checking) content of the SCAP
> Security Guide. I've created a number of tickets for these, located here:
>
https://fedorahosted.org/scap-security-guide/report/3
>
> The remaining items on your "REMEDIATE - Broken" and "Bugs" tab
appear
> to be originating from the Aqueduct remediation scripts.
Francisco - I'm unable to replicate this in the upstream SSG code. Do you
know what version of SSG you cloned into SecState? Can you verify this
behavior on your end? An example of what I'm doing to test is here:
https://fedorahosted.org/scap-security-guide/ticket/196
Shawn,
SecState doesn't have a cloned copy of SSG; the CLIP project pulls in both the
SecState tool and the SSG content.
I believe Logan is using CLIP for RHEL 6.2. Based on a checkout of the CLIP repo, at the
tag CLIP_RHEL_6.2_Final, it looks like the corresponding SSG git-ish is: 4d28ff3
This is from the RELEASE variable in the clip/packages/scap-security-guide/Makefile
Thanks
- Francisco
Heading out on travel for a few days, should be back online Tuesday
to
continue looking at this.
_______________________________________________
SecState mailing list
SecState(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/secstate