On 5/14/14, 5:55 AM, Jan Lieskovsky wrote:
Hello Shawn,
----- Original Message -----
From: "Shawn Wells" <[email protected]>
To: [email protected]
Sent: Tuesday, May 13, 2014 10:15:13 PM
Subject: Re: SCC (UNCLASSIFIED)
On 5/13/14, 8:20 AM, Shaw, Ray V CTR USARMY ARL (US) wrote:
Classification: UNCLASSIFIED
Caveats: NONE
Unfortunately, I'm not aware of a way to do that. You just get to select
your
XCCDF and the stream you want, and SCC kind of does its thing (or doesn't,
in
this case); the other files aren't specified explicitly as they are with
OpenSCAP. It just has them all and decides what to do with them. I tried
moving the cpe-oval file out of /opt/scc/Resources/Content, but then it
just
complained, used its generic CPE dictionary, and failed anyway.
I also tried loading ssg-rhel6-oval.xml as OVAL content, and running a scan
that way, but that comes up with:
[ERROR] Could not find the external variables file for "ssg-rhel6-oval".
And yes, definitely running RHEL :p I've tried it on a few different
systems,
both Workstation and Server.
Strange. The SCC guys and I traded EMails last night, they're sending
over the latest SCC build. The SSG community has a good relationship
with that team, many even beta test their releases, making this odd.
Will ping the list once I've the latest version downloaded (hopefully
today).
If it's not a business secret would it be possible to document the way,
how such beta release SCC build can be obtained? Even informally (to
be read as - mail this email contact with justification / reasoning
[referencing particular SSG mailing list use case] why you need access
to the software) would be sufficient.
The sole motivation behind this request being it's not the first time
there's is some SCC issue with SSG content reported (SCC behaving differently
than OpenSCAP) and I think it would only help to improve the maturity
(of both?) of the projects we to be directly able to test / experience
the issues our users are experiencing (we to be able more quickly to
identify potential reasons & fix them where / if necessary).
Have searched further in the past, how SCC can be obtained, but from
the page:
[1]
http://www.public.navy.mil/spawar/Atlantic/ProductsServices/Pages/SCAP.aspx
to be able to download that software you need to belong in one of the following
groups:
* Department of Defence (DoD) user with valid Common Access Card (CAC) id,
* Non-DOD - US Government Employee or contractor,
There's also alternate method (if you don't fall in none of the above groups),
it's possible to request access via [email protected] email address
providing
the following justification:
1) US Federal agency you are supporting
2) Government POC with .gov or .mil email address or Contract Number
but since I didn't find a way how either of the three can be achieved (is this
documented somewhere on SSG's wiki?) gave up on following SCC error / bug
reports
from our customers, since it's hard to identify the reason / source of the
problem,
when you aren't able to download / try the software in question.
I think there might be more people on this mailing list able to offer their help
into investigating such bug reports / use cases, but just due to the limitation
not having access to the tool (and even not being able in transparent way to
obtain
it), not investing their time in these cases further (which doesn't help neither
of the two projects).
emailed SPAWAR, they said:
Just have them email the SCC mailbox and we'll add them to our distro list, so
they will get any updates in the future as well. Also if you want to be on
alpha and beta testing builds, just indicate as such.
So, for people interested, shoot a note over to [email protected]
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
