tl;dr: Why I think we need OVAL 5.11 in SSG/Fedora. And what problems it poses.


OVAL 5.11 is the latest (released) version of the OVAL standard. Version 5.11 adds support for assessing systemd properties, hence this version is important for anyone auditing present-day Linux. The most notable user is the SCAP-Security-Guide project, which develops configuration baselines (STIG, USGCB, etc.) for RHEL7.

OVAL 5.11 is very similar to the previous versions, thus one would conclude that the upgrade should be straightforward. Indeed, from a tool implementation perspective the upgrade is easy.

OpenSCAP 1.2.2 brings in the support for OVAL 5.11.


With prior OpenSCAP versions, certain DataStream operations with OVAL 5.11 are not possible. This is due to the standard DataStream 1.2 schema including the OVAL 5.10 XSD.

Hence, for developing OVAL 5.11 content you need OpenSCAP 1.2.2 or greater.

And here comes the problem: SCAP-Security-Guide contains multiple separate guidances, each for a different target (RHEL6, RHEL7, or Fedora). The majority of contributors are used to building all the guidances with a single build process on RHEL6 or RHEL7.

At the time of writing, neither RHEL6 nor RHEL7 tooling includes support for OVAL 5.11. So, the tools on RHEL6 and RHEL7 will be limited in processing OVAL 5.11 (SSG/Fedora) content.

At the same time, there is value in moving the edge and starting to build OVAL 5.11 (systemd) content for the Fedora target. We will test systemd checks in Fedora and move them to the RHEL7 STIG later on.

Hence, it seems that the best way to proceed is buildtime magic: build Fedora content only when the tools are capable of building it. The downside is that RHEL6/RHEL7 contributors will not be able to build Fedora content (until the OpenSCAP 1.2.2 update hits their systems).

Jan Černý has already started adding systemd support to SSG/Fedora in

    https://github.com/OpenSCAP/scap-security-guide/pull/527

Ideas?

~š.
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
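The build-time gate proposed in the post, as an added example that is not SSG's own build code: it reads the OVAL schema version from the content's generator block, reads the oscap release from the banner line of `oscap --version`, and skips the build when the installed tool is too old. The banner format and the 5.10 minimum are assumptions; the "OVAL 5.11 needs OpenSCAP 1.2.2" rule is the one stated in the post.

```python
import re
import xml.etree.ElementTree as ET

OVAL_COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"
OVAL_DEFS_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Minimum OpenSCAP release able to process a given OVAL schema version.
# 5.11 -> 1.2.2 is stated in the post; 5.10 -> 1.0.0 is an assumption.
MIN_OSCAP_FOR_OVAL = {(5, 10): (1, 0, 0), (5, 11): (1, 2, 2)}

def parse_version(text):
    """'5.11' -> (5, 11); '1.2.2' -> (1, 2, 2)."""
    return tuple(int(p) for p in text.strip().split("."))

def oval_schema_version(xml_text):
    """Read <oval:schema_version> from the generator block of an OVAL file."""
    root = ET.fromstring(xml_text)
    elem = root.find(f"{{{OVAL_DEFS_NS}}}generator/{{{OVAL_COMMON_NS}}}schema_version")
    if elem is None or not elem.text:
        raise ValueError("no schema_version in OVAL generator block")
    return parse_version(elem.text)

def oscap_version(banner):
    """Pull the release out of the first line of `oscap --version`.
    Assumed banner shape: 'OpenSCAP command line tool (oscap) 1.2.2'."""
    m = re.search(r"\(oscap\)\s+(\d+(?:\.\d+)+)", banner)
    if not m:
        raise ValueError("could not find oscap version in banner")
    return parse_version(m.group(1))

def can_build(xml_text, banner):
    """True if the installed oscap meets the minimum for the content's OVAL version."""
    needed = MIN_OSCAP_FOR_OVAL.get(oval_schema_version(xml_text))
    if needed is None:
        return False  # unknown OVAL version: skip the build rather than guess
    return oscap_version(banner) >= needed

# Constructed sample input: a minimal OVAL 5.11 header and two oscap banners.
SAMPLE_OVAL_511 = f"""<oval_definitions xmlns="{OVAL_DEFS_NS}" xmlns:oval="{OVAL_COMMON_NS}">
  <generator>
    <oval:product_name>example</oval:product_name>
    <oval:schema_version>5.11</oval:schema_version>
  </generator>
</oval_definitions>"""
OSCAP_RHEL7_BANNER = "OpenSCAP command line tool (oscap) 1.2.1\n"  # constructed
OSCAP_NEW_BANNER = "OpenSCAP command line tool (oscap) 1.2.2\n"  # constructed

if __name__ == "__main__":
    print("build Fedora content on RHEL7 tooling:", can_build(SAMPLE_OVAL_511, OSCAP_RHEL7_BANNER))
    print("build Fedora content with 1.2.2:", can_build(SAMPLE_OVAL_511, OSCAP_NEW_BANNER))
```

In a real build the banner would come from `subprocess.run(["oscap", "--version"], capture_output=True, text=True).stdout` instead of the constructed strings.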
