----- Original Message -----
> From: "Šimon Lukašík" <[email protected]>
> To: [email protected]
> Sent: Wednesday, April 22, 2015 10:50:36 AM
> Subject: OVAL 5.11 Woes
>
> tl;dr: Why I think we need OVAL 5.11 in SSG/Fedora. And what problems
> it poses.
>
> OVAL 5.11 is the latest (released) version of the OVAL standard. Version
> 5.11 adds support for assessing systemd properties, hence this version
> is important for anyone auditing Linux nowadays. The most notable user is
> the SCAP-Security-Guide project that develops configuration baselines (STIG,
> USGCB, etc.) for RHEL7.
>
> OVAL 5.11 is very similar to the previous versions, thus one would
> conclude that the upgrade should be straightforward. Indeed, from the tool
> implementation perspective the upgrade is easy.
>
> OpenSCAP 1.2.2 brings in the support for OVAL 5.11.
>
> With prior OpenSCAP versions, certain DataStream operations with OVAL
> 5.11 are not possible. This is due to the standard DataStream 1.2 schema
> including the OVAL 5.10 XSD.
>
> Hence, for developing OVAL 5.11 content you need OpenSCAP 1.2.2 or greater.
>
> And here comes the problem: SCAP-Security-Guide contains multiple
> separate guidances, each for a different target (RHEL6, RHEL7, or
> Fedora). The majority of contributors are used to building all the guidances
> by a single build process on RHEL6 or RHEL7.
>
> At the time of writing neither RHEL6 nor RHEL7 tooling includes support
> for OVAL 5.11. So, the tools on RHEL6 and RHEL7 will be limited in
> processing OVAL 5.11 (SSG/Fedora) content.
>
> At the same time, there is value in moving the edge and starting to build
> OVAL 5.11 (systemd) content for the Fedora target. We will test systemd
> checks in Fedora and move them to the RHEL7 STIG later on.
+1

Since people having experience with developing SCAP content will hopefully
confirm that the OVAL language possibilities are limited wrt quickly evolving
OS features, and since it takes time till newly introduced OVAL language
concepts get projected into scanner tools, the only way to keep aligned with
the new OVAL features is to adopt the new language version as soon as
possible. So I see the effort to add OVAL 5.11 support to / against Fedora
content as a reasonable step. Even if this step would mean it won't be
possible to build Fedora content on Red Hat Enterprise Linux 6 / 7 systems.

> Hence, it seems that the best way to proceed is buildtime magic: Build
> Fedora content only when the tools are capable of building it. Downside is
> that RHEL6/RHEL7 contributors will not be able to build Fedora content
> (until the OpenSCAP 1.2.2 update hits their systems)

+1

I can't see a better way to simultaneously:
* not break existing RHEL/6 | RHEL/7 content, and
* add OVAL 5.11 language support for Fedora content (the idea why we might
  want to support OVAL 5.11 in Fedora sooner rather than later is expressed
  in my reply to your previous paragraph).

> Jan Černý has already started adding systemd support to SSG/Fedora in
>
> https://github.com/OpenSCAP/scap-security-guide/pull/527

Will look at this.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> Ideas?
>
> ~š.
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
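The buildtime gate discussed in the thread (build the Fedora / OVAL 5.11 content only when the local scanner can process it, keep building RHEL6 and RHEL7 content regardless) can be implemented by probing `oscap --version` before deciding which targets to build. The POSIX shell script below is an added example, not code from this thread or from the SCAP-Security-Guide build system. It assumes the output layout shown in the embedded constructed sample (tool version on the first line, and an `OVAL Version:` line in a supported-specifications section); because older releases may not print that section, it falls back to the tool-version threshold of 1.2.2 stated in the thread. The function and variable names are this example's own.

```shell
#!/bin/sh
# Decide whether the installed OpenSCAP can build OVAL 5.11 content.

# Constructed sample of `oscap --version` output (an assumption about the
# layout, modelled on OpenSCAP 1.2.x). It lets the gate run without oscap.
SAMPLE_OSCAP_VERSION_OUTPUT='OpenSCAP command line tool (oscap) 1.2.2
Copyright 2009--2015 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11
CPE Version: 2.3'

# version_ge A B: succeed when dotted version A >= B, compared component-wise
# as integers; a missing trailing component counts as 0 (so 5.11.1 >= 5.11).
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        c1=${v1%%.*}
        c2=${v2%%.*}
        c1=${c1:-0}
        c2=${c2:-0}
        if [ "$c1" -gt "$c2" ]; then return 0; fi
        if [ "$c1" -lt "$c2" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# oscap_tool_version OUTPUT: print the tool version from the banner line,
# nothing if the banner is not recognised.
oscap_tool_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^OpenSCAP command line tool (oscap) \([0-9.]*\).*/\1/p' \
        | head -n 1
}

# oscap_oval_version OUTPUT: print the advertised OVAL language version,
# nothing if the output carries no "OVAL Version:" line.
oscap_oval_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^OVAL Version: *\([0-9.]*\).*/\1/p' \
        | head -n 1
}

# can_build_oval_511 OUTPUT: succeed when the scanner that printed OUTPUT
# supports OVAL 5.11. Prefer the explicit OVAL version; fall back to the
# tool version threshold (OpenSCAP 1.2.2) named in the thread.
can_build_oval_511() {
    oval=$(oscap_oval_version "$1")
    if [ -n "$oval" ]; then
        version_ge "$oval" 5.11
        return $?
    fi
    tool=$(oscap_tool_version "$1")
    [ -n "$tool" ] && version_ge "$tool" 1.2.2
}

# Build gate: probe the real tool when present, otherwise use the sample so
# the script still demonstrates the decision offline.
if command -v oscap >/dev/null 2>&1; then
    OSCAP_OUTPUT=$(oscap --version 2>/dev/null)
else
    OSCAP_OUTPUT=$SAMPLE_OSCAP_VERSION_OUTPUT
fi

if can_build_oval_511 "$OSCAP_OUTPUT"; then
    echo "building RHEL6, RHEL7 and Fedora (OVAL 5.11) content"
else
    echo "scanner lacks OVAL 5.11 support; building RHEL6 and RHEL7 only"
fi
```

In a Makefile the `if` at the bottom would become a conditional that adds the Fedora target to the default list, so RHEL6/RHEL7 contributors without OpenSCAP 1.2.2 still get a clean build of everything their scanner can handle.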
