On Tue, Nov 21, 2017 at 3:28 PM, Olivier BONHOMME <[email protected]> wrote:
> Hello everybody,
>
> I'm still working on checking how many STIG rules have implemented
> checks in OpenSCAP profiles. When executing the oscap eval command, I
> identified that there are several checks in status notchecked.
>
> After some investigation, I identified that there were no OVAL checks
> available for these rules. After reading some documentation about the OVAL
> language, I was wondering if it will be possible to implement a check
> for these rules.
>
> For example, for the rule "homedirs must exist", the check consists in
> doing a "pwchk -r" in order to identify if the homedirs exist or not.
> With a shell script I know how to do that but in OVAL, I'm not sure if
> it is possible.
>
> So I have several questions about these kinds of checks:
> - Is it possible to implement them using OVAL with an OVAL rule which
> can do result command checks?

Yes it is.

> - Is it possible to implement these checks using another language? I
> heard about SCE but it seems to be only for OpenSCAP.

You can definitely do that, but it won't be taken advantage of by Nessus and other scanners that use SCAP.

> - Will these checks stay manual checks with notchecked status on SSG?

The plan is that these checks will have OVAL and remediation scripts in the future. It is really a matter of time, effort, and resources. There are tickets already open for each of them. You can see them at https://github.com/OpenSCAP/scap-security-guide/projects/7

Getting the XCCDF into SSG is the easy part. The rest takes time. So if you or anyone is willing and able to help get us there, PRs are welcome. :)

> Thanks for your answers.
>
> Regards,
> Olivier Bonhomme
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
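
One way the "homedirs must exist" check discussed in this thread could be written as an SCE shell check, added here as an example and not code from the thread or from SSG. The function names, the `UID_MIN` threshold and the nologin/false shell filter are assumptions, and it parses the passwd file directly instead of calling the tool named in the question; as the reply notes, SCE results are only consumed by OpenSCAP.

```shell
#!/bin/sh
# Added example: SCE-style check for "home directories must exist".
# OpenSCAP's SCE engine exports XCCDF_RESULT_* and reads the exit status;
# the numeric fallbacks are assumed so the functions also run outside oscap.
PASS=${XCCDF_RESULT_PASS:-101}
FAIL=${XCCDF_RESULT_FAIL:-102}
ERROR=${XCCDF_RESULT_ERROR:-103}

# Assumption: interactive accounts have UID >= UID_MIN and a login shell.
UID_MIN=${UID_MIN:-1000}

# missing_homedirs PASSWD_FILE [ROOT]
# Prints "user:home" for each interactive account whose home is not a
# directory. ROOT is an optional prefix (hypothetical, for offline images).
missing_homedirs() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case $user in ''|'#'*) continue ;; esac      # blank or comment line
        case $uid in ''|*[!0-9]*) continue ;; esac   # malformed UID field
        [ "$uid" -ge "$UID_MIN" ] || continue        # system account
        case $shell in */nologin|*/false) continue ;; esac
        [ -d "$root$home" ] || printf '%s:%s\n' "$user" "$home"
    done < "$passwd_file"
}

# check_homedirs PASSWD_FILE [ROOT]
# Returns the XCCDF result code and reports offenders on stderr.
check_homedirs() {
    [ -r "$1" ] || return "$ERROR"
    missing=$(missing_homedirs "$1" "${2:-}")
    [ -z "$missing" ] && return "$PASS"
    printf '%s\n' "$missing" | sed 's/^/missing home directory: /' >&2
    return "$FAIL"
}

# As an SCE check the script would end with:
#   check_homedirs /etc/passwd; exit $?
```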
