Personally, I would like it if I could just flip a switch and tell it to build *all* profiles for the 'RedHat family'.
Primarily, I use this for testing and just kicking around new ideas via Vagrant since getting ahold of "real" RedHat is still not viable in public Travis CI via Vagrant. I can do everything else, but not that.

Trevor

On Mon, Aug 5, 2019 at 4:28 AM Jan Cerny <[email protected]> wrote:

> Hi Tim,
>
> The list of profiles that get included in CentOS XCCDFs is defined by
> variable "standard_profiles" in ssg/constants.py on line 57.
> If you want to include any RHEL Profile into CentOS XCCDF add its ID
> to this variable.
>
> The magic that creates CentOS XCCDF is in
> build-scripts/enable_derivatives.py and ssg/build_derivatives.py.
> Basically, it takes the complete RHEL XCCDF and removes some things.
>
> If you want to create a new profile, put it into profiles directory,
> eg. rhel7/profiles.
>
> We currently don't have any way to define that the profile is CentOS
> only. That means your new profile will also appear in RHEL XCCDF and
> Scientific Linux XCCDF. We will probably need to develop some logic
> for that.
>
> Alternatively, CentOS could be transformed to a separate product. This
> has been done for Oracle Linux. The drawback of creating a separate
> product is that it requires to duplicate a lot of things (profiles,
> CPE dictionaries,) and also to add the product ID into "prodtype"
> field in all rules and OVALs.
>
> Regards
>
> On Thu, Aug 1, 2019 at 3:43 PM Tim Burress <[email protected]> wrote:
> >
> > Hello!
> > I'm still learning my way around the directory tree and the build system
> > and have a couple of questions. For historical reasons, we typically use
> > CentOS on our servers, and I see that, instead of having its own product
> > tree, CentOS is considered a derivative of RHEL. I suppose the reasons for
> > that are pretty obvious, though it does create a bit of a problem when
> > trying to do something specific to CentOS. One question I have about the
> > way things are set up now, though, is that, although the XCCDF for RHEL7
> > defines 12 profiles, the XCCDF for CentOS only defines 2. I've grep'ed my
> > way around the build system trying to figure out where the logic for that
> > is, but haven't had any luck. Could someone point me to the right place?
> >
> > What we want to do, ultimately, is define several new profiles that
> > would be applied to CentOS within our organization, depending on the risk
> > level of the system. The baseline for this would be close to the RHEL7 CUI
> > profile, with a few obvious exceptions. Given the special status of CentOS
> > as a derivative of RHEL, do you have any suggestions for a good way to do
> > that? I'm guessing we'd have to define the profiles in rhel7/profiles, but
> > then use some logic somewhere (nice and vague...) to apply them to CentOS
> > so they end up in the CentOS XCCDF and DS, but rather than trial-and-error
> > I thought I would just ask.
> >
> > Along the way we'll probably write some OVAL content and rules to handle
> > local situations and would be happy to contribute those if they would be
> > useful.
> >
> > Thanks!
> > _______________________________________________
> > scap-security-guide mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>
> --
> Jan Černý
> Security Technologies | Red Hat, Inc.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
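The filtering step described in Jan's reply (a derivative XCCDF is the complete RHEL XCCDF with profiles outside an allowlist removed), sketched as an added example that is not part of the thread and is not the project's build code. The sample benchmark, its profile and rule IDs, and the `ALLOWED_PROFILES` list standing in for "standard_profiles" are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal (not schema-complete) XCCDF 1.1 benchmark.
# Profile and rule IDs are illustrative, not copied from the project's content.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="SAMPLE">
  <Profile id="standard"><select idref="rule_a" selected="true"/></Profile>
  <Profile id="cui"><select idref="rule_a" selected="true"/>
    <select idref="rule_b" selected="true"/></Profile>
  <Profile id="site-high-risk"><select idref="rule_b" selected="true"/></Profile>
  <Rule id="rule_a"/><Rule id="rule_b"/>
</Benchmark>"""

# Hypothetical allowlist playing the role of the "standard_profiles" variable.
ALLOWED_PROFILES = ["standard", "site-high-risk"]


def namespace_of(root):
    """Return the '{uri}' prefix of the root tag so XCCDF 1.1 and 1.2 both work."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def profile_ids(root):
    """IDs of the Profile elements directly under the Benchmark, in document order."""
    return [p.get("id") for p in root.findall(namespace_of(root) + "Profile")]


def derive_benchmark(xml_text, allowed):
    """Parse the source benchmark and drop every Profile not in `allowed`.

    An allowlisted ID that matches no profile raises, so a typo cannot
    silently produce a derivative that lacks the intended baseline.
    """
    root = ET.fromstring(xml_text)
    missing = [pid for pid in allowed if pid not in profile_ids(root)]
    if missing:
        raise ValueError("allowlisted profiles not in source: %s" % missing)
    for prof in root.findall(namespace_of(root) + "Profile"):
        if prof.get("id") not in allowed:
            root.remove(prof)  # rules stay; only the profile is removed
    return root


def dropped_profiles(xml_text, derived_root):
    """Profiles present in the source benchmark but absent from the derivative."""
    source_ids = set(profile_ids(ET.fromstring(xml_text)))
    return sorted(source_ids - set(profile_ids(derived_root)))


if __name__ == "__main__":
    derived = derive_benchmark(SAMPLE_XCCDF, ALLOWED_PROFILES)
    print("kept:   ", profile_ids(derived))
    print("dropped:", dropped_profiles(SAMPLE_XCCDF, derived))
```

Comparing the kept and dropped lists against the built derivative is a quick check that a locally defined profile actually reached the CentOS output.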
