[Open-scap] OVAL content authoring tool
Šimon Lukašík
slukasik at redhat.com
Mon Apr 4 08:09:16 UTC 2016
On 04/04/2016 06:18 AM, Pravin Goyal wrote:
> Thanks, Simon. I am getting started.
>
> So far, I have figured out that we need below steps:
>
> 1) Ensure that templates are in place in one directory (call it templates) and the template to actual oval content creation works -
> a) Have OVAL xml templates (the way you desire a particular probe based check to look like - for example, disabling services, checking file permissions, etc.). Take from existing or create your own.
> b) csv files that contain the entry in the required format for a particular probe based check
> c) Python scripts to take each line item in csv and convert it into an OVAL xml based on the desired template
>
> 2) Edit Makefile to build just oval content
> a) That means combine oval singletons into one big oval assessment content
> b) have boilerplate information such as xmlns, generator, etc. in place
>
> Are the above steps good enough for oval content creation? Am I missing any steps?
>
It is about right.
There are some things that I would mention as well, but you are perhaps
already familiar with:
* There are OVAL files that are not generated from templates.
* The templating mechanism is introduced only for multiple checks that
share the logic
* Look at templates in Debian/ directory. Guys there have been able to
run the templates only during the build process. That should be the way
forward in other directories as well.
* The content authors tend to contribute XCCDF and OVAL together per
check. Writing bigger OVAL part and then following with XCCDF is not
that common.
Best,
~š.
> I am yet to work through all the steps above and just figured out the information for now. If there is anything that helps jumpstart this, it would be great, else, not a problem. I will eventually figure it out. (I come from security and compliance background and not pure developer background - so this might be at times difficult for me. But, perhaps, I will take some help locally).
>
> Thanks and regards,
> Pravin Goyal
> ________________________________________
> From: Šimon Lukašík <slukasik at redhat.com>
> Sent: Friday, April 1, 2016 7:36 PM
> To: Pravin Goyal; open-scap-list at redhat.com
> Subject: Re: [Open-scap] OVAL content authoring tool
>
> Hello Pravin,
>
> I advise you what folks working on Debian/ directory have achieved.
>
> Most of the checks will be the same for SuSE and Fedora derivatives. A
> lot is shared with Debian as well.
>
> There will be some differences though, like configuration file paths.
>
> We try to leverage shared/ directory within SSG to have common code
> written only once.
>
>
> The build scripts are still a little hairy, so I advise you to start
> with RHEL/7 or Fedora makefiles and remove everything that you don't
> need in first stage.
>
> The build scripts are always work in progress, so don't be shy to amend
> them as you see the need.
>
> Best,
> ~š.
>
> On 03/31/2016 05:36 AM, Pravin Goyal wrote:
>> Team,
>> I need help. I need to setup a new platform say "SLES 11" in "scap-security-guide" project. What are the steps to be done? Where do I start?
>>
>> I see that the community has already done a lot of automation work in churning out SCAP DS with xccdf, oval and remediation.
>>
>> Please help.
>>
>> Thanks and regards,
>> Pravin Goyal
>>
>> ________________________________________
>> From: Martin Preisler <mpreisle at redhat.com>
>> Sent: Wednesday, March 30, 2016 8:18 PM
>> To: Pravin Goyal
>> Subject: Re: [Open-scap] OVAL content authoring tool
>>
>> ----- Original Message -----
>>> From: "Pravin Goyal" <pravin.goyal at outlook.com>
>>> To: "Martin Preisler" <mpreisle at redhat.com>
>>> Sent: Wednesday, March 30, 2016 12:24:14 AM
>>> Subject: Re: [Open-scap] OVAL content authoring tool
>>>
>>> One thing that I can promise is to contribute OVAL checks that you can
>>> include in SSG. I am targeting to develop OVAL rules for SLES 11 SP3 OS. So,
>>> there would be a lot of common stuff.
>>
>> Please send your questions to the public mailing list. That way more people
>> benefit from the reply. Thanks for understanding.
>>
>>
>>> Trying to understand how to work with these transforms.
>>> ________________________________________
>>> From: Pravin Goyal <pravin.goyal at outlook.com>
>>> Sent: Wednesday, March 30, 2016 9:14 AM
>>> To: Martin Preisler
>>> Subject: Re: [Open-scap] OVAL content authoring tool
>>>
>>> Hi Martin,
>>> I could see the scripts in Github. Is there a documented way to use it?
>>>
>>> Basically, I am looking to just do OVAL content at this point of time and
>>> later merge with XCCDF document when I have it.
>>>
>>> Thanks and regards,
>>> Pravin Goyal
>>> ________________________________________
>>> From: Pravin Goyal <pravin.goyal at outlook.com>
>>> Sent: Wednesday, March 30, 2016 4:16 AM
>>> To: Martin Preisler
>>> Subject: Re: [Open-scap] OVAL content authoring tool
>>>
>>> Thanks Martin for the quick response.
>>>
>>>> I recommend looking at how SSG is built,
>>>> how we use templates to generate the boilerplate.
>>>
>>> Do you have this documented somewhere? Can you please share the link?
>>>
>>>> I recommend leveraging this community. I don't know if the project you will
>>>> be working on is an open source project but if so we will be able (and
>>>> happy)
>>>> to help you review the patches and work on the project.
>>>
>>> Thanks for extending the help. As of now, the OVAL content creation is tied
>>> very much to an internal product. STIG development for the product is in
>>> progress. We are just starting.
>>> ________________________________________
>>> From: Martin Preisler <mpreisle at redhat.com>
>>> Sent: Tuesday, March 29, 2016 9:48 PM
>>> To: Pravin Goyal
>>> Cc: open-scap-list at redhat.com
>>> Subject: Re: [Open-scap] OVAL content authoring tool
>>>
>>> ----- Original Message -----
>>>> From: "Pravin Goyal" <pravin.goyal at outlook.com>
>>>> To: open-scap-list at redhat.com
>>>> Sent: Tuesday, March 29, 2016 1:32:53 AM
>>>> Subject: [Open-scap] OVAL content authoring tool
>>>>
>>>> Hi Team,
>>>> I am sure this is a FAQ. Do you know of a well-maintained content authoring
>>>> tool?
>>>
>>> We have tried several times to come up with some fancy GUI tool to help with
>>> the development but never succeeded. The GUI tool ends up having too many
>>> options or it's not powerful enough. I recommend looking at how SSG is built,
>>> how we use templates to generate the boilerplate.
>>>
>>> The tools I suggest are git, a text editor and SSG build scripts.
>>>
>>>> I am aware of
>>>> https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL/6/transforms
>>>> that we use to develop SSG content.
>>>>
>>>> Is this still valid -
>>>> http://blog-shawndwells.rhcloud.com/wp-content/uploads/2013/07/SCAP-Workshop-Coursebook-v2.pdf
>>>> ?
>>>
>>> Looks like it is except for the repository URIs. Change them to github URIs
>>> and this will work.
>>>
>>>> Do you have any other suggestions in this regard? I am beginning a project
>>>> that would require the development of some 500+ OVAL rules. So, I am just
>>>> ensuring that I can make the best use of tools or processes already known
>>>> to
>>>> the community.
>>>
>>> I recommend leveraging this community. I don't know if the project you will
>>> be working on is an open source project but if so we will be able (and happy)
>>> to help you review the patches and work on the project.
>>>
>>> --
>>> Martin Preisler
>>> Identity Management and Platform Security | Red Hat, Inc.
>>>
>>
>> --
>> Martin Preisler
>> Identity Management and Platform Security | Red Hat, Inc.
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
>>
>
>
> ~š.
>
~š.
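The template workflow discussed in this thread (steps 1a to 1c and 2), as an added example that is not part of the original messages and is not the scap-security-guide build scripts. The CSV layout, the templates, the `oval:example:` ID namespace and the function names are assumptions made for illustration; the OVAL element names are those of the OVAL 5 unix schema.

```python
import csv, io
import xml.etree.ElementTree as ET
from string import Template
from xml.sax.saxutils import escape

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
UNIX = OVAL + "#unix"
COMMON = "http://oval.mitre.org/XMLSchema/oval-common-5"
BITS = "suid sgid sticky uread uwrite uexec gread gwrite gexec oread owrite oexec".split()
# Constructed CSV input (step 1b): file path, required octal mode.
CSV_ROWS = "/etc/shadow,0000\n/etc/passwd,0644\n"
# Constructed templates (step 1a), one per top-level OVAL section, in schema order.
TEMPLATES = {
    "definitions": Template(
        '<definition class="compliance" id="oval:example:def:$n" version="1">'
        '<metadata><title>Permissions on $path</title>'
        '<description>$path must have mode $mode.</description></metadata>'
        '<criteria><criterion test_ref="oval:example:tst:$n"/></criteria></definition>'),
    "tests": Template(
        '<file_test xmlns="%s" check="all" check_existence="all_exist" '
        'comment="mode of $path" id="oval:example:tst:$n" version="1">'
        '<object object_ref="oval:example:obj:$n"/><state state_ref="oval:example:ste:$n"/></file_test>' % UNIX),
    "objects": Template('<file_object xmlns="%s" id="oval:example:obj:$n" version="1">'
                        '<filepath>$path</filepath></file_object>' % UNIX),
    "states": Template('<file_state xmlns="%s" id="oval:example:ste:$n" version="1">'
                       '$bits</file_state>' % UNIX),
}

def mode_bits(mode):
    """Expand an octal mode into the twelve boolean file_state entities."""
    value = int(mode, 8)  # ValueError on non-octal input
    if not 0 <= value <= 0o7777:
        raise ValueError("mode out of range: %r" % mode)
    return "".join('<%s datatype="boolean">%s</%s>' % (b, str(bool(value >> (11 - i) & 1)).lower(), b)
                   for i, b in enumerate(BITS))

def build_oval(csv_text):
    sections = {name: [] for name in TEMPLATES}
    for n, (path, mode) in enumerate(csv.reader(io.StringIO(csv_text)), 1):
        # Step 1c. CSV values are untrusted text: escape them before they enter XML.
        fields = {"n": n, "path": escape(path, {'"': "&quot;"}),
                  "mode": escape(mode), "bits": mode_bits(mode)}
        for name, tpl in TEMPLATES.items():
            sections[name].append(tpl.substitute(fields))
    # Step 2: merge the singletons and add the boilerplate (xmlns, generator).
    body = "".join("<%s>%s</%s>" % (s, "".join(v), s) for s, v in sections.items())
    doc = ('<oval_definitions xmlns="%s" xmlns:oval="%s"><generator>'
           '<oval:schema_version>5.11</oval:schema_version>'  # timestamp below is constructed
           '<oval:timestamp>2016-04-04T00:00:00</oval:timestamp></generator>%s</oval_definitions>'
           % (OVAL, COMMON, body))
    ET.fromstring(doc)  # raises ParseError if the merged output is not well-formed
    return doc
```

The parse at the end only checks well-formedness; validating the result against the OVAL schemas is a separate step.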