[Open-scap] OVAL content authoring tool

Šimon Lukašík slukasik at redhat.com
Mon Apr 4 08:09:16 UTC 2016


On 04/04/2016 06:18 AM, Pravin Goyal wrote:
> Thanks, Simon. I am getting started. 
> 
> So far, I have figured out that we need below steps:
> 
> 1) Ensure that templates are in place in one directory (call it templates) and the template to actual oval content creation works - 
>     a) Have OVAL xml templates (the way you desire a particular probe based check to look like - for example, disabling services, checking file permissions, etc.). Take from existing or create your own.
>     b) csv files that contain the entry in the required format for a particular probe based check
>     c) Python scripts to take each line item in csv and convert it into an OVAL xml based on the desired template
> 
> 2) Edit Makefile to build just oval content
>     a) That means combine oval singletons into one big oval assessment content
>     b) have boilerplate information such as xmlns, generator, etc. in place
> 
> Are the above steps good enough for oval content creation? Am I missing any steps?
> 

It is about right.

There are some things that I would mention as well, but you are perhaps
already familiar with:

 * There are OVAL files that are not generated from templates.
 * The templating mechanism is introduced only for multiple checks that
share the logic.
 * Look at the templates in the Debian/ directory. Guys there have been able to
run the templates only during the build process. That should be the way
forward in other directories as well.
 * The content authors tend to contribute XCCDF and OVAL together per
check. Writing bigger OVAL part and then following with XCCDF is not
that common.

Best,
~š.

> I am yet to work through all the steps above and just figured out the information for now. If there is anything that helps jumpstart this, it would be great, else, not a problem. I will eventually figure it out. (I come from security and compliance background and not pure developer background - so this might be at times difficult for me. But, perhaps, I will take some help locally).
> 
> Thanks and regards,
> Pravin Goyal
> ________________________________________
> From: Šimon Lukašík <slukasik at redhat.com>
> Sent: Friday, April 1, 2016 7:36 PM
> To: Pravin Goyal; open-scap-list at redhat.com
> Subject: Re: [Open-scap] OVAL content authoring tool
> 
> Hello Pravin,
> 
> I advise you to look at what folks working on the Debian/ directory have achieved.
> 
> Most of the checks will be the same for SuSE and Fedora derivatives. A
> lot is shared with Debian as well.
> 
> There will be some differences though, like configuration file paths.
> 
> We try to leverage shared/ directory within SSG to have common code
> written only once.
> 
> 
> The build scripts are still a little hairy, so I advise you to start
> with RHEL/7 or Fedora makefiles and remove everything that you don't
> need in the first stage.
> 
> The build scripts are always work in progress, so don't be shy to amend
> them as you see the need.
> 
> Best,
> ~š.
> 
> On 03/31/2016 05:36 AM, Pravin Goyal wrote:
>> Team,
>> I need help. I need to setup a new platform say "SLES 11" in "scap-security-guide" project. What are the steps to be done? Where do I start?
>>
>> I see that the community has already done a lot of automation work in churning out SCAP DS with xccdf, oval and remediation.
>>
>> Please help.
>>
>> Thanks and regards,
>> Pravin Goyal
>>
>> ________________________________________
>> From: Martin Preisler <mpreisle at redhat.com>
>> Sent: Wednesday, March 30, 2016 8:18 PM
>> To: Pravin Goyal
>> Subject: Re: [Open-scap] OVAL content authoring tool
>>
>> ----- Original Message -----
>>> From: "Pravin Goyal" <pravin.goyal at outlook.com>
>>> To: "Martin Preisler" <mpreisle at redhat.com>
>>> Sent: Wednesday, March 30, 2016 12:24:14 AM
>>> Subject: Re: [Open-scap] OVAL content authoring tool
>>>
>>> One thing that I can promise is to contribute OVAL checks that you can
>>> include in SSG. I am targeting to develop OVAL rules for SLES 11 SP3 OS. So,
>>> there would be a lot of common stuff.
>>
>> Please send your questions to the public mailing list. That way more people
>> benefit from the reply. Thanks for understanding.
>>
>>
>>> Trying to understand how to work with these transforms.
>>> ________________________________________
>>> From: Pravin Goyal <pravin.goyal at outlook.com>
>>> Sent: Wednesday, March 30, 2016 9:14 AM
>>> To: Martin Preisler
>>> Subject: Re: [Open-scap] OVAL content authoring tool
>>>
>>> Hi Martin,
>>> I could see the scripts in Github. Is there a documented way to use it?
>>>
>>> Basically, I am looking to just do OVAL content at this point of time and
>>> later merge with XCCDF document when I have it.
>>>
>>> Thanks and regards,
>>> Pravin Goyal
>>> ________________________________________
>>> From: Pravin Goyal <pravin.goyal at outlook.com>
>>> Sent: Wednesday, March 30, 2016 4:16 AM
>>> To: Martin Preisler
>>> Subject: Re: [Open-scap] OVAL content authoring tool
>>>
>>> Thanks Martin for the quick response.
>>>
>>>>   I recommend looking at how SSG is built,
>>>> how we use templates to generate the boilerplate.
>>>
>>> Do you have this documented somewhere? Can you please share the link?
>>>
>>>> I recommend leveraging this community. I don't know if the project you will
>>>> be working on is an open source project but if so we will be able (and
>>>> happy)
>>>> to help you review the patches and work on the project.
>>>
>>> Thanks for extending the help. As of now, the OVAL content creation is tied
>>> very much to an internal product. STIG development for the product is in
>>> progress. We are just starting.
>>> ________________________________________
>>> From: Martin Preisler <mpreisle at redhat.com>
>>> Sent: Tuesday, March 29, 2016 9:48 PM
>>> To: Pravin Goyal
>>> Cc: open-scap-list at redhat.com
>>> Subject: Re: [Open-scap] OVAL content authoring tool
>>>
>>> ----- Original Message -----
>>>> From: "Pravin Goyal" <pravin.goyal at outlook.com>
>>>> To: open-scap-list at redhat.com
>>>> Sent: Tuesday, March 29, 2016 1:32:53 AM
>>>> Subject: [Open-scap] OVAL content authoring tool
>>>>
>>>> Hi Team,
>>>> I am sure this is a FAQ. Do you know of a well-maintained content authoring
>>>> tool?
>>>
>>> We have tried several times to come up with some fancy GUI tool to help with
>>> the development but never succeeded. The GUI tool ends up having too many
>>> options or it's not powerful enough. I recommend looking at how SSG is built,
>>> how we use templates to generate the boilerplate.
>>>
>>> The tools I suggest are git, a text editor and SSG build scripts.
>>>
>>>> I am aware of
>>>> https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL/6/transforms
>>>> that we use to develop SSG content.
>>>>
>>>> Is this still valid -
>>>> http://blog-shawndwells.rhcloud.com/wp-content/uploads/2013/07/SCAP-Workshop-Coursebook-v2.pdf
>>>> ?
>>>
>>> Looks like it is except for the repository URIs. Change them to github URIs
>>> and this will work.
>>>
>>>> Do you have any other suggestions in this regard? I am beginning a project
>>>> that would require the development of some 500+ OVAL rules. So, I am just
>>>> ensuring that I can make the best use of tools or processes already known
>>>> to
>>>> the community.
>>>
>>> I recommend leveraging this community. I don't know if the project you will
>>> be working on is an open source project but if so we will be able (and happy)
>>> to help you review the patches and work on the project.
>>>
>>> --
>>> Martin Preisler
>>> Identity Management and Platform Security | Red Hat, Inc.
>>>
>>
>> --
>> Martin Preisler
>> Identity Management and Platform Security | Red Hat, Inc.
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
>>
> 
> 
> ~š.
> 


~š.
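
The workflow outlined in this thread (a template per kind of check, CSV rows that fill it, and a combining step that adds the xmlns and generator boilerplate), as an added example that is not part of the original messages and is not SSG's build code. The file-owner template, the `oval:example.local` ID namespace, the `path,uid` CSV columns and the `build_oval` name are assumptions made for illustration, and the OVAL is simplified.

```python
import csv
import xml.etree.ElementTree as ET
from string import Template
from xml.sax.saxutils import escape

DEFS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
UNIX = DEFS + "#unix"
COMMON = "http://oval.mitre.org/XMLSchema/oval-common-5"
ID = "oval:example.local"  # hypothetical ID namespace for this sketch

TEMPLATE = {  # constructed template for one file-owner check, keyed by OVAL section
    "definitions": Template(
        '<definition class="compliance" id="$id:def:$n" version="1"><metadata>'
        '<title>$path is owned by uid $uid</title>'
        '<description>Generated from a CSV row.</description></metadata>'
        '<criteria><criterion test_ref="$id:tst:$n"/></criteria></definition>'),
    "tests": Template(
        '<unix:file_test id="$id:tst:$n" version="1" check="all" '
        'check_existence="all_exist" comment="owner of $path">'
        '<unix:object object_ref="$id:obj:$n"/>'
        '<unix:state state_ref="$id:ste:$n"/></unix:file_test>'),
    "objects": Template(
        '<unix:file_object id="$id:obj:$n" version="1">'
        '<unix:filepath>$path</unix:filepath></unix:file_object>'),
    "states": Template(
        '<unix:file_state id="$id:ste:$n" version="1">'
        '<unix:user_id datatype="int">$uid</unix:user_id></unix:file_state>'),
}

SAMPLE_CSV = "# path,uid (constructed rows)\n/etc/passwd,0\n/srv/app/R&D.conf,1001\n"

def build_oval(csv_text):
    """Expand each CSV row through the template, then combine into one document."""
    sections = {name: [] for name in TEMPLATE}
    for row in csv.reader(csv_text.splitlines()):
        if not row or row[0].startswith("#"):
            continue
        path, uid = (field.strip() for field in row)  # wrong column count raises
        values = {"id": ID, "n": len(sections["states"]) + 1, "uid": int(uid),
                  "path": escape(path, {'"': "&quot;"})}  # CSV data never becomes markup
        for name, tpl in TEMPLATE.items():
            sections[name].append(tpl.substitute(values))
    body = "".join("<%s>%s</%s>" % (s, "".join(v), s) for s, v in sections.items())
    doc = ('<oval_definitions xmlns="%s" xmlns:unix="%s" xmlns:oval="%s"><generator>'
           '<oval:schema_version>5.11</oval:schema_version>'
           '<oval:timestamp>2016-04-04T00:00:00</oval:timestamp></generator>%s'
           '</oval_definitions>' % (DEFS, UNIX, COMMON, body))
    ET.fromstring(doc)  # stop the build if the combined file is not well-formed
    return doc
```

Escaping each CSV field and parsing the combined result means a malformed row fails at build time instead of producing a check that silently evaluates something else.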



