[Open-scap] oscap results stored in central database?

Jan Cerny jcerny at redhat.com
Mon Feb 12 08:52:07 UTC 2018


Hi,

This idea is very interesting.

Unfortunately it is not likely that we in Red Hat will work on this database,
because it will create strong competition for Red Hat Satellite.

But we will be very happy to provide our support and knowledge
if there is a project developed by the community.

Regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Šimon Lukašík" <slukasik at redhat.com>
> To: "Luke Salsich" <luke.salsich at gmail.com>
> Cc: "open-scap-list" <open-scap-list at redhat.com>
> Sent: Friday, February 2, 2018 9:21:31 PM
> Subject: Re: [Open-scap] oscap results stored in central database?
> 
> On 02/02/2018 03:18 PM, Luke Salsich wrote:
> > Hi Simon,
> > 
> > I am surprised that SCAPtimony did not get traction as well.
> > 
> > when you say
> > 
> > "To this day, I am surprised there is no lean and functional microservice
> > to store, query and postprocess SCAP results."
> > 
> > What would you suggest? I ask because it seems like there is a
> > discussion about a lean microservice (to start with) and then a
> > discussion about a larger application or framework which can then make
> > use of the stored data. Personally, I don't think these two discussions
> > conflict. I think they are describing the first small step to a
> > microservice and then maybe to something larger after that.
> > 
> 
> When I said `that I am surprised that there is no lean and functional
> microservice to store, query and postprocess SCAP results` I was trying to
> imply that the task is really not that hard.
> 
> Take SCAPtimony and you are pretty close. I think it's about 1 month of
> fulltime developer time (assuming she really knows what she is doing and
> she can afford to not look at mails, ignore sprints, scrums, managers,
> re-orgs and other urgent non-important things).
> 
> Cheers,
> ~š.
> 
> > But I would be interested to hear your thoughts on this.
> > 
> > 
> > 
> > 
> > ---------------
> > Luke Salsich
> > 
> > On Fri, Feb 2, 2018 at 8:21 AM, Šimon Lukašík <slukasik at redhat.com> wrote:
> > 
> >     Hello,
> > 
> >     As original author of SCAPtimony, I feel urged to come in and say here
> >     is my $0.02 coin.
> > 
> >     After spending some time on OpenSCAP development, I started wondering
> >     where all the results of the scans go. I thought there has to be an
> >     immense need to make sense of the data organizations have and make use
> >     of it. For instance, scan-result-diff in Satellite 5 was highly regarded
> >     at the time. The other idea was to waive a certain rule on a certain
> >     system. And there were more ideas like that.
> > 
> >     Unfortunately, the SCAPtimony project did not receive the traction I
> >     hoped for. And hence the development stopped. Later on, Satellite 6
> >     absorbed the SCAPtimony code, so the community can no longer leverage
> >     what they did since.
> > 
> >     To this day, I am surprised there is no lean and functional
> >     microservice to store, query and postprocess SCAP results. I am still
> >     ready to make SCAPtimony fly, but I would need funding.
> > 
> >     --
> > 
> >     The standardization was also mentioned in the thread, so let me share
> >     my view on that as well. I think the standardization is great in
> >     theory. I was a huge fan of standardizations after coming out from uni.
> >     However, after a few years I realized that it is extremely hard to
> >     write standards that are comprehensive and usable at the same time.
> > 
> >     The way you can write good standard is to learn first. Let the
> >     businesses or independent actors come up with few solutions, notice
> >     similarities, standardize them. Let the businesses adopt that and
> >     iterate again.
> > 
> >     To return back to the topic. Parsing XML to SQL models/tables is great
> >     idea and many freshmen would certainly love to jump on it. My gut tells
> >     me, however, this is not the best (or sensible) way. I sometimes
> >     struggle to describe why my gut says what it says, but consider
> >     following: If I were founding start-up on building SCAP database, I
> >     would surely not be parsing entities to SQL for sure.
> > 
> >     Best,
> >     ~š.
> > 
> > 
> > 
> >     On 01/31/2018 10:22 PM, Luke Salsich wrote:
> >     > Hey all,
> >     >
> >     > I've been using OpenSCAP for a while on our servers and really
> >     > appreciate what it does.
> >     >
> >     > I've been looking around for a way to store scan results and then
> >     > query them and I can't seem to locate any plugins or apps which do
> >     > this other than SCAPTimony.
> >     >
> >     > SCAPTimony sounds great, but I'm not sure it's currently maintained
> >     > and I don't really want to dive into Foreman just to store Oscap
> >     > results.
> >     >
> >     > What does the community use for this kind of scan / report storing
> >     > and querying?
> >     >
> >     > We're currently using Ansible AWX to run scans and to manage
> >     > remediation. Love to find a way to pull that XML into a central
> >     > database.......
> >     >
> >     > Thanks very much.
> >     >
> >     > ---------------
> >     > Luke Salsich
> >     >
> >     >
> >     > _______________________________________________
> >     > Open-scap-list mailing list
> >     > Open-scap-list at redhat.com <mailto:Open-scap-list at redhat.com>
> >     > https://www.redhat.com/mailman/listinfo/open-scap-list
> >     <https://www.redhat.com/mailman/listinfo/open-scap-list>
> >     >
> > 
> > 
> >     ~š.
> > 
> > 
> 
> 
> ~š.
> 



