[Open-scap] When to expect OVAL probes for OpenShift?

Shawn Wells shawn at redhat.com
Wed Feb 13 20:59:30 UTC 2019


On 2/11/19 7:38 PM, Steve Grubb wrote:
> On Thursday, February 7, 2019 1:23:58 PM EST Shawn Wells wrote:
>> So then, to rephrase the question, when will there be OVAL
>> tests/subjects/states/items for OpenShift, akin to how there are for
>> systemd and SELinux?
> Those were created specifically to address problems in drafting content for
> the USGCB settings a long time ago. They were created because there was no
> other good way of getting the information.
>
>> Would be extremely surprising to learn this process hasn't been started
>> already, but getting the sense it hasn't been. Not really sure who to
>> direct the question to.... likely Marek and Matej?
> Things aren't created until there's a demonstrated need. What are the
> underlying configuration that you are trying to read? What parts of the config
> are needed? Where is this information kept?

Seems like there is an ever-growing backlog of probes that need creation.

Quick examples of polling dconf db, and parsing "oc get" commands for 
OpenShift settings. Neither keeps their state in config files so need to 
use those commands specifically.


> Just wanted to show how the systemd tests were created:
> http://making-security-measurable.1364806.n2.nabble.com/Proposal-for-OVAL-5-11-systemd-test-td7583274.html
>
> There was some discussion about what the intended use would be. What
> questions would the test answer? Then some discussion about syntax and
> attribute vs elements, etc. Right now, I think anyone that could help needs a
> little better definition of the problem you are seeing.


Excellent. Thank you -- will review to help me learn the correct 
vernacular.

At this point, getting the impression there's been zero work on creating 
OpenShift probes though.



