<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <div class="moz-cite-prefix">On 6/3/15 2:23 AM, <a class="moz-txt-link-abbreviated" href="mailto:tmey@lisag.de">tmey@lisag.de</a> wrote:<br>
    </div>
    <blockquote cite="mid:20150603062330.491411703@mail.linux-ag.de"
      type="cite"><br>
      <br>
      <blockquote type="cite" style="color: #000000;">
        <blockquote type="cite" style="color: #000000;">
          <blockquote type="cite" style="color: #000000;">>
            <br>
            >[snip]
            <br>
            >
            <br>
            >Because there are different definitions in the Scap
            Security Guide
            <br>
            for RHEL7
            <br>
            >and there is no possibility to choose different checks
            inside the
            <br>
            same rule,
            <br>
            >depending on platform.
            <br>
            >
            <br>
            >Anyway:
            <br>
            >If I'm generating the guide, I'll get the
            <description>, <fixtext>
            <br>
            and so on
            <br>
            >for both rules.
            <br>
            >Is there an option, to generate the guide only for the
            rules,
            <br>
            applicaple to
            <br>
            >an specific platform?
            <br>
          </blockquote>
          This is not possible right now but would be relatively simple
          to
          <br>
          implement.
          <br>
          I recommend creating a feature request on customer portal.
          <br>
        </blockquote>
        <br>
        If the XCCDF is the same (e.g. "set grub password"), you can
        adjust your
        <br>
        OVAL to behave differently on RHEL6 vs RHEL7 using criterion
        checks.
        <br>
      </blockquote>
      Thanks for the advice. W'll do it with our own OVAL. But we're
      using the Scap Security Guide for RHEL6 and RHEL7. And they're
      have different OVAL-files with the same namespace and interfering
      objectnumbers....
      <br>
      <span class="moz-smiley-s2" title=":("><span>:(</span></span>
      <br>
      Maybe I'll write a script to merge them...
      <br>
    </blockquote>
    <br>
    If I understand correctly, it sounds like you are going to use SSG
    XCCDF, but with your own OVAL. If that's the case -- can you fully
    share what your attempting to do, and what lead you down creating
    your own OVAL? If you're going to write your own OVAL anyway,
    there's definitely opportunity to collaborate upstream on combining
    RHEL6/RHEL7 OVAL content where applicable :)<br>
    <br>
    For sample code, checkout the shared accounts_password_pam_retry.xml
    OVAL: <br>
<a class="moz-txt-link-freetext" href="https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/accounts_password_pam_retry.xml">https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/accounts_password_pam_retry.xml</a><br>
    <br>
    Note how the criteria operators group checks into RHEL6, RHEL7, and
    Fedora:<br>
<a class="moz-txt-link-freetext" href="https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/accounts_password_pam_retry.xml#L12#L25">https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/accounts_password_pam_retry.xml#L12#L25</a><br>
    <br>
    The logic is something like...<br>
    if rhel6; rule
    <meta charset="utf-8">
    test_password_pam_cracklib_retry must pass;<br>
    elseif rhel7; rule test_password_pam_pwquality_retry must pass;<br>
    elseif fedora; rule test_password_pam_pwquality_retry must pass<br>
    <br>
  </body>
</html>