<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello Leon,</p>
<p>thank you very much for contacting us. I think I have some good
news as well as not that good news for you.</p>
<p>If I understand you correctly, your goal was to improve the Bash
profile script. If you install the scap-security-guide package,
the script is located at</p>
<p>/usr/share/scap-security-guide/bash/fedora-script-standard.sh</p>
<p>I assume you are talking about this file.</p>
<p>If I understand it, you analysed the file and optimized it.
That's helpful, thank you for that.</p>
<p>Let's make some things clear - Openscap is a scanner. The script
that you probably analyzed is part of scap-security-guide package,
the upstream project is here:</p>
<p><a class="moz-txt-link-freetext" href="https://github.com/ComplianceAsCode/content/find/master">https://github.com/ComplianceAsCode/content/find/master</a><br>
</p>
<p>Unfortunately, we can't easily use your modified script in the
project.<br>
</p>
<p>Each profile (the standard profile, in your case) is composed of
many rules. Most of these rules have Bash remediations - small
pieces of Bash code which make the system compliant with one
particular rule. For example:</p>
<p><a class="moz-txt-link-freetext" href="https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh">https://github.com/ComplianceAsCode/content/blob/master/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh</a></p>
<p>Rules in the project try to be fairly generic, independent of
Linux distros or distro versions. That means that they might not
be written in the most effective way possible.</p>
<p>During the build process, all the Bash remediations of rules
included in a certain profile are combined into the Bash script
which you decided to analyze.</p>
<p>This ensures that any change in a Bash remediation can be done in
only one place and it will appear in many places in the project,
including the above-mentioned Bash script.</p>
<p>That unfortunately means that direct usage of your script is not
possible.</p>
<p>However, you might have discovered some ways to make
such remediations more effective. That is always welcome.</p>
<p>Would you be willing to suggest improvements to individual Bash
remediations in the form of a PR to the Compliance as Code project?
If you keep track of the changes which you performed, it could be
fairly easy.<br>
</p>
<p>We will be glad to review your changes.<br>
</p>
<p>Speaking about mailing lists... you can use this one, although it
is focused mainly on the Openscap scanner.</p>
<p>There is another list focused on the content, which might be more
appropriate.</p>
<p><a class="moz-txt-link-freetext" href="https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide">https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide</a></p>
<p>Or we can talk directly in Github discussions:</p>
<p><a class="moz-txt-link-freetext" href="https://github.com/ComplianceAsCode/content/discussions">https://github.com/ComplianceAsCode/content/discussions</a></p>
<p>Feel free to ask if you need more information.</p>
<p>Best regards,</p>
<p>Vojta<br>
</p>
<div class="moz-cite-prefix">Dne 02. 03. 21 v 12:29 Leon Imširović
napsal(a):<br>
</div>
<blockquote type="cite"
cite="mid:CA+EPRM51L6+4_w3Nu1Y=Y-XugbdC03qx_J9Qy0vmpyU3+rKVYw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hello everyone,
<div><br>
</div>
<div>I hope you are all well for this corona time. <br>
</div>
<div><br>
</div>
<div>Let me get to the point right away. </div>
<div><br>
</div>
<div>For the topic of my dissertation I took OPENSCAP and for
the goal of my work I set to security scan and secure Fedora
31 as much as possible. </div>
<div><br>
</div>
<div>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">I
used a Standard System Security Profile for Fedora (80),
scanned
the system and got results that were bad. I scanned with
Scap Workbench.</p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"> </p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">After
that, I decided to make my own Bash script that will
solve all these security vulnerabilities. I finally
succeeded after several
months !! I compared my script to yours which was offered as
a solution in remediation
role and mine gives much better results,
have 8 times less lines of code, and is much easier to
understand.</p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><br>
</p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif">Attached
is the listed bash script called Final.sh</p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><br>
</p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt">I would love if it is possible for
you to let me
know if you can check it out and give your opinion a</span><span
style="font-size:11pt">nd maybe even include it in the
Open Scap, </span><span style="font-size:11pt">and give
some confirmation of what was done.</span><br>
</p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt"><br>
</span></p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt">Your opinion means a lot to me.</span></p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt"><br>
</span></p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt">Thank You,</span></p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt">Leon Imsirovic</span></p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt">Software Engineer in ATOS</span></p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt"><br>
</span></p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><span
style="font-size:11pt">PS: </span><span
style="font-size:11pt">I didn’t know who to send these
results to so I
decided here.</span><span style="font-size:11pt"><br>
</span></p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><br>
</p>
<p class="MsoNormal"
style="margin:0in;font-size:11pt;font-family:Calibri,sans-serif"><br>
</p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Open-scap-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Open-scap-list@redhat.com">Open-scap-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://listman.redhat.com/mailman/listinfo/open-scap-list">https://listman.redhat.com/mailman/listinfo/open-scap-list</a></pre>
</blockquote>
</body>
</html>