Red Hat Bugzilla – Bug 1261642
RFE: Better support for server config checking on Fedora
Last modified: 2017-10-25 09:17:47 EDT
Description of problem:
The RHEL files included in the security guide have rules for checking such things as web server config files, but those files don't seem to work on Fedora. scap-workbench won't let you pick them and manually using them with openscap doesn't usefully use the tests on Fedora.
With there being server and cloud versions of Fedora now, I would expect more demand for supporting config testing in the security guide.
Thanks Bruno for this suggestion.
Can you be more specific? What is the example of a check that is missing on Fedora and present on RHEL?
Do you know we have much wider selection of content in Fedora (see `rpm -ql scap-security-guide`)?
What does it mean in technical terms, when you say: 'scap-workbench won't let you pick them'?
Created attachment 1072614
Scan results as html
I was having trouble with scap-workbench because I picked Fedora on the splash page and then could only choose a Fedora profile.
When I picked a different OS on the splash page and then ran a profile, I got not applicable (or not selected) for the tests.
At least some of the RHEL and CENTOS profiles had more tests than the Fedora profile.
There were a lot more references to httpd in ssg-rhel7-xccdf.xml than in ssg-fedora-xccdf.xml, though there were not many references to these in the RHEL7 profiles. I had expected that some sanity checks on httpd configuration would be in the profiles, but I only saw a check to make sure qpid was disabled.
So it looks like it might be easier to add tests for httpd config to the rhel profiles than to the Fedora profile since the RHEL xccdf file has more infrastructure for this already set up.
Though in practice, we seem to be more interested in whether CVE patches have been applied than in service configuration, and keeping CVE info current in Fedora would be a lot of work.
Looking around some with the customize feature of scap-workbench, there is a web service area in the RHEL profile that can be turned on, but there doesn't seem to be one for Fedora's profile.
Well, I see multiple unrelated issues.
* As for Scap-workbench selection:
- I'll kindly ask Martin if he can see any improvement we can make.
* As for the Fedora content being incomplete.
- SSG upstream makes improvements in Fedora content with each subsequent release. This is, however, a slow process. We can keep this bugzilla to track the progress.
* As for the CVE stream for Fedora.
- This is really unrelated to SSG per se. Please file a bug against Bodhi to generate CVE data or provide an API to build them. open-scap-list will be happy to help Bodhi team design this thing.
Do you think it is reasonable to close this bug once the Fedora content contains all the httpd rules from rhel7 content?
I don't understand the problem with the SCAP Workbench SSG selection dialog. Did you expect to open RHEL7 content and have that content "just work" on Fedora? "notapplicable" results are the expected outcome of this use-case.
Some improvements have been made to the selection dialog recently, see https://github.com/OpenSCAP/scap-workbench/pull/31
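The comparison discussed in this thread (httpd rules present in the RHEL7 XCCDF but absent from the Fedora one, and whether any profile selects them) can be scripted; the following is an added example, not part of the original bug report or the SSG project. The two benchmarks are constructed miniatures with hypothetical rule and profile ids; point the functions at the real `ssg-rhel7-xccdf.xml` and `ssg-fedora-xccdf.xml` contents to run the actual comparison.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]

def keyword_rules(xccdf_xml, keyword="httpd"):
    """Map rule id -> sorted ids of profiles selecting it, for every rule
    whose id or title mentions the (lowercase) keyword."""
    root = ET.fromstring(xccdf_xml)
    rules, profiles = {}, []
    for el in root.iter():
        name = local(el.tag)
        if name == "Rule":
            title = next((c.text or "" for c in el if local(c.tag) == "title"), "")
            if keyword in el.get("id", "").lower() or keyword in title.lower():
                rules[el.get("id")] = []
        elif name == "Profile":
            profiles.append(el)
    for prof in profiles:
        for sel in prof:
            if (local(sel.tag) == "select" and sel.get("selected") == "true"
                    and sel.get("idref") in rules):
                rules[sel.get("idref")].append(prof.get("id"))
    return {rid: sorted(p) for rid, p in rules.items()}

def missing_rules(reference_xml, target_xml, keyword="httpd"):
    """Rule ids present in the reference benchmark but absent from the target."""
    return sorted(set(keyword_rules(reference_xml, keyword))
                  - set(keyword_rules(target_xml, keyword)))

# Constructed miniature benchmarks (hypothetical ids, not excerpts of SSG files).
NS = 'xmlns="http://checklists.nist.gov/xccdf/1.1"'
RHEL7 = f"""<Benchmark {NS} id="rhel7-sample">
  <Profile id="sample-server"><select idref="httpd_sample_hide_version" selected="true"/></Profile>
  <Group id="web">
    <Rule id="httpd_sample_hide_version" selected="false"><title>Sample: hide version banner</title></Rule>
    <Rule id="sample_web_conf_perms" selected="false"><title>Sample: restrict /etc/httpd/conf permissions</title></Rule>
  </Group>
</Benchmark>"""
FEDORA = f"""<Benchmark {NS} id="fedora-sample">
  <Profile id="common"><select idref="sample_sshd_rule" selected="true"/></Profile>
  <Rule id="sample_sshd_rule" selected="false"><title>Sample: sshd setting</title></Rule>
</Benchmark>"""

if __name__ == "__main__":
    for rid, profs in keyword_rules(RHEL7).items():
        print(rid, "selected by:", profs or "no profile")
    print("missing from Fedora sample:", missing_rules(RHEL7, FEDORA))
```

A rule that exists in a benchmark but is selected by no profile shows up with an empty profile list, which matches the observation above that the RHEL7 file references httpd more often than its profiles do.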