Bug 1261642 - RFE: Better support for server config checking on Fedora
RFE: Better support for server config checking on Fedora
Status: NEW
Product: Fedora
Classification: Fedora
Component: scap-security-guide (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Watson Yuuma Sato
Fedora Extras Quality Assurance
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2015-09-09 16:14 EDT by Bruno Wolff III
Modified: 2017-10-25 09:17 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Scan results as html (2.00 MB, text/html)
2015-09-11 14:11 EDT, Bruno Wolff III
no flags Details

  None (edit)
Description Bruno Wolff III 2015-09-09 16:14:01 EDT
Description of problem:
The rhel files include in the security guide have rules for checking such things as web server config files, but those files don't seem to work on Fedora. scap-workbench won't let you pick them and manually using them with openscap doesn't usefully use the tests on Fedora.

With there being server and cloud versions of Fedora now, I would expect more demand for supporting config testing in the security guide.
Comment 1 Šimon Lukašík 2015-09-11 04:37:04 EDT
Thanks Bruno for this suggestion.

Can you be more specific? What is the example of a check that is missing on Fedora and present on RHEL?

Do you know we have much wider selection of content in Fedora (see `rpm -ql scap-security-guide`)?

What does it mean in technical terms, when you say: 'scap-workbench won't let you pick them'?
Comment 2 Bruno Wolff III 2015-09-11 14:11:19 EDT
Created attachment 1072614 [details]
Scan results as html

I was having trouble with scap-workbench because I picked Fedora on the splash page and then could only choose a Fedora profile.

When I picked a different OS on the splash page and then ran a profile, I got not applicable (or not selected) for the tests.

At least some of the RHEL and CENTOS profiles had more tests than the Fedora profile.

There were a lot more references to httpd in ssg-rhel7-xccdf.xml than in ssg-fedora-xccdf.xml, though there were not many references to these in the RHEL7 profiles. I had expected that some sanity checks on httpd configuration would be in the profiles, but I only saw a check to make sure qpid was disabled.

So it looks like it might be easier to add tests for httpd config to the rhel profiles than to the Fedora profile since the RHEL xccdf file has more infrastructure for this already set up.

Though in practice, we seem to be more interested that CVE patches have been applied than service configuration, and keeping CVE info current in Fedora would be a lot of work.
Comment 3 Bruno Wolff III 2015-09-11 14:36:29 EDT
Looking around some with the customize feature of scap-workbench, there is a web service area in the RHEL profile that can be turned on, but there doesn't seem to be one for Fedora's profile.
Comment 4 Šimon Lukašík 2015-09-14 06:18:18 EDT
Well, I see multiple unrelated issues.

 * As for Scap-workbench selection:
   - I'll kindly ask Martin if he can see any improvement we can do?
 * As for the Fedora content being incomplete.
   - SSG upstream makes improvement in Fedora content with each subsequent release. This is however slow process. We can keep this bugzilla to track the progress.
 * As for the CVE stream for Fedora.
   - This is really unrelated to SSG per se. Please file a bug against Bodhi to generate CVE data or provide an API to build them. open-scap-list will be happy to help Bodhi team design this thing.

Do you think it is reasonable to close this bub once the Fedora content contains all the httpd rules from rhel7 content?

Comment 5 Martin Preisler 2015-09-14 07:01:02 EDT
I don't understand the problem with the SCAP Workbench SSG selection dialog. Did you expect to open RHEL7 content and have that content "just work" on Fedora? "notapplicable" results are the expected outcome of this use-case.

Some improvements have been made to the selection dialog recently, see https://github.com/OpenSCAP/scap-workbench/pull/31

Note You need to log in before you can comment on or make changes to this bug.