763
Comment: Initial commit!
|
2181
|
Deletions are marked like this. | Additions are marked like this. |
Line 3: | Line 3: |
This page is a TODO/IDEAS list to implement a SCAP guide for Debian. |
This page is a TODO/IDEAS list to implement a SCAP guide for Debian. Debian automatically generates and publishes [[https://www.debian.org/security/oval/|OVAL information]] for use by SCAP. |
Line 7: | Line 6: |
Line 8: | Line 8: |
* What are Debian CPEs (platform, family?) | * What are Debian CPEs (platform, family?). Many CPEs can be found in the testing security SVN repostory, svn+ssh://svn.debian.org/svn/secure-testing, in the data/CPE/ directory. In addition, some source packages include the known CPEs for the package in debian/upstream/metadata). |
Line 12: | Line 12: |
* support various guides/test suites for Debian (and others ?) * support generated remediation files (ansible, anaconda, puppet, bash) for Debian (and others ?) |
|
Line 13: | Line 15: |
* Dashboard | * defining preseeds for hardened config ? (like RHEL kickstart in upstream SCAP security guide) to check security profiles (cf. RHEL/6/tests/kickstart dir in SSG upstream) * Dashboard) |
Line 18: | Line 21: |
* Define communication channels so contributors can follow and participate (IRC, mailing list, etc.) | |
Line 23: | Line 27: |
== Done == * Make sure [[Bug:738199|outdated]] OVAL information for Debian is updated. * Package [[https://tracker.debian.org/pkg/openscap|openscap]] (Bug:522265) * Package [[https://tracker.debian.org/pkg/scap-workbench|scap-workbench]] (Bug:750138) * Package [[https://tracker.debian.org/pkg/scap-security-guide|scap-security-guide]] (Bug:856425) (in NEW) == Upstream references sources == * OpenSCAP: [[https://github.com/OpenSCAP/openscap]] * SCAP-Workbench: [[https://github.com/OpenSCAP/scap-workbench]] * SCAP-security-guide: [[https://github.com/OpenSCAP/scap-security-guide]] |
Debian SCAP Guide
This page is a TODO/IDEAS list to implement a SCAP guide for Debian. Debian automatically generates and publishes OVAL information for use by SCAP.
TODO
- Define the Profiles we want.
What are Debian CPEs (platform, family?). Many CPEs can be found in the testing security SVN repostory, svn+ssh://svn.debian.org/svn/secure-testing, in the data/CPE/ directory. In addition, some source packages include the known CPEs for the package in debian/upstream/metadata).
- Define distribution we target (typically: testing then stable)
- How to let our derivative fork easily?
- How to cooperate with scap-security-guide
- support various guides/test suites for Debian (and others ?)
- support generated remediation files (ansible, anaconda, puppet, bash) for Debian (and others ?)
- Test infrastructure?
- defining preseeds for hardened config ? (like RHEL kickstart in upstream SCAP security guide) to check security profiles (cf. RHEL/6/tests/kickstart dir in SSG upstream)
- Dashboard)
- Compare: our supported checks, upstream checks, and a wishlist.
- Each SCAP probe should be tested, both in unstable and testing
- Each Debian distribution should be evaluated, for each relevant profile.
- Write docs
- Define communication channels so contributors can follow and participate (IRC, mailing list, etc.)
Later...
- Translating the SCAP guide
- Support older distribution
- provide framework so maintainers can provide probes in their packages
Done
Make sure outdated OVAL information for Debian is updated.
Package scap-workbench (750138)
Package scap-security-guide (856425) (in NEW)
Upstream references sources
OpenSCAP: https://github.com/OpenSCAP/openscap
SCAP-Workbench: https://github.com/OpenSCAP/scap-workbench
SCAP-security-guide: https://github.com/OpenSCAP/scap-security-guide