Differences between revisions 5 and 15 (spanning 10 versions)
Revision 5 as of 2016-12-14 07:38:30
Size: 1161
Editor: ?PetterReinholdtsen
Comment: Link to OVAL information.
Revision 15 as of 2017-04-12 06:58:23
Size: 2607
Editor: ?PhilippeThierry
Comment:
Deletions are marked like this. Additions are marked like this.
Line 5: Line 5:
== TODO ==
Line 6: Line 7:
== TODO ==
Line 8: Line 8:
 * What are Debian CPEs (platform, family?)  * What are Debian CPEs (platform, family?). Many CPEs can be found in the testing security SVN repostory, svn+ssh://svn.debian.org/svn/secure-testing, in the data/CPE/ directory. In addition, some source packages include the known CPEs for the package in debian/upstream/metadata).
Line 12: Line 12:
  * support various guides/test suites for Debian (and others ?)
  * support generated remediation files (ansible, anaconda, puppet, bash) for Debian (and others ?)
Line 13: Line 15:
 * Dashboard   * defining preseeds for hardened config ? (like RHEL kickstart in upstream SCAP security guide) to check security profiles (cf. RHEL/6/tests/kickstart dir in SSG upstream)
 * Dashboard)
Line 24: Line 27:
 * Fix the [[Bug:738199|broken]] OVAL information for Debian
Line 26: Line 28:
 * Package DebianPkg:openscap (Bug:522265)
 * Package scap-workbench (Bug:750138 upload pending)
 * Make sure [[Bug:738199|outdated]] OVAL information for Debian is updated.
 * Package [[https://tracker.debian.org/pkg/openscap|openscap]] (Bug:522265)
 * Package [[https://tracker.debian.org/pkg/scap-workbench|scap-workbench]] (Bug:750138)
 * Package [[https://tracker.debian.org/pkg/scap-security-guide|scap-security-guide]] (Bug:856425)
 * Package [[https://tracker.debian.org/pkg/openscap-daemon|openscap-daemon]] (Bug:860126)

 * Wiki page on using SCAP tools and policies: https://wiki.debian.org/UsingSCAP


== Upstream references sources ==
  * OpenSCAP: [[https://github.com/OpenSCAP/openscap]]
  * SCAP-Workbench: [[https://github.com/OpenSCAP/scap-workbench]]
  * SCAP-security-guide: [[https://github.com/OpenSCAP/scap-security-guide]]
  * OpenSCAP-daemon: [[https://github.com/OpenSCAP/openscap-daemon]]

== debian pkg VCS repositories ==
  * SCAP-security-guide: [[https://github.com/pthierry38/scap-security-guide]]
  * openscap-daemon: [[https://github.com/pthierry38/openscap-daemon]]

Debian SCAP Guide

This page is a TODO/IDEAS list to implement a SCAP guide for Debian. Debian automatically generates and publishes OVAL information for use by SCAP.

TODO

  • Define the Profiles we want.
  • What are Debian CPEs (platform, family?). Many CPEs can be found in the testing security SVN repostory, svn+ssh://svn.debian.org/svn/secure-testing, in the data/CPE/ directory. In addition, some source packages include the known CPEs for the package in debian/upstream/metadata).

  • Define distribution we target (typically: testing then stable)
  • How to let our derivative fork easily?
  • How to cooperate with scap-security-guide
    • support various guides/test suites for Debian (and others ?)
    • support generated remediation files (ansible, anaconda, puppet, bash) for Debian (and others ?)
  • Test infrastructure?
    • defining preseeds for hardened config ? (like RHEL kickstart in upstream SCAP security guide) to check security profiles (cf. RHEL/6/tests/kickstart dir in SSG upstream)
  • Dashboard)
    • Compare: our supported checks, upstream checks, and a wishlist.
    • Each SCAP probe should be tested, both in unstable and testing
    • Each Debian distribution should be evaluated, for each relevant profile.
  • Write docs
  • Define communication channels so contributors can follow and participate (IRC, mailing list, etc.)

Later...

  • Translating the SCAP guide
  • Support older distribution
  • provide framework so maintainers can provide probes in their packages

Done

Upstream references sources

debian pkg VCS repositories