Thanks for the comments guys. It helps me understand where things are and where they might be going.
For me, I would write an (initial) user story much along the lines of: "I would like to be able to parse oscap results into a MySQL database so that I can compare specific aspects of these results to others from the same server or from other servers."

I word it like this because I (personally) am not looking for a larger application framework (user interface, authentication, etc) that has to come along with the central database. I also like the idea of not being tied to one database engine and/or using a standardized API, but an API sounds like a few stories down the road.

Anyway, I'm grateful for the thoughts. I was initially just checking to make sure that before I start working on converting the XML to SQL (probably with xslt and Python) that someone else hasn't already done that. I hate it when I build something only to find out later that someone in the community has already built it (and probably way better).

---------------
Luke Salsich

On Wed, Jan 31, 2018 at 5:42 PM, Trevor Vaughan <[email protected]> wrote:

> Is OpenControl decided on?
>
> It's not an approved standard from NIST, there seem to be standards in
> place, or being developed, that would support what it's trying to do, and
> it's *extremely* loosely defined to the point of constant
> misinterpretation. (Please let's not go down the route of "the
> implementation is the standard", that way lies madness of the 90's).
>
> I also still have had issues with actually maintaining the content once it
> has been reasonably formed in the first place.
>
> Though the controls are *extremely* odious, it seems like the tooling
> needs to go into the content management experience as opposed to a git
> workflow that we expect ISSOs to be able to use (I simply haven't found it
> yet).
>
> I LOVE the idea, but the practical execution and maintenance over time has
> yet to be proven.
>
> On the centralized DB idea, it's XML, import translations to SQL (or
> anything else) should be an XSLT away!
>
> I don't think that dictating any database in particular is a good idea for
> SCAP but I do think that making it easy to put the data into processable
> chunks would be a good idea. That said, it's pretty easy to parse the XML
> and I think some consolidated libs in the most common languages would go a
> long way (Python, Ruby, PERL(maybe?), SQL99+ standard output for automatic
> DB creation in <DB of choice>).
>
> Thinking about this, it might be nice to have a standardized SCAP server
> with a standardized API for queries. That I could 100% get behind so that
> everything could be vendor agnostic.
>
> Thanks,
>
> Trevor
>
> On Wed, Jan 31, 2018 at 4:45 PM, Shawn Wells <[email protected]> wrote:
>
>>
>>
>> On 1/31/18 10:22 PM, Luke Salsich wrote:
>>
>> Hey all,
>>
>> I've been using OpenSCAP for a while on our servers and really appreciate
>> what it does.
>>
>> I've been looking around for a way to store scan results and then query
>> them and I can't seem to locate any plugins or apps which do this other
>> than SCAPTimony.
>>
>> SCAPTimony sounds great, but I'm not sure it's currently maintained and I
>> don't really want to dive into Foreman just to store Oscap results.
>>
>> What does the community use for this kind of scan / report storing and
>> querying?
>>
>> We're currently using Ansible AWX to run scans and to manage remediation.
>> Love to find a way to pull that XML into a central database.......
>>
>>
>> This week was DevConf in Brno [0] and this very topic came up multiple
>> times! The quick answer being broad agreement that "yes this must happen."
>>
>> There are partner projects like Foreman (upstream) and Satellite
>> (downstream) which integrate scanning into their embedded databases. In
>> general there is a desire to unify SCAP with OpenControl for central
>> reporting though.
>>
>> Many are in transit from Brno back home over the next few days, or
>> recovering locally from staying out all night for the past week :) Some
>> responses might be slightly delayed because of this.
>>
>> If you could have database integration with SCAP.... what all would you
>> want it to do? Could you help the community form a few user stories?
>>
>>
>> [0] https://devconf.cz/cz/2018
>>
>> _______________________________________________
>> scap-security-guide mailing list -- [email protected]
>> rahosted.org
>> To unsubscribe send an email to scap-security-guide-leave@list
>> s.fedorahosted.org
>>
>>
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
>
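
Added example (not part of the thread, and not code from OpenSCAP or from any poster): a sketch of the user story above, loading XCCDF 1.2 `rule-result` entries into SQL and comparing two servers. It assumes SQLite as a stand-in for MySQL so it runs offline; the table layout, function names, host names and sample XML are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample results, trimmed to the elements the loader reads.
SAMPLE_A = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <TestResult id="xccdf_org.example_testresult_a" end-time="2018-01-31T17:00:00">
  <target>web01.example.com</target>
  <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_enabled"><result>fail</result></rule-result>
 </TestResult></Benchmark>"""
SAMPLE_B = SAMPLE_A.replace("web01", "web02").replace(">pass<", ">fail<")

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS rule_result (
        host TEXT NOT NULL, scanned_at TEXT NOT NULL, rule_id TEXT NOT NULL,
        result TEXT NOT NULL, PRIMARY KEY (host, scanned_at, rule_id))""")
    return db

def load_results(db, xml_text):
    """Store every rule-result of every TestResult; return the row count."""
    root = ET.fromstring(xml_text)  # results come from scanned hosts: untrusted input
    rows = []
    for tr in root.iter("{%s}TestResult" % NS["x"]):
        host = tr.findtext("x:target", default="unknown", namespaces=NS)
        when = tr.get("end-time", "")
        for rr in tr.findall("x:rule-result", NS):
            status = rr.findtext("x:result", default="unknown", namespaces=NS)
            rows.append((host, when, rr.get("idref"), status))
    # Bound parameters keep scanner-supplied strings out of the SQL text.
    db.executemany("INSERT OR REPLACE INTO rule_result VALUES (?,?,?,?)", rows)
    db.commit()
    return len(rows)

def diff_hosts(db, host_a, host_b):
    """Rules whose most recent result differs between two hosts."""
    q = """SELECT a.rule_id, a.result, b.result
           FROM rule_result a JOIN rule_result b ON a.rule_id = b.rule_id
           WHERE a.host = ? AND b.host = ? AND a.result <> b.result
             AND a.scanned_at = (SELECT MAX(scanned_at) FROM rule_result WHERE host = a.host)
             AND b.scanned_at = (SELECT MAX(scanned_at) FROM rule_result WHERE host = b.host)
           ORDER BY a.rule_id"""
    return db.execute(q, (host_a, host_b)).fetchall()

if __name__ == "__main__":
    db = open_db()
    load_results(db, SAMPLE_A), load_results(db, SAMPLE_B)
    print(diff_hosts(db, "web01.example.com", "web02.example.com"))
```

Because result files originate on the machines being assessed, a central collector should parse them with a hardened XML parser (for example `defusedxml`) and keep using bound parameters as shown.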
