As original author of SCAPtimony, I feel urged to come in and say here
is my $0.02 coin.
After spending some time on OpenSCAP development, I started wondering
where all the results of the scans go. I thought there has to be immense
need to make sense of the data organizations have and make a use of it.
For instance scan-result-diff in Satellite 5 was highly regarded at the
time. The other idea was to waive certain rule on certain system. And
there were more ideas like that.
Unfortunately, SCAPtimony project did not receive a traction I hoped
for. And hence the development stopped. Later on, Satellite 6 absorbed
SCAPtimony code, so community can no longer leverage what they did since.
To this day, I am surprised there is no lean and functional microservice
to store, query and postprocess SCAP results. I am still ready, to make
the SCAPtimony fly, but I would need a funding.
The standardization was also mentioned in the thread, so let me share my
view on that as well. I think the standardization is great in theory. I
was huge fun of standardizations after coming out from uni. However,
after few years I realized that it is extremely hard to write standards
that are comprehensive and usable at the same time.
The way you can write good standard is to learn first. Let the
businesses or independent actors come up with few solutions, notice
similarities, standardize them. Let the businesses adopt that and
To return back to the topic. Parsing XML to SQL models/tables is great
idea and many freshmen would certainly love to jump on it. My gut tells
me, however, this is not the best (or sensible) way. I sometimes
struggle to describe why my gut says what it says, but consider
following: If I were founding start-up on building SCAP database, I
would surely not be parsing entities to SQL for sure.
On 01/31/2018 10:22 PM, Luke Salsich wrote:
> Hey all,
> I've been using OpenSCAP for a while on our servers and really
> appreciate what it does.
> I've been looking around for a way to store scan results and then query
> them and I can't seem to locate any plugins or apps which do this other
> than SCAPTimony.
> SCAPTimony sounds great, but I'm not sure it's currently maintained and
> I don't really want to dive into Foreman just to store Oscap results.
> What does the community use for this kind of scan / report storing and
> We're currently using Ansible AWX to run scans and to manage
> remediation. Love to find a way to pull that XML into a central
> Thanks very much.
> Luke Salsich
> Open-scap-list mailing list
Open-scap-list mailing list