On 02/02/2018 03:18 PM, Luke Salsich wrote:
> Hi Simon,
> I am surprised that SCAPtimony did not get traction as well.
> When you say
> "To this day, I am surprised there is no lean and functional microservice
> to store, query and postprocess SCAP results."
> What would you suggest? I ask because it seems like there is a
> discussion about a lean microservice (to start with) and then a
> discussion about a larger application or framework which can then make
> use of the stored data. Personally, I don't think these two discussions
> conflict. I think they are describing the first small step to a
> microservice and then maybe to something larger after that.
When I said `that I am surprised that there is no lean and functional
microservice to store, query and postprocess SCAP results` I was trying to
imply that the task is really not that hard.
Take SCAPtimony and you are pretty close. I think it's about 1 month of
full-time developer time (assuming she really knows what she is doing and
she can afford to not look at mails, ignore sprints, scrums, managers,
re-orgs and other urgent non-important things).
> But I would be interested to hear your thoughts on this.
> Luke Salsich
> On Fri, Feb 2, 2018 at 8:21 AM, Šimon Lukašík <sluka...@redhat.com
> <mailto:sluka...@redhat.com>> wrote:
> As original author of SCAPtimony, I feel urged to come in and say here
> is my $0.02 coin.
> After spending some time on OpenSCAP development, I started wondering
> where all the results of the scans go. I thought there has to be immense
> need to make sense of the data organizations have and make a use of it.
> For instance scan-result-diff in Satellite 5 was highly regarded at the
> time. The other idea was to waive a certain rule on a certain system. And
> there were more ideas like that.
> Unfortunately, the SCAPtimony project did not receive the traction I hoped
> for. And hence the development stopped. Later on, Satellite 6 absorbed
> SCAPtimony code, so the community can no longer leverage what they did
> To this day, I am surprised there is no lean and functional microservice
> to store, query and postprocess SCAP results. I am still ready to make
> SCAPtimony fly, but I would need funding.
> The standardization was also mentioned in the thread, so let me share my
> view on that as well. I think the standardization is great in theory. I
> was a huge fan of standardization after coming out from uni. However,
> after a few years I realized that it is extremely hard to write standards
> that are comprehensive and usable at the same time.
> The way you can write a good standard is to learn first. Let the
> businesses or independent actors come up with a few solutions, notice
> similarities, standardize them. Let the businesses adopt that and
> iterate again.
> To return back to the topic. Parsing XML to SQL models/tables is a great
> idea and many freshmen would certainly love to jump on it. My gut tells
> me, however, this is not the best (or sensible) way. I sometimes
> struggle to describe why my gut says what it says, but consider the
> following: If I were founding a start-up on building a SCAP database, I
> would surely not be parsing entities to SQL for sure.
> On 01/31/2018 10:22 PM, Luke Salsich wrote:
> > Hey all,
> > I've been using OpenSCAP for a while on our servers and really
> > appreciate what it does.
> > I've been looking around for a way to store scan results and then
> > them and I can't seem to locate any plugins or apps which do this
> > than SCAPTimony.
> > SCAPTimony sounds great, but I'm not sure it's currently maintained and
> > I don't really want to dive into Foreman just to store Oscap results.
> > What does the community use for this kind of scan / report storing and
> > querying?
> > We're currently using Ansible AWX to run scans and to manage
> > remediation. Love to find a way to pull that XML into a central
> > database.......
> > Thanks very much.
> > ---------------
> > Luke Salsich
> > _______________________________________________
> > Open-scap-list mailing list
> > Openfirstname.lastname@example.org <mailto:Openemail@example.com>
> > https://www.redhat.com/mailman/listinfo/open-scap-list