Hi Jan, Thanks for taking the time to respond.
> But the issue is right now there isn't motivation to do that. Let me
> explain - the Red Hat Enterprise Linux 6 CVE OVAL changes pretty quickly (to my
> knowledge it's updated every 12 hours). So instructing oscap / scap-workbench tools
> to use cached XML file from some chosen location would be prone to "false
> sense of security" (suppose 2 weeks outdated "Red_Hat_Enterprise_Linux_6.xml"
> file that would be used to scan the system in question rather than more recent
> one - this could result in state the system wouldn't be reported as vulnerable to
> pretty lot of CVE issues).

The motivation in our case is to have regular scans of machines on an air gapped network using up-to-date (within some reasonable time frame) scanning content. Given that the machines will be offline from the internet there is an acceptable limitation that they can only be as up to date in packages and scanning content as the frequency of the scheduled maintenance window.

> Maybe we could consider enhancing the current implementation (to honour
> remote OVAL timestamps / MD5 sums and use cached version if possible).
> But this:
> * First needs scap-workbench RFE ticket,
> * Itself is subject of upstream discussion, and can be closed as hard /
> impossible to implement properly.

What might be easier is to allow the "save as RPM" option in the SCAP Workbench for saving customizations to fetch any remote resources and package them in the resulting RPM and have the resulting tailoring file point to them with file:// instead. Thoughts?
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/
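The thread's two concerns (a stale cached OVAL file silently producing a clean report, and honouring the remote file's timestamp / MD5 sum before trusting a cached copy) can be turned into a pre-scan gate that a maintenance-window script runs before invoking oscap. The script below is an added example for this thread, not SCAP Workbench or OpenSCAP code. It assumes the cache is a plain directory holding the OVAL XML together with the MD5 sum recorded when the file was fetched, and it builds its own constructed sample OVAL files (only the OVAL `generator` header with its `oval:timestamp` is needed for the age check).

```python
"""Staleness and integrity gate for a cached OVAL file before an offline scan.

Added example, not OpenSCAP or SCAP Workbench code. Assumptions: the cache is a
directory with the OVAL XML plus the MD5 sum recorded at fetch time, and the
maximum acceptable content age is chosen by the operator (7 days below).
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace of the generator header every OVAL definitions file carries.
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"

# Constructed sample OVAL content: only the generator timestamp matters here.
SAMPLE_OVAL = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:product_name>constructed sample</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>{ts}</oval:timestamp>
  </generator>
  <definitions/>
</oval_definitions>
"""


def oval_timestamp(path):
    """Return the generator timestamp of an OVAL file as an aware UTC datetime."""
    root = ET.parse(path).getroot()
    node = root.find(".//{%s}timestamp" % OVAL_NS)
    if node is None or not node.text:
        raise ValueError("no oval:timestamp in %s" % path)
    ts = datetime.fromisoformat(node.text.strip().replace("Z", "+00:00"))
    if ts.tzinfo is None:  # OVAL timestamps are usually naive; treat them as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def md5_of(path):
    """MD5 of a file, matching the sum recorded when the content was fetched."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_cached_oval(path, expected_md5, max_age, now=None):
    """Decide whether a cached OVAL file may be used for a scan.

    Returns (ok, reason). The file is rejected when its MD5 does not match the
    recorded sum (tampered or truncated copy) or when its generator timestamp
    is older than max_age, so a stale cache fails loudly instead of yielding a
    clean-looking report.
    """
    now = now or datetime.now(timezone.utc)
    actual = md5_of(path)
    if actual != expected_md5:
        return False, "md5 mismatch: %s != %s" % (actual, expected_md5)
    age = now - oval_timestamp(path)
    if age > max_age:
        return False, "content is %d days old, limit is %d days" % (age.days, max_age.days)
    return True, "ok (%d days old)" % age.days


def write_sample(dirname, name, ts):
    """Write a constructed OVAL file and return (path, md5) as a fetch would record."""
    path = os.path.join(dirname, name)
    with open(path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_OVAL.format(ts=ts))
    return path, md5_of(path)


def demo():
    """Run the gate against a fresh, a two-week-old, and a tampered constructed file."""
    now = datetime(2014, 3, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    limit = timedelta(days=7)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        fresh, fresh_md5 = write_sample(d, "fresh.xml", "2014-03-14T06:00:00")
        results["fresh"] = check_cached_oval(fresh, fresh_md5, limit, now)
        stale, stale_md5 = write_sample(d, "stale.xml", "2014-03-01T06:00:00")
        results["stale"] = check_cached_oval(stale, stale_md5, limit, now)
        # A recorded sum that no longer matches fails before the age check runs.
        results["tampered"] = check_cached_oval(fresh, "0" * 32, limit, now)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-9s %s  %s" % (name, "USE" if ok else "REJECT", reason))
```

In a maintenance-window workflow the `expected_md5` would be the sum recorded on the connected host at download time and carried across with the file; the thread talks about MD5 sums, so the example uses MD5 to match, but a SHA-256 sum serves the same purpose with a stronger hash. The age limit is the policy knob: it should be no longer than the maintenance-window cadence, so that a scan can never run against content older than the last window.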
