How do we handle Fedora content currently? #7490

alexhaydock · 2021-08-30T19:41:46Z

alexhaydock
Aug 30, 2021

I've been having a look at the Fedora content with the aim of applying one of the generic profiles during install via Kickstart. The OSPP profile looks like a nice base to start from.

Unfortunately, the Anaconda OpenSCAP addon doesn't seem to work on Fedora 34:

%addon org_fedora_oscap
        content-type = scap-security-guide
        profile = xccdf_org.ssgproject.content_profile_ospp
%end

This doesn't seem to run the actual hardening step during the install and when I look I'm guessing this is down to the fact that the Fedora product seems to only match on the CPE for Fedora 32:

content/products/fedora/product.yml

Lines 19 to 23 in 0b542bf

    
           cpes: 
        
             - fedora: 
        
                 name: "cpe:/o:fedoraproject:fedora:32" 
        
                 title: "Fedora 32" 
        
                 check_id: installed_OS_is_fedora

Having a look at the actual reference material for the OSPP profile, the contents don't seem to be version-specific to any particular OS, and the controls are more generic.

So, with that in mind, how are we handling updating CPEs for the Fedora content? It seems to me that (in theory) we should just be able to add new CPE versions any time new Fedora versions are released in the section of the product.yml file I highlighted above - at least until some sort of major breaking change is made either to the guidance, or within Fedora.

It seems to me that if we could expand the CPE range for Fedora, it would enable this easy method of native hardening during Kickstart using the scap-security-guide package. I'm guessing maybe this just hasn't been done because there's not a huge amount of demand for compliance-based hardening on such a fast-moving target like Fedora.

Or am I missing something here about how Fedora content is handled and versioned?

jan-cerny · 2021-09-10T14:23:36Z

jan-cerny
Sep 10, 2021
Maintainer

Fedora content should be applicable to currently supported versions of Fedora. Unfortunately, we don't actively manage it, it seems that for most of the contributors Fedora content is a low priority at this moment. The missing CPEs are a bug and the CPE range should be extended.

3 replies

alexhaydock Sep 10, 2021
Author

If that's a bug and not intentional then I can take this one, since I have an entirely selfish interest in making it easier to enable OSPP hardening on Fedora 😉

jan-cerny Sep 13, 2021
Maintainer

Great! I believe it's a bug and it isn't intentional.

alexhaydock Sep 13, 2021
Author

I gave this a go as #7546. Hopefully I'm on the right track.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How do we handle Fedora content currently? #7490

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

How do we handle Fedora content currently? #7490

alexhaydock Aug 30, 2021

Replies: 1 comment · 3 replies

jan-cerny Sep 10, 2021 Maintainer

alexhaydock Sep 10, 2021 Author

jan-cerny Sep 13, 2021 Maintainer

alexhaydock Sep 13, 2021 Author

alexhaydock
Aug 30, 2021

Replies: 1 comment 3 replies

jan-cerny
Sep 10, 2021
Maintainer

alexhaydock Sep 10, 2021
Author

jan-cerny Sep 13, 2021
Maintainer

alexhaydock Sep 13, 2021
Author