
From Openscap

Contribute

Plans

short term goals

  • SCAP 1.2 USGCB Scanner
    • OVAL 5.10 - http://oval.mitre.org/language/version5.10/#new
      • 29004 prevent use of empty filename entities when not using xsi:nil='true' or var_ref
      • 27593 add support for a unique function
      • 27587 add support for a count function
      • 31008 update the linux-def:iflisteners_test such that only applications bound to ethernet interfaces are considered
      • 29906 rpmverify: allow the filepath entity to refer to directories
      • 30485 add enumeration values to the linux-def:EntityStateFileSystemTypeType and linux-sc:EntityItemFileSystemTypeType enumerations
      • 30418 Add 'applicability_check' attribute to Criteria, Criterion, & Extend_Definition.
      • 30044 Need to support empty value in filename entities when operation=pattern match
      • 30364 change the unix-def:sysctl_item/value entity such that it has a maxOccurs='unbounded'
      • 29512 Need a none-of-the-above value for linux-sc:EntityStateFileSystemTypeType
      • 29911 add FileBehaviors to the selinuxsecuritycontext_object
      • 29511 Need a none-of-the-above value for lin-def:EntityStateFileSystemTypeType
      • 29708 add an enumeration value for MySQL to the various EngineType enumerations associated with the sql57_test
      • 30138 the datatype of the user_id entity in the linux-def:iflisteners_test and the linux-sc:iflisteners_item should be an int
      • 31389 deprecate the include_group behavior wherever the resolve_group behavior is deprecated
      • 30926 investigate the current state of implementing the operations for the fileset_revision datatype
      • 29010 consider the outstanding issues associated with the mask attribute
      • 25830 clarify the interpretation of filesystem searching behaviors
      • 31762 the name entity in the rpm-based tests does not uniquely identify an rpm on the system
      • 31761 allow for the ability to map between the linux-def:rpminfo_test and the linux-def:rpmverifyfile_test and linux-def:rpmverifypackage_test
      • 31729 change all uses of the xsd:any element from @processContents="skip" to @processContents="lax"
      • 31582 product_name in the GeneratorType SHOULD be a CPE Name
      • 29970 Split rpmverify test into two tests
      • 32092 document the status to use when the information for an entity is not set
      • 31870 file behavior documentation clarifications
      • 28515 Clarify documentation of oval-def:object element
      • 27859 clarify the ambiguity in the EntityBaseType documentation
      • 30045 schematron rule prevents the use of an empty value in the user_id and group_id entities
      • 29491 clarify unix-def:runlevel_test documentation
      • 30046 we need to document the unix-def:password_object, unix-def:password_state, and unix-sc:password_item constructs
      • 29338 further discuss and specify the variable_instance attribute
      • 30893 we need to document the result of evaluating a deprecated definition
      • 30857 clarify set operators' documentation
      • 29912 fix the inconsistent documentation regarding the status of entities where xsi:nil="true"
      • 30102 document usage of Asset Identification (AI) in OVAL
      • 30013 discuss and clarify the documentation changes made to oval-sc:ObjectType (tracker items 24219 and 24220) during the OVAL 5.7 release
    • XCCDF 1.2
      • support extended metadata usage
      • dc-status
      • negate
      • complex-value
      • support overlapping selector scopes
      • check-import
      • deprecate impact-metric
      • deprecate rule-result
      • deprecate Group extension (attributes "abstract" and "extends")
      • support Tailoring document
      • support Benchmark.ManualTailoring step
      • support @multi-check attribute
      • xccdf:Rule/rule-result property "ident" (element) - can contain custom attributes from external namespaces
    • CPE 2.3
      • @id in Benchmark, Rule, Group, Value, Profile, TextResult and Tailoring has a strict format
      • support @target-id-ref
      • predefined scoring models
      • deprecate cpe-list
      • deprecate platform-definitions
      • deprecate Platform-Specification
    • OCIL 2.0
      • create sample OCIL content
      • parse OCIL into internal model
      • incorporate OCIL into XCCDF driven evaluation
  • Script Check Engine (SCE)
    • experimental support
    • sample policy for fedora
    • scap-workbench integration
    • sandbox
  • improve documentation
    • puppet/openvas integration
    • environment variables
    • how to debug
    • how to use First Aid Kit remote scan
    • how to use oscap tool in cron job or init.d service
  • Bugs to fix:

long term goals

  • Pass SCAP Validation Program
  • Integration with system management solution
    • spacewalk
    • puppet
    • foreman
    • nagios
  • selinux context for openscap probes


Bug and Feature Tracking

We use Red Hat's Bugzilla to track bugs and features. Please fill out this form and choose openscap as the component.

Submitting Changes

OpenSCAP is licensed under the LGPL. By submitting a patch for inclusion in OpenSCAP, you are agreeing to license your changes under the LGPL.

Changes to the repository are submitted as patches on the OpenSCAP mailing list. The best way to prepare a patch is to get a fresh copy of the git repository:

git clone git://git.fedorahosted.org/openscap.git

commit the change locally and use:

git format-patch -1 commit-id

to export the patch. commit-id is the ID (hash) of the commit you want to send (use 'git log' to see it).
