Amazon Linux Scap Content #7034

Closed
spensireli opened this issue May 21, 2021 · 8 comments
@spensireli

Description of problem:

I'm trying to make sense of this. Amazon Linux 2 STIG / SCAP content exists when you install scap-security-guide from the host, but does not exist in the release package on this Git project.

If you use an Amazon Linux machine and perform:

    yum install scap-security-guide -y

You will see SCAP content for Amazon Linux in /usr/share/xml/scap/ssg/content:

    ssg-amzn2-ds.xml
    ssg-amzn2-xccdf.xml

SCAP Security Guide Version:

scap-security-guide-0.1.40-12.amzn2.0.1.1.noarch

Operating System Version:

Amazon Linux 2 - 4.14.225-169.362.amzn2.x86_64

Steps to Reproduce:

  1. Launch an Amazon Linux 2 Instance
  2. yum install scap-security-guide
  3. ls -l /usr/share/xml/scap/ssg/content/ | grep amz
    -rw-r--r--. 1 root root 16894799 Apr 19 2019 ssg-amzn2-ds.xml
    -rw-r--r--. 1 root root 4037917 Apr 19 2019 ssg-amzn2-xccdf.xml
  4. wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.55/scap-security-guide-0.1.55-oval-510.zip
  5. unzip scap-security-guide-0.1.55-oval-510.zip
  6. ls -l scap-security-guide-0.1.55-oval-5.10/ |grep amz

Actual Results:

Packages ssg-amzn2-ds.xml and ssg-amzn2-xccdf.xml do not exist in the release.

Expected Results:

Packages ssg-amzn2-xccdf.xml and ssg-amzn2-ds.xml exist in the release when pulling via wget.

Additional Information/Debugging Steps:

What is also odd is that if you do an oscap info on the package that is pulled down from the Amazon Linux scap-security-guide, it shows profiles:

    Title: DISA STIG for Amazon Linux 2
        Id: xccdf_org.ssgproject.content_profile_stig-rhel7-disa

Which seems to be incorrect.
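
Added example, not part of the original post or the project's own code: a Python check that lists the profiles in an XCCDF or datastream file and flags profile ids that name a different product than the one expected, as with the stig-rhel7-disa id reported above. The sample XML is constructed, and the function names and the product-token list are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the profile quoted in the issue
# (not the real ssg-amzn2 content).
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_AMZN2">
  <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
    <title>DISA STIG for Amazon Linux 2</title>
  </Profile>
  <Profile id="xccdf_org.ssgproject.content_profile_standard">
    <title>Standard System Security Profile</title>
  </Profile>
</Benchmark>
"""

# Assumption: an illustrative list of product short names followed by a
# version number; it is not the project's product registry.
PRODUCT_TOKEN = re.compile(r"(?<![a-z0-9])(rhel|amzn|ol|sle|ubuntu|debian|fedora)\d+")


def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files both match."""
    return tag.rsplit("}", 1)[-1]


def list_profiles(xml_text):
    """Return [(profile_id, title)] for every Profile element, at any depth."""
    root = ET.fromstring(xml_text)
    profiles = []
    for elem in root.iter():
        if local(elem.tag) != "Profile":
            continue
        title = next((c.text or "" for c in elem if local(c.tag) == "title"), "")
        profiles.append((elem.get("id", ""), title.strip()))
    return profiles


def foreign_profiles(xml_text, expected_product):
    """Return profiles whose id names a product other than expected_product."""
    flagged = []
    for pid, title in list_profiles(xml_text):
        found = {m.group(0) for m in PRODUCT_TOKEN.finditer(pid.lower())}
        if found - {expected_product.lower()}:
            flagged.append((pid, title, sorted(found)))
    return flagged
```

To check installed content, pass the text of the XCCDF or datastream file as xml_text; profiles nested inside a datastream are found because the search covers every depth.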

@ggbecker
Member

This is probably developed by some other fork of this project and they haven't contributed back any of this work to upstream. The official ComplianceAsCode project has never had any Amazon Linux 2 content so far. So, I'm afraid we can't do much about it.

I've had this conversation in the past regarding content for Amazon Linux 2. It might interest you if you want to take this effort and propose contents for Amazon Linux 2.

@mattgialelis

Any idea if there are any plans for the official ComplianceAsCode project to have the Amazon Linux 2 variant of checks?

@ggbecker
Member

We don't have any plans to add Amazon Linux content to the project at this moment. This would probably need to be driven by Amazon itself or anyone else willing to contribute this new product to the project.

The content itself should be applicable for most of the cases, it's just a matter of creating the new product and making sure that rules are applicable to the new product.

@mattgialelis

Is there some documentation or a previous PR I could look at if I was considering contributing this feature?

@ggbecker
Member

> Is there some documentation or a previous PR I could look at if I was considering contributing this feature?

There is someone adding a new product at this moment: #8566

You can base the work on this PR.

@marcusburghardt
Member

@marcusburghardt added the labels Documentation (Update in project documentation.) and New Product (Issues or pull requests related to new Products.) on Mar 27, 2023
@ggbecker
Member

Again, there is the official documentation and a fresh PR that introduced a new product to the project that could be used as a template:

#10548

Feel free to propose a new product.

@marcusburghardt I would consider closing this ticket due to inactivity.

@marcusburghardt self-assigned this Aug 24, 2023
@marcusburghardt
Member

I agree.
