forked from sealingtech/CLIP
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathHelp-Use-Cases.txt
63 lines (50 loc) · 2.99 KB
/
Help-Use-Cases.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
CLIP targets several usage scenarios - each interacts and leverages CLIP in
different ways. Please review the use cases described below to better
understand how you can best use CLIP.
===================================================
1. Developer starting from scratch
A developer starting from scratch will leverage all of the features available
in CLIP:
- Remediation content (validated snapshots from Aqueuduct)
- Audit content (validated XCCDF & OVAL snapshots from SCAP Security Guide)
- Build system:
- mock for rolling RPMs from source
- Pungi for rolling installation ISOs
- Configuration management friendly yum repos and package lists
Developers starting from scratch should insert any new sources into the
packages/ directory. This source will be rolled up into RPMs, placed into yum
repositories, and can then be included and used in a kickstart ending up in the
installed system.
===================================================
2. Developer with existing custom yum repositories but needs help rolling ISOs
This developer already has packages and yum repositories, but will use the
following CLIP features:
- Remediation content (validated snapshots from Aqueuduct)
- Audit content (validated XCCDF & OVAL snapshots from SCAP Security Guide)
- Build system:
- Pungi for rolling installation ISOs
- Configuration management friendly yum repos and package lists
This developer uses the CLIP build system to roll ISOs with the remediation
content, audit content, and existing custom packages present. This developer
must add an entry to CONFIG_REPOS that points to the developer’s custom yum
repo. Once the repo is added to the configuration file the developer will
modify the kickstart adding to add the custom packages. The custom packages
will be installed and rolling ISOs.
===================================================
3. Developer who only wants the remediation and audit content
These developers already have packages and yum repositories and can already
roll ISOs. They only want to leverage the following features:
- Remediation content (validated snapshots from Aqueuduct)
- Audit content (validated XCCDF & OVAL snapshots from SCAP Security Guide)
NOTE: Tresys recommends moving to the CLIP build system, which was developed
based on our experiences developing cross domain solutions. One of the issues
we frequently encounter is the lack of reproducibility of builds. This build
system allows you to roll RPMs in mock eliminating build host dependencies. It
allows you to version the packages used to roll an RPM. It manages yum
repositories and carries patched versions of ISO generation tools to address a
number of problems in those tools.
If the developer chooses to only use the remediation and audit content as
described in the third scenario, the developer must roll the needed RPMs by
running "$ make scap-security-guide-rpm" and "$ make aqueduct-rpm". The
generated RPMs will be placed in repos/clip-repo. You can then copy the RPMs
into into the build environment and roll ISOs.