[Open-scap] customizing remediation

Jan Cerny jcerny at redhat.com
Fri Mar 17 08:07:02 UTC 2017


Hello,

Thank you for contacting us.
There are a few things that you might have done incorrectly.

In SCAP Workbench, after you click on "Customize", you will be prompted
for a new profile ID, which will be the ID of your custom profile.
Check that you use the new ID, and not the ID of the original profile, in your
commands. By default, it has "_customized" at the end. (It's possible
to change it.)

For scanning with customization, oscap needs the path to the original datastream,
a tailoring file, and the new profile ID. The correct command to scan
would be, for example, this:

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized --tailoring-file ssg-rhel7-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

(I have the tailoring file in the current working directory.)

For generating a customized fix script, again, oscap needs the path to the
original datastream, a tailoring file, and the new profile ID.
This should work:

oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized --tailoring-file ssg-rhel7-ds-tailoring.xml --output script.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Bash is the default, so specifying --template is not needed. At least it works for me with OpenSCAP 1.2.13.

I hope this helped you a little.

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.
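The check the reply above boils down to, as an added example that is not code from the thread or from the OpenSCAP project: read the customized profile ID and the original datastream path out of a SCAP Workbench tailoring file, confirm the ID you are about to pass is the customized one (not the profile it extends), make sure the file you are passing as the last argument is really a datastream rather than the tailoring file, and assemble the scan and generate-fix command lines with all three inputs. The tailoring file below is a constructed sample modelled on what SCAP Workbench writes after "Customize"; the helper names and the deselected rule ID are my own placeholders.

```shell
#!/bin/sh
# Added example, not code from the list thread or from OpenSCAP. It derives
# the customized profile ID and the original datastream path from a tailoring
# file, checks that the intended profile ID is the customized one, and builds
# the oscap scan / generate-fix command lines: datastream + tailoring + new ID.

# Constructed sample tailoring file, modelled on SCAP Workbench output;
# the deselected rule ID is a placeholder.
TAILORING="${TMPDIR:-/tmp}/ssg-rhel7-ds-tailoring.xml"
cat > "$TAILORING" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2017-03-16T22:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized" extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
    <xccdf:title override="true">STIG for RHEL 7 Server (customized)</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_PLACEHOLDER" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
EOF

# Return 0 if the file's root element is a Tailoring, i.e. it is not a datastream
# and must not be passed as the positional input of oscap.
is_tailoring_file() {
  grep -q '<[A-Za-z0-9.-]*:*Tailoring[ >]' "$1"
}

# Print the id="..." of the Profile element: the customized profile ID.
tailoring_profile_id() {
  grep -o '<[A-Za-z0-9.-]*:*Profile [^>]*' "$1" | sed -n 's/.* id="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the profile this customization extends: the original profile ID.
tailoring_extends_id() {
  grep -o '<[A-Za-z0-9.-]*:*Profile [^>]*' "$1" | sed -n 's/.* extends="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the datastream the tailoring was created against.
tailoring_benchmark_href() {
  grep -o '<[A-Za-z0-9.-]*:*benchmark [^>]*' "$1" | sed -n 's/.* href="\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 only if $2 equals the customized profile ID declared in tailoring $1.
# Passing the original (extended) ID instead is the mistake the thread describes.
check_profile() {
  [ -n "$2" ] && [ "$2" = "$(tailoring_profile_id "$1")" ]
}

# Command lines: $1 = datastream, $2 = tailoring file, $3 = fix script output.
scan_cmd() {
  printf 'oscap xccdf eval --profile %s --tailoring-file %s %s\n' \
    "$(tailoring_profile_id "$2")" "$2" "$1"
}
fix_cmd() {
  printf 'oscap xccdf generate fix --profile %s --tailoring-file %s --output %s %s\n' \
    "$(tailoring_profile_id "$2")" "$2" "$3" "$1"
}

DS=$(tailoring_benchmark_href "$TAILORING")
if ! is_tailoring_file "$TAILORING"; then
  echo "error: $TAILORING is not a tailoring file" >&2
  exit 1
fi
echo "customized profile : $(tailoring_profile_id "$TAILORING")"
echo "extends            : $(tailoring_extends_id "$TAILORING")"
echo "datastream         : $DS"
echo
echo "# scan with the customization:"
scan_cmd "$DS" "$TAILORING"
echo "# generate the matching fix script (bash is the default template):"
fix_cmd "$DS" "$TAILORING" my-remediation-script.sh
```

The script only prints the command lines; paste them into a shell on a host where the datastream exists. If `check_profile` fails for the ID you were about to use, you are passing the original profile ID and the deselected rules will still be evaluated and remediated.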
----- Original Message -----
> From: "Greg Silverman (CS)" <Greg.Silverman at veritas.com>
> To: open-scap-list at redhat.com
> Sent: Thursday, March 16, 2017 10:15:36 PM
> Subject: [Open-scap] customizing remediation
> 
> I am missing something when it comes to generating a customized fix script.
> 
> 1. In SCAP Workbench I deselect rules I do not want.
> 
> 2. I save the customization file.
> 
> 3. When I scan with the customization file, it still reports evaluation
> results on *some* of the rules I deselected.
> 
> 4. When I create the remediation script, with oscap xccdf generate fix, it
> generates a fix for the rules mentioned in 3.
> 
> This is the command I run
> 
> oscap xccdf generate fix --template urn:xccdf:fix:script:sh --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --output my-remediation-script.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds-tailoring.xml
> 
> i.e., using the tailored xccdf file.
> 
> What am I missing?
> 
> Thanks,
> 
> Greg Silverman
> 
> Veritas Technologies
> 