[Open-scap] Using profiles not distributed in
Greg Silverman
Greg.Silverman at veritas.com
Fri Feb 8 19:34:56 UTC 2019
Let me ask in a different way.
DISA published xml files with https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.zip. The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2 Release 2 (V2R2) selection of vulnerabilities. scap-security-guides versions 1.40+ contain a DISA profile and that profile contains the V1R4 list of vulnerabilities.
1. Can oscap v 1.2.17 consume the xml files at the DISA URL and evaluate a RHEL7 machine?
2. How do xml files like the ones at that URL get incorporated in a scap-security-guide, as was done with the DISA V1R4 files?
Thanks,
Greg
Message: 1
Date: Thu, 7 Feb 2019 12:32:31 -0500
From: Shawn Wells <shawn at redhat.com>
To: open-scap-list at redhat.com
Subject: Re: [Open-scap] Using profiles not distributed in
scap-security-guide
Message-ID: <db9c5189-c6e4-bd30-4c79-cb24f353fe80 at redhat.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
On 2/6/19 1:11 PM, Greg Silverman wrote:
>
> We want to use the DISA STIG for RHEL 7 V2R2 profile. The latest
> scap-security-guide RPM has V1R4. How is a profile xml file consumed
> by oscap?
>
Most use cases are covered in the RHEL documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_oscap
That said, has DISA started to publish OVAL for their content? Was under the impression they did not (only publish XCCDF).
More information about the Open-scap-list
mailing list