[Open-scap] customize scap report

Kenny Woodson kwoodson at redhat.com
Mon Jul 8 18:33:24 UTC 2019 

Thanks for the reply Jan.  Comments in-line.

On Mon, Jul 8, 2019 at 3:21 AM Jan Cerny <jcerny at redhat.com> wrote:

> Hi,
>
> You need to pass the ID of the customized profile in --profile instead
> of the ID of the original profile.
>
> The ID of the customized profile is the ID that Workbench prompted you
> when you clicked on "Customize" button.
> By default it's stig-rhel7-disa_customized. You can check by opening
> the tailoring file in a text editor and checking "id" attribute of the
> "Profile" element.
>
I updated the profile id and the same result entailed.

What solved this issue for me was adding the profile id as well as updating
the source security guide from
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
to
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

This allowed my tailoring-file to correctly be applied.

Thanks for the help.

>
> Regards
>
> On Thu, Jul 4, 2019 at 4:19 PM Kenny Woodson <kwoodson at redhat.com> wrote:
> >
> > I'm attempting to run openscap and I was looking for some assistance for
> customizing a security guide.
> >
> > I would like to disable options from the rhel7-stig-disa security
> guide.  For example, we do not allow ssh to our image and therefore would
> like to disable the check to install the screen package.
> >
> > I followed the instructions here:
> >
> https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
> >
> > This allowed me to capture the customized tailoring-file.  With this
> file I attempted to scan our image with the following command:
> >
> > oscap xccdf eval   --profile stig-rhel7-disa  \
> >  --results /tmp/scap-results.xml \
> >  --report /tmp/scap-report.html \
> >  --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
> >  --oval-results --fetch-remote-resources  \
> >  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
> /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
> >
> > I admit that I am new to openscap and I'm not sure I understand each of
> the options here but when viewing the results I continue to see that the
> screen
> > check fails.  Is this behavior expected?
> >
> > Here is the option in my tailoring-file:
> >     <xccdf:select
> idref="xccdf_org.ssgproject.content_rule_package_screen_installed"
> selected="false"/>
> >
> > I would appreciate some assistance or some explanation of how to achieve
> a customized security guide.
> >
> > Thanks,
> > kenny
> > _______________________________________________
> > Open-scap-list mailing list
> > Open-scap-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/open-scap-list
>
>
>
> --
> Jan Černý
> Security Technologies | Red Hat, Inc.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20190708/b3b1e70d/attachment.htm>

More information about the Open-scap-list mailing list