[Open-scap] customize scap report
Kenny Woodson
kwoodson at redhat.com
Mon Jul 8 18:33:24 UTC 2019
Thanks for the reply Jan. Comments in-line.
On Mon, Jul 8, 2019 at 3:21 AM Jan Cerny <jcerny at redhat.com> wrote:
> Hi,
>
> You need to pass the ID of the customized profile in --profile instead
> of the ID of the original profile.
>
> The ID of the customized profile is the ID that Workbench prompted you
> when you clicked on "Customize" button.
> By default it's stig-rhel7-disa_customized. You can check by opening
> the tailoring file in a text editor and checking "id" attribute of the
> "Profile" element.
>
I updated the profile id and the same result entailed.
What solved this issue for me was adding the profile id as well as updating
the source security guide from
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
to
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
This allowed my tailoring-file to correctly be applied.
Thanks for the help.
>
> Regards
>
> On Thu, Jul 4, 2019 at 4:19 PM Kenny Woodson <kwoodson at redhat.com> wrote:
> >
> > I'm attempting to run openscap and I was looking for some assistance for
> customizing a security guide.
> >
> > I would like to disable options from the rhel7-stig-disa security
> guide. For example, we do not allow ssh to our image and therefore would
> like to disable the check to install the screen package.
> >
> > I followed the instructions here:
> >
> https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
> >
> > This allowed me to capture the customized tailoring-file. With this
> file I attempted to scan our image with the following command:
> >
> > oscap xccdf eval --profile stig-rhel7-disa \
> > --results /tmp/scap-results.xml \
> > --report /tmp/scap-report.html \
> > --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
> > --oval-results --fetch-remote-resources \
> > --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
> /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
> >
> > I admit that I am new to openscap and I'm not sure I understand each of
> the options here but when viewing the results I continue to see that the
> screen
> > check fails. Is this behavior expected?
> >
> > Here is the option in my tailoring-file:
> > <xccdf:select
> idref="xccdf_org.ssgproject.content_rule_package_screen_installed"
> selected="false"/>
> >
> > I would appreciate some assistance or some explanation of how to achieve
> a customized security guide.
> >
> > Thanks,
> > kenny
> > _______________________________________________
> > Open-scap-list mailing list
> > Open-scap-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/open-scap-list
>
>
>
> --
> Jan Černý
> Security Technologies | Red Hat, Inc.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20190708/b3b1e70d/attachment.htm>
More information about the Open-scap-list
mailing list