[Open-scap] Using the 'STIG ID' value to identify a rule

Alexander Bergmann abergmann at suse.com
Mon May 17 15:57:49 UTC 2021


Hi Terry,

I haven't checked the code in detail (yet), but as far as I can tell
there is no way to select a rule via a present reference.

The STIG ID is listed as a reference inside the Rule statement itself.
From the technical point it should be possible to implement such a
feature inside OpenSCAP, but I'm not sure if this is desirable. A
reference is simply not a clear identifier. Some references will also be
used several times in different rules.

<xccdf-1.2:Rule id="xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported" selected="false" severity="high"> 
...
  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">SLES-12-010000</xccdf-1.2:reference>
...
</xccdf-1.2:Rule>

From the SCAP point of view, STIG is only one profile of many.

Maybe one way to explore would be the use of CCEs as a direct rule
identifier. We assign CCEs to each STIG requirement 1:1 and they are
listed inside the OpenSCAP output.

Title   The Installed Operating System Is Vendor Supported
Rule xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported
Ident   CCE-83001-8
Result  pass

So maybe that would be something for a future release.


Regards,
Alex~

On Fri, May 14, 2021 at 05:45:59PM +0000, Lemons, Terry wrote:
> Hi
> 
> I recently learned about OpenSCAP, and it seems to fill a need in my team. My team needs to address (close) all of the rules in the SLES 12 STIG on our product. It seems that using oscap, along with the most-recent 'scap-security-guide' (which appears to cover 146 SLES 12 STIG rules), will allow me to see which rules are open ('oscap xccdf eval') and to implement changes to close those rules ('oscap xccdf eval -remediate').
> 
> I know that I can use the '-rule' option to specify the name of a single rule to evaluate or remediate.
> 
> Our group identifies rules to be fixed, in our work management system and other systems, by the SLES 12 STIG 'STIG ID' value (ex., SLES-12-010000). I tried to use this value in the '-rule' option, and it failed to identify/find that rule.
> 
> How can I make oscap operate on a rule identified by 'STIG ID' value (or, even better, on a file containing a list of 'STIG ID' rules)?
> 
> Thanks!
> tl
> 
> Terry Lemons
> 
> Data Management
> Infrastructure Solutions Group
> 
> 176 South Street, MS 2/B-34
> Hopkinton MA 01748
> terry.lemons at dell.com
> 


-- 
Alexander Bergmann <abergmann at suse.com>
Security Engineer, GPG: E30A 65A4 0F50 0066 B2B5  F614 DE54 E875 9FFA 4886
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nuremberg, Germany
(HRB 36809, AG Nürnberg)
Managing Director: Felix Imendörffer
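The thread's point is that the STIG ID lives only in a Rule's <reference> element, which oscap cannot select on, while the Rule id (and the 1:1 CCE in <ident>) can. The following is an added example, not OpenSCAP or scap-security-guide code: it walks an XCCDF document, builds a STIG-ID-to-rule map (keeping a list per STIG ID, since the same reference value can appear in several rules), and emits one `oscap xccdf eval --rule` command per matching rule. The XCCDF document, the second and third rules, and the datastream/profile names are constructed placeholders; only the first rule mirrors the one quoted above.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
STIG_HREF = ("https://public.cyber.mil/stigs/downloads/"
             "?_dl_facet_stigs=operating-systems%2Cunix-linux")

# Constructed XCCDF fragment shaped like the Rule quoted in the thread; the
# second and third rules, their STIG IDs and CCE values are invented, and the
# third rule deliberately reuses a STIG ID to show why a reference is ambiguous.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark">
  <Rule id="xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported" selected="false" severity="high">
    <title>The Installed Operating System Is Vendor Supported</title>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83001-8</ident>
    <reference href="{STIG_HREF}">SLES-12-010000</reference>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_example_a" selected="false" severity="medium">
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-0</ident>
    <reference href="{STIG_HREF}">SLES-12-999999</reference>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_example_b" selected="false" severity="medium">
    <reference href="{STIG_HREF}">SLES-12-999999</reference>
  </Rule>
</Benchmark>"""


def stig_to_rules(xccdf_xml, stig_href=STIG_HREF):
    """Return {stig_id: [(rule_id, cce_or_None), ...]} from every Rule whose
    <reference href> is the STIG download page. A list is kept per STIG ID
    because one reference value may be shared by several rules."""
    ns = {"x": XCCDF_NS}
    mapping = {}
    for rule in ET.fromstring(xccdf_xml).iter(f"{{{XCCDF_NS}}}Rule"):
        ident = rule.find("x:ident", ns)
        cce = ident.text.strip() if ident is not None and ident.text else None
        for ref in rule.findall("x:reference", ns):
            if ref.get("href") == stig_href and ref.text:
                mapping.setdefault(ref.text.strip(), []).append((rule.get("id"), cce))
    return mapping


def oscap_commands(xccdf_xml, stig_ids, datastream="DATASTREAM.xml", profile="PROFILE_ID"):
    """One 'oscap xccdf eval --rule ...' per matching rule (one --rule per
    invocation keeps this valid on older oscap releases), plus the STIG IDs
    that matched nothing so they are reported instead of silently dropped."""
    mapping = stig_to_rules(xccdf_xml)
    commands, missing = [], []
    for sid in stig_ids:
        if sid not in mapping:
            missing.append(sid)
            continue
        for rule_id, _cce in mapping[sid]:
            commands.append(f"oscap xccdf eval --profile {profile} --rule {rule_id} {datastream}")
    return commands, missing
```

Feed the list of STIG IDs from the work-management system into oscap_commands and check the `missing` list before running anything; append `--remediate` to each command only once the evaluation output has been reviewed.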