<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Exchange Server"> <style></style> </head> <body> <meta content="text/html; charset=UTF-8"> <style type="text/css" style="">  </style> <div dir="ltr"> <div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif"> <p>That file is the benchmark, not the manual STIG. oscap can scan with that. Here's what I did to scan it:</p> <p><br> </p> <p></p> <div>wget https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.zip</div> <div><span style="font-size:12pt">unzip U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.zip </span><br> </div> <div><span style="font-size:12pt">oscap info U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml </span><br> </div> <div><span style="font-size:12pt">oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Classified --results results.xml U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml </span><br> </div> <div><br> </div> The "info" line is just to get the profile name. If you have these memorized you can skip it. The fourth line spits out results both to the screen and to an XML file. If you want an html report, you can use "oscap xccdf generate report" on the results.xml file and it will make an HTML report. <p></p> <p><br> </p> <p>Be aware that sometimes not everything in the DISA manual STIGs are in their benchmarks. If you rely on just DISA benchmarks you might miss required configurations.</p> </div> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> open-scap-list-bounces@redhat.com <open-scap-list-bounces@redhat.com> on behalf of Shawn Wells <shawn@redhat.com><br> <b>Sent:</b> Friday, February 8, 2019 3:45:55 PM<br> <b>To:</b> open-scap-list@redhat.com<br> <b>Subject:</b> Re: [Open-scap] Using profiles not distributed in</font> <div> </div> </div> </div> <font size="2"><span style="font-size:10pt;"> <div class="PlainText"><br> On 2/8/19 2:34 PM, Greg Silverman wrote:<br> > Let me ask in a different way.<br> ><br> > DISA published xml files withhttps://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.zip. The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2 Release 2 (V2R2) selection of vulnerabilities. scap-security-guides versions 1.40+ contain a DISA profile and that profile contains the V1R4 list of vulnerabilities.<br> ><br> > 1. Can oscap v 1.2.17 consume the xml files at the DISA URL and evaluate a RHEL7 machine?<br> <br> <br> DISA only publishes what's called XCCDF -- essentially, human-readable <br> prose. DISA does not publish any automation that would result in a <br> pass/fail configuration scan.<br> <br> The most any SCAP tool could do with this content, including OpenSCAP, <br> would be to transform it from XML to HTML to ease reading:<br> <br> $ oscap xccdf generate guide \<br> U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.xml \<br> > ~/disa-guide.html<br> <br> <br> > 2. How do xml files like the ones at that URL get incorporated in a scap-security-guide, as was done with the DISA V1R4 files?<br> <br> Manually.<br> <br> Unfortunately DISA does not coordinate their content with DoD, NIST, <br> NSA, or even Red Hat. These parties only find out about DISA's content <br> when it's made publicly available.<br> <br> And also unfortunately, DISA does not provide a changelog of what was <br> changed. That means someone needs to go through the DISA content and <br> compare it by hand. From there a series of tickets are opened to discuss <br> alignment:<br> <br> <a href="https://github.com/ComplianceAsCode/content/issues?q=is%3Aissue+is%3Aopen+label%3A%22DISA+Content+Issues%22">https://github.com/ComplianceAsCode/content/issues?q=is%3Aissue+is%3Aopen+label%3A%22DISA+Content+Issues%22</a><br> <br> Once that ticket queue is resolved, the two bodies of content will be in <br> alignment.<br> <br> <br> _______________________________________________<br> Open-scap-list mailing list<br> Open-scap-list@redhat.com<br> <a href="https://www.redhat.com/mailman/listinfo/open-scap-list">https://www.redhat.com/mailman/listinfo/open-scap-list</a><br> </div> </span></font> </body> </html>