Hello,

Thank you for contacting us. There are a few things that you might have done incorrectly.

In SCAP Workbench, after you click on "Customize", you will be prompted for a new profile ID, which will be the ID of your custom profile. Check that you use the new ID, and not the ID of the original profile, in your commands. By default, it has "_customized" at the end. (It's possible to change it.)

For scanning with customization, oscap needs the path to the original datastream, a tailoring file, and the new profile ID. The correct command to scan would be, for example, this:

    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized --tailoring-file ssg-rhel7-ds-tailoring.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

(I have the tailoring file in the current working directory.)

For generating a customized fix script, again, oscap needs the path to the original datastream, a tailoring file, and the new profile ID. This should work:

    oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized --tailoring-file ssg-rhel7-ds-tailoring.xml --output script.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Bash is the default, so specifying --template is not needed. At least it works for me with OpenSCAP 1.2.13.

I hope this helped you a little.

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Greg Silverman (CS)" <[email protected]>
> To: [email protected]
> Sent: Thursday, March 16, 2017 10:15:36 PM
> Subject: [Open-scap] customizing remediation
>
> I am missing something when it comes to generating a customized fix script.
>
> 1. In SCAP Workbench I deselect rules I do not want.
> 2. I save the customization file.
> 3. When I scan with the customization file, it still reports evaluation
>    results on *some* of the rules I deselected.
> 4. When I create the remediation script, with oscap xccdf generate fix, it
>    generates a fix for the rules mentioned in 3.
>
> This is the command I run
>
> oscap xccdf generate fix --template urn:xccdf:fix:script:sh --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --output my-remediation-script.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds-tailoring.xml
>
> i.e., using the tailored xccdf file.
>
> What am I missing?
>
> Thanks,
>
> Greg Silverman
> Veritas Technologies
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
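
Added example, not part of the original thread and not code from the OpenSCAP project: a small Python helper that reads a tailoring file, lists each customized profile ID with the rules it deselects, and builds the two commands in the form given in the reply above. The embedded tailoring file is a constructed sample with placeholder rule IDs, and the function names are hypothetical.

```python
import shlex
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed sample tailoring file; the rule IDs are placeholders, not real rules.
SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:Profile
      id="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized"
      extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_placeholder_a" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_placeholder_b" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_placeholder_c" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>"""


def tailored_profiles(xml_text):
    """Return each profile a tailoring file defines, with the rules it deselects."""
    root = ET.fromstring(xml_text)
    if root.tag != XCCDF + "Tailoring":
        raise ValueError("not an XCCDF 1.2 tailoring file: " + root.tag)
    profiles = []
    for prof in root.iter(XCCDF + "Profile"):
        deselected = [s.get("idref") for s in prof.findall(XCCDF + "select")
                      if s.get("selected") == "false"]
        profiles.append({"id": prof.get("id"), "extends": prof.get("extends"),
                         "deselected": deselected})
    return profiles


def oscap_commands(profile_id, tailoring_path, datastream_path, script="script.sh"):
    """Build the scan and fix-generation command lines for a customized profile."""
    common = ["--profile", profile_id, "--tailoring-file", tailoring_path]
    scan = ["oscap", "xccdf", "eval"] + common + [datastream_path]
    fix = (["oscap", "xccdf", "generate", "fix"] + common
           + ["--output", script, datastream_path])
    return shlex.join(scan), shlex.join(fix)


if __name__ == "__main__":
    for p in tailored_profiles(SAMPLE_TAILORING):
        print(p["id"], "extends", p["extends"], "and deselects", p["deselected"])
        for cmd in oscap_commands(p["id"], "ssg-rhel7-ds-tailoring.xml",
                                  "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"):
            print(cmd)
```

The ID to pass to --profile is the "id" value reported here, while the datastream argument stays the original file and the tailoring file goes to --tailoring-file.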
