Hi Greg,

On 17/03/17 21:06, Greg Silverman (CS) wrote:
Still having problems, the generated script is an empty file.

Here is the tailoring file I created, ssg-rhel7-ds-tailoring.xml, with the 
workbench. It is just an example, to verify I can customize the scanning and 
fix generation. This tailoring should *not* check for install AIDE, and, it 
should be sure to check for FIPS compliance, and, if possible, fix that:

<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" 
id="xccdf_scap-workbench_tailoring_default">
   <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
   <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
   <xccdf:Profile id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized" 
extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
     <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" 
override="true">STIG for Red Hat Enterprise Linux 7 Server [CUSTOMIZED]</xccdf:title>
     <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" 
override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus 
model to become a STIG in coordination with DISA FSO.</xccdf:description>
     <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" 
selected="false"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_rule_aide_build_database" 
selected="false"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" 
selected="false"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_group_aide" 
selected="false"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_group_remediation_functions" 
selected="true"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_group_fips" 
selected="true"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed" 
selected="true"/>
     <xccdf:select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" 
selected="true"/>
   </xccdf:Profile>
</xccdf:Tailoring>

I ran this command

oscap xccdf generate fix --profile \
    xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized \
    --tailoring-file ssg-rhel7-ds-tailoring.xml --output script.sh \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

The script.sh file is created, there is no error, but, the file is empty. Why???

Could you please check the version of OpenSCAP you are using?

I have tested your customization and command with OpenSCAP version 1.2.10, and the remediation script is generated empty, but with version 1.2.13, the latest upstream, the remediation script is ok.


--
Watson Sato
Security Technologies | Red Hat, Inc

_______________________________________________
Open-scap-list mailing list
https://www.redhat.com/mailman/listinfo/open-scap-list
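
Added example (not part of the original thread and not OpenSCAP project code): a wrapper for the command above that refuses to run on an oscap older than 1.2.13, the version reported working in the reply, and fails when the generated fix script contains no commands. The function names and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: guard around `oscap xccdf generate fix`.
# 1.2.13 is the version the reply reports as working; 1.2.10 is reported
# as producing an empty script. Versions in between are not covered there.
MIN_VERSION="1.2.13"

# Extract "X.Y.Z" from the first line of `oscap --version` output,
# e.g. "OpenSCAP command line tool (oscap) 1.2.10".
parse_oscap_version() {
    printf '%s\n' "$1" | sed -n '1s/.*(oscap) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2, comparing fields numerically.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Return 0 only if the file has at least one line that is neither blank
# nor a comment, so a header-only script also counts as empty.
fix_script_has_content() {
    [ -s "$1" ] && grep -Eqv '^[[:space:]]*(#.*)?$' "$1"
}

# Run the generation with both checks applied.
# Args: profile-id tailoring-file datastream output-script
generate_fix_checked() {
    ver=$(parse_oscap_version "$(oscap --version 2>/dev/null)")
    if [ -z "$ver" ] || ! version_ge "$ver" "$MIN_VERSION"; then
        echo "oscap ${ver:-not found}: need >= $MIN_VERSION" >&2
        return 2
    fi
    oscap xccdf generate fix --profile "$1" --tailoring-file "$2" \
        --output "$4" "$3" || return 1
    fix_script_has_content "$4" || {
        echo "generated $4 has no remediation commands" >&2
        return 3
    }
}

if [ "$#" -eq 4 ]; then generate_fix_checked "$@"; fi
```
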