On 9/5/17 4:38 AM, Wesley Ceraso Prudencio wrote:
> I'm not an expert, but if I got it right, we currently cover approximately 
> 85% of STIG rules for RHEL7 and 23% for RHEL6.

Something seems off....

In RHEL6, the STIG profile extends the common profile:
> $ head -1 stig-rhel6-server-upstream.xml
> <Profile id="stig-rhel6-server-upstream" extends="common">

So, adding in rules from 'common' and STIG profiles:
> $ grep -v '<!' common.xml | grep true  | wc -l
> 182
>
> $ grep -v '<!' stig-rhel6-* | grep true | wc -l
> 68

Then subtracting things that are turned off:
> $ grep false stig-rhel6-* | wc -l
> 4

= 246 rules.

Then compared to RHEL6 STIG from DISA:
> $ grep "<Rule" U_RedHat_6_STIG_V1R16_Manual-xccdf.xml | wc -l
> 259

246 / 259 = 95%

Some gaps are expected (e.g. update 3rd party patches, install 3rd party
software), so we'll never have 100% until baseline owners drop such
rules. This is common across most third parties (e.g. CIS), not just DISA.

..... now.... ensuring the content of the selected rules aligns between
DISA and SSG is another question :)


_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
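The rule counting done above with grep, redone as an added example that is not from the thread or the SSG project: a short Python script that parses XCCDF profiles, follows `extends`, lets a child's selected="false" turn a parent rule off, ignores commented-out selects, and counts the `<Rule>` elements in a DISA benchmark. The XML snippets are constructed stand-ins, not the real SSG or DISA files.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for common.xml plus stig-rhel6-server-upstream.xml.
SSG_PROFILES = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Profile id="common">
    <select idref="rule_a" selected="true"/>
    <select idref="rule_b" selected="true"/>
    <select idref="rule_c" selected="true"/>
  </Profile>
  <Profile id="stig-rhel6-server-upstream" extends="common">
    <!-- <select idref="rule_x" selected="true"/> commented out: must not count -->
    <select idref="rule_d" selected="true"/>
    <select idref="rule_b" selected="false"/>
  </Profile>
</Benchmark>"""

# Constructed stand-in for the DISA manual XCCDF (rules nested inside groups).
DISA_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Group id="g1"><Rule id="SV-1"/><Rule id="SV-2"/></Group>
  <Group id="g2"><Rule id="SV-3"/><Rule id="SV-4"/></Group>
</Benchmark>"""

def local(tag):
    """Strip the namespace so XCCDF 1.1 and 1.2 documents are handled alike."""
    return tag.rsplit('}', 1)[-1]

def selected_rules(xml_text, profile_id):
    """Rule ids selected by profile_id: parents (extends) first, child overrides."""
    root = ET.fromstring(xml_text)  # ElementTree drops XML comments, unlike grep
    profiles = {p.get('id'): p for p in root.iter() if local(p.tag) == 'Profile'}
    chain, pid = [], profile_id
    while pid:                      # walk the extends chain, root profile first
        chain.insert(0, profiles[pid])
        pid = profiles[pid].get('extends')
    chosen = set()
    for prof in chain:
        for sel in prof:
            if local(sel.tag) != 'select':
                continue
            if sel.get('selected') == 'true':
                chosen.add(sel.get('idref'))
            else:
                chosen.discard(sel.get('idref'))
    return chosen

def count_rules(xml_text):
    """Number of <Rule> elements in a benchmark, at any nesting depth."""
    return sum(1 for e in ET.fromstring(xml_text).iter() if local(e.tag) == 'Rule')

def coverage_pct(selected, total):
    return round(100.0 * selected / total, 1)
```

Run against the real files by reading them into `SSG_PROFILES` and `DISA_BENCHMARK`; as in the thread, a matching count says nothing about whether the selected rules check the same things.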
