Marek,

Thank you for your reply. While I understand how it can be difficult to compare between versions, I've found it very useful to do so. I've written a very rough hack (as in, one step better than a stone axe) that will compare multiple profile/content pairs, and/or customizations. This includes trying to apply one customization to a more recent profile/content. It basically loops over the rules, showing where any of the input files 'differ'. It isn't perfect, but it does help highlight places where things have issues. If my management allows, I may make this available to the community.

I have seen the issue regarding updating a tailoring file. I'd actually gotten to the point of manually tweaking my tailoring file as I need to make changes, using an 'expendable' tailoring file to get the new lines. Do you know if this is on the list of things to be fixed at some point?

Sincerely,
Rob Sanders

Robert Sanders
Sr. Secure Systems Engineer
FORCEPOINT
T +1.703.896.4762
F +1.703.318.5041
www.forcepoint.com
FORWARD WITHOUT FEAR

________________________________________
From: Marek Haicman [[email protected]]
Sent: Friday, June 01, 2018 3:19 PM
To: [email protected]
Cc: Robert Sanders
Subject: EXTERNAL: Re: [Open-scap] SCAP customizations and OS migrations

Hello Robert,

I don't have good news for you, unfortunately. Migration of customizations between releases is tricky. As the customization is in the form of a diff, if you change the base, it can have unforeseen consequences, mostly in the form of new rules (added to the base) or new variables, where in the old version the rule had the value hardcoded. We also do not guarantee the rule ids won't change between versions, even though it shouldn't happen often.

I am not aware of any tool to compare profiles. Personally, I'd just scan some machine with both versions using --progress to generate results as one-liners, and do a diff of these results...

What you have noticed, the increased amount of items in a new save of the customization, is a known bug: https://github.com/OpenSCAP/scap-workbench/issues/139

So all considered, I would probably suggest customizing anew.

If I may - can you write improvement ideas to our issue tracker? https://github.com/OpenSCAP/scap-workbench/issues

Thanks,
Marek

On 05/17/2018 08:07 PM, Robert Sanders wrote:
> Hello all,
>
> Short version: What are best practices/guidance/suggestions for keeping a customization file while upgrading between OS releases? This also gets down to determining what has changed between versions.
>
> Long version: We generated our own customization against the RHEL7.3 'STIG for Red Hat Enterprise Linux 7 Server' profile, and are now migrating to RHEL7.5, which provides the 'DISA STIG FOR Red Hat Enterprise Linux 7' profile instead. What is involved in having our 7.3 customization file imported correctly and applied to the default profile, and is there any way to show a delta between the RHEL7.3 profile and the RHEL7.5 profile, with or without (preferably with) our customizations?
>
> Initially on our RHEL7.5 box I tried to invoke 'scap-workbench OurCustomizationFile.xml', but that resulted in no rules being displayed (and no warnings/errors either, for that matter). This is when I discovered that RHEL7.3 and RHEL7.5 had different profiles. I wound up editing our customization file to refer to the RHEL7.5 profile name instead of the RHEL7.3 name, which appears to work. I did notice that when I save just the customizations again there were substantially more things in that file than were in the original customizations. Mostly selected rules and such, but also default values. I *think* all of our mods were preserved (still digging through), but wondered about the other new values.
>
> And as for the last question above - is there a way to compare 'profiles' (with or without customization) to see the differences between them? Or even load a base profile and have the customizations highlighted?
>
> -Rob
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
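As an added example (not Rob's script and not code from the scap-workbench project), the following Python sketch does the kind of comparison the thread describes, over small XCCDF fragments constructed inline with placeholder profile/rule ids (not real SSG identifiers): it lists the rules whose selection differs between two base profiles, and flags the two ways an old tailoring breaks against a new base that the thread mentions: an `extends` naming a profile the new base no longer has (so no rules are displayed) and idrefs to rules or values that were dropped.

```python
import xml.etree.ElementTree as ET

# Sample XCCDF fragments, constructed for this example; ids are placeholders,
# not the real SSG rule/profile identifiers.
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
OLD_BASE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="profile_old"><select idref="rule_a" selected="true"/>
  <select idref="rule_b" selected="true"/></Profile>
  <Rule id="rule_a"/><Rule id="rule_b"/></Benchmark>"""
NEW_BASE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="profile_new"><select idref="rule_a" selected="true"/>
  <select idref="rule_c" selected="true"/>
  <refine-value idref="var_c" selector="strict"/></Profile>
  <Rule id="rule_a"/><Rule id="rule_c"/><Value id="var_c"/></Benchmark>"""
# Tailoring written against the old base: it extends the old profile id and
# disables rule_b, which the new base no longer contains.
TAILORING = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="profile_custom" extends="profile_old">
  <select idref="rule_b" selected="false"/>
  <select idref="rule_a" selected="false"/></Profile></Tailoring>"""

def selected_rules(benchmark_xml, profile_id):
    """Rule ids a profile selects; <select> without selected= defaults to true."""
    prof = ET.fromstring(benchmark_xml).find(f"x:Profile[@id='{profile_id}']", NS)
    if prof is None:
        raise ValueError(f"profile {profile_id} not found in benchmark")
    return {s.get("idref") for s in prof.findall("x:select", NS)
            if s.get("selected", "true") == "true"}

def item_ids(benchmark_xml):
    """All Rule and Value ids in a benchmark, i.e. what a tailoring may refer to."""
    root = ET.fromstring(benchmark_xml)
    return {e.get("id") for tag in ("Rule", "Value")
            for e in root.iter(f"{{{NS['x']}}}{tag}")}

def migration_report(old_xml, old_profile, new_xml, new_profile, tailoring_xml):
    """Selection changes between the base profiles, plus tailoring breakage
    against the new base: an 'extends' naming a profile the new base lacks,
    or idrefs to rules/values that no longer exist there."""
    old_sel = selected_rules(old_xml, old_profile)
    new_sel = selected_rules(new_xml, new_profile)
    tprof = ET.fromstring(tailoring_xml).find("x:Profile", NS)
    new_profiles = {p.get("id") for p in ET.fromstring(new_xml).findall("x:Profile", NS)}
    refs = {e.get("idref") for e in tprof if e.get("idref")}
    return {
        "added_in_new": sorted(new_sel - old_sel),
        "dropped_in_new": sorted(old_sel - new_sel),
        "extends_missing": tprof.get("extends") not in new_profiles,
        "dangling_idrefs": sorted(refs - item_ids(new_xml)),
    }
```

Against real content, point the three strings at the old and new SSG datastreams and your tailoring file, and treat a non-empty `dangling_idrefs` or `extends_missing` as the list of edits the tailoring needs before it can be applied to the new release.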
