Let me ask in a different way. 

DISA published xml files with  
 The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2 
Release 2 (V2R2) selection of vulnerabilities. scap-security-guides versions 
1.40+ contain a DISA profile and that profile contains the V1R4 list of 

1. Can oscap v 1.2.17 consume the xml files at the DISA URL and evaluate a 
RHEL7 machine?
2. How do xml files like the ones at that URL get incorporated in a 
scap-security-guide, as was done with the DISA V1R4 files?



Message: 1
Date: Thu, 7 Feb 2019 12:32:31 -0500
From: Shawn Wells <sh...@redhat.com>
To: open-scap-list@redhat.com
Subject: Re: [Open-scap] Using profiles not distributed in
Message-ID: <db9c5189-c6e4-bd30-4c79-cb24f353f...@redhat.com>

On 2/6/19 1:11 PM, Greg Silverman wrote:
> We want to use the DISA STIG for RHEL 7 V2R2 profile. The latest 
> scap-security-guide RPM has V1R4. How is a profile xml file consumed 
> by oscap?

Most use cases are covered in the RHEL documentation:

That said, has DISA started to publish OVAL for their content? Was under the 
impression they did not (only publish XCCDF).

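The reply's question, whether a benchmark ships OVAL or only XCCDF, can be checked directly on a downloaded file. This is an added example, not code from the thread or from the OpenSCAP project; the sample benchmark, its rule ids and the `classify_rules` name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Check-system URI that marks an OVAL-backed (machine-evaluable) check.
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
XCCDF_NAMESPACES = (
    "http://checklists.nist.gov/xccdf/1.1",
    "http://checklists.nist.gov/xccdf/1.2",
)

# Constructed sample (not DISA content): one OVAL-backed rule, one prose-only rule.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Group id="G-1">
    <Rule id="rule_automated">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="sample-oval.xml" name="oval:sample:def:1"/>
      </check>
    </Rule>
  </Group>
  <Group id="G-2">
    <Rule id="rule_manual">
      <check system="C-0000_chk">
        <check-content>Verify the setting by hand.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>"""

def classify_rules(xccdf_text):
    """Split the Rules of an XCCDF benchmark into OVAL-backed and everything else."""
    root = ET.fromstring(xccdf_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns not in XCCDF_NAMESPACES:
        raise ValueError(f"not an XCCDF 1.1/1.2 benchmark: {root.tag}")
    q = lambda name: f"{{{ns}}}{name}"
    result = {"oval": [], "other": [], "oval_files": set()}
    for rule in root.iter(q("Rule")):
        # hrefs of the OVAL files this rule's checks point at
        oval_refs = [ref.get("href")
                     for chk in rule.iter(q("check"))
                     if chk.get("system") == OVAL_SYSTEM
                     for ref in chk.iter(q("check-content-ref"))]
        result["oval" if oval_refs else "other"].append(rule.get("id"))
        result["oval_files"].update(h for h in oval_refs if h)
    return result

if __name__ == "__main__":
    report = classify_rules(SAMPLE)
    print("OVAL-backed rules:", report["oval"])
    print("Rules without an OVAL check:", report["other"])
    print("OVAL files that must ship alongside:", sorted(report["oval_files"]))
```

Files listed under `oval_files` have to be present next to the benchmark for those rules to be evaluated.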