Let me ask in a different way. 

DISA published xml files with  
https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.zip.
 The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2 
Release 2 (V2R2) selection of vulnerabilities. scap-security-guides versions 
1.40+ contain a DISA profile and that profile contains the V1R4 list of 
vulnerabilities.

1. Can oscap v 1.2.17 consume the xml files at the DISA URL and evaluate a 
RHEL7 machine?
2. How do xml files like the ones at that URL get incorporated in a 
scap-security-guide, as was done with the DISA V1R4 files?

Thanks,

Greg

Message: 1
Date: Thu, 7 Feb 2019 12:32:31 -0500
From: Shawn Wells <sh...@redhat.com>
To: open-scap-list@redhat.com
Subject: Re: [Open-scap] Using profiles not distributed in
        scap-security-guide
Message-ID: <db9c5189-c6e4-bd30-4c79-cb24f353f...@redhat.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"


On 2/6/19 1:11 PM, Greg Silverman wrote:
>
> We want to use the DISA STIG for RHEL 7 V2R2 profile. The latest 
> scap-security-guide RPM has V1R4. How is a profile xml file consumed 
> by oscap?
>

Most use cases are covered in the RHEL documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_oscap

That said, has DISA started to publish OVAL for their content? Was under the 
impression they did not (only publish XCCDF).



_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Reply via email to