Let me ask in a different way. DISA published xml files with https://iasecontent.disa.mil/stigs/zip/U_Red_Hat_Enterprise_Linux_7_V2R2_STIG_SCAP_1-2_Benchmark.zip. The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2 Release 2 (V2R2) selection of vulnerabilities. scap-security-guides versions 1.40+ contain a DISA profile and that profile contains the V1R4 list of vulnerabilities.
1. Can oscap v 1.2.17 consume the xml files at the DISA URL and evaluate a RHEL7 machine? 2. How do xml files like the ones at that URL get incorporated in a scap-security-guide, as was done with the DISA V1R4 files? Thanks, Greg Message: 1 Date: Thu, 7 Feb 2019 12:32:31 -0500 From: Shawn Wells <sh...@redhat.com> To: email@example.com Subject: Re: [Open-scap] Using profiles not distributed in scap-security-guide Message-ID: <db9c5189-c6e4-bd30-4c79-cb24f353f...@redhat.com> Content-Type: text/plain; charset="windows-1252"; Format="flowed" On 2/6/19 1:11 PM, Greg Silverman wrote: > > We want to use the DISA STIG for RHEL 7 V2R2 profile. The latest > scap-security-guide RPM has V1R4. How is a profile xml file consumed > by oscap? > Most use cases are covered in the RHEL documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_oscap That said, has DISA started to publish OVAL for their content? Was under the impression they did not (only publish XCCDF). _______________________________________________ Open-scap-list mailing list Openfirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/open-scap-list