On 2/8/19 2:34 PM, Greg Silverman wrote:
Let me ask in a different way.
DISA published xml files
The zip's xml file contains a list of vulnerabilities for RHEL7, the Version 2
Release 2 (V2R2) selection of vulnerabilities. scap-security-guides versions
1.40+ contain a DISA profile and that profile contains the V1R4 list of
1. Can oscap v 1.2.17 consume the xml files at the DISA URL and evaluate a
DISA only publishes what's called XCCDF -- essentially, human-readable
prose. DISA does not publish any automation that would result in a
pass/fail configuration scan.
The most any SCAP tool could do with this content, including OpenSCAP,
would be to transform it from XML to HTML to ease reading:
$ oscap xccdf generate guide \
2. How do xml files like the ones at that URL get incorporated in a
scap-security-guide, as was done with the DISA V1R4 files?
Unfortunately DISA does not coordinate their content with DoD, NIST,
NSA, or even Red Hat. These parties only find out about DISA's content
when it's made publicly available.
And also unfortunately, DISA does not provide a changelog of what was
changed. That means someone needs to go through the DISA content and
compare it by hand. From there a series of tickets are opened to discuss
Once that ticket queue is resolved, the two bodies of content will be in
Open-scap-list mailing list