I'm attempting to run openscap and I was looking for some assistance for
customizing a security guide.

I would like to disable options from the rhel7-stig-disa security guide.
For example, we do not allow ssh to our image and therefore would like to
disable the check to install the screen package.

I followed the instructions here:
https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/

This allowed me to capture the customized tailoring-file.  With this file I
attempted to scan our image with the following command:

oscap xccdf eval   --profile stig-rhel7-disa  \
 --results /tmp/scap-results.xml \
 --report /tmp/scap-report.html \
 --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
 --oval-results --fetch-remote-resources  \
 --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

I admit that I am new to openscap and I'm not sure I understand each of the
options here but when viewing the results I continue to see that the screen
check fails.  Is this behavior expected?

Here is the option in my tailoring-file:
    <xccdf:select
idref="xccdf_org.ssgproject.content_rule_package_screen_installed"
selected="false"/>

I would appreciate some assistance or some explanation of how to achieve a
customized security guide.

Thanks,
kenny
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Reply via email to