Thanks for the reply Jan. Comments in-line.

On Mon, Jul 8, 2019 at 3:21 AM Jan Cerny <jce...@redhat.com> wrote:

> Hi,
>
> You need to pass the ID of the customized profile in --profile instead
> of the ID of the original profile.
>
> The ID of the customized profile is the ID that Workbench prompted you
> when you clicked on "Customize" button.
> By default it's stig-rhel7-disa_customized. You can check by opening
> the tailoring file in a text editor and checking "id" attribute of the
> "Profile" element.
>

I updated the profile id and the same result entailed. What solved this issue for me was adding the profile id as well as updating the source security guide from /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml to /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

This allowed my tailoring-file to correctly be applied.

Thanks for the help.

> Regards
>
> On Thu, Jul 4, 2019 at 4:19 PM Kenny Woodson <kwood...@redhat.com> wrote:
> >
> > I'm attempting to run openscap and I was looking for some assistance for customizing a security guide.
> >
> > I would like to disable options from the rhel7-stig-disa security guide. For example, we do not allow ssh to our image and therefore would like to disable the check to install the screen package.
> >
> > I followed the instructions here:
> > https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
> >
> > This allowed me to capture the customized tailoring-file. With this file I attempted to scan our image with the following command:
> >
> > oscap xccdf eval --profile stig-rhel7-disa \
> >   --results /tmp/scap-results.xml \
> >   --report /tmp/scap-report.html \
> >   --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
> >   --oval-results --fetch-remote-resources \
> >   --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
> >
> > I admit that I am new to openscap and I'm not sure I understand each of the options here but when viewing the results I continue to see that the screen check fails. Is this behavior expected?
> >
> > Here is the option in my tailoring-file:
> > <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false"/>
> >
> > I would appreciate some assistance or some explanation of how to achieve a customized security guide.
> >
> > Thanks,
> > kenny
> > _______________________________________________
> > Open-scap-list mailing list
> > Open-scap-list@redhat.com
> > https://www.redhat.com/mailman/listinfo/open-scap-list
>
> --
> Jan Černý
> Security Technologies | Red Hat, Inc.
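The check Jan describes (the "id" attribute of the "Profile" element) and the source-file change Kenny reports can both be scripted before running a scan. The following is an added example, not code from this thread or from the OpenSCAP project: the sample tailoring file is constructed, the function names are hypothetical, and it assumes the tailoring file's benchmark href names the source file the tailoring was created from.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample tailoring file (not from the thread); ids and paths
# reuse the names mentioned in the messages above.
SAMPLE_TAILORING = """\
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2019-07-04T16:00:00">1</xccdf:version>
  <xccdf:Profile id="stig-rhel7-disa_customized" extends="stig-rhel7-disa">
    <xccdf:title>Customized DISA STIG (sample)</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def local(tag):
    """Element name without its XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def read_tailoring(xml_text):
    """Return the benchmark href and, per Profile id, its parent and deselected rules."""
    info = {"benchmark": None, "profiles": {}}
    for el in ET.fromstring(xml_text):
        if local(el.tag) == "benchmark":
            info["benchmark"] = el.get("href")
        elif local(el.tag) == "Profile":
            off = [s.get("idref") for s in el
                   if local(s.tag) == "select" and s.get("selected") == "false"]
            info["profiles"][el.get("id")] = {"extends": el.get("extends"), "deselected": off}
    return info

def check_invocation(xml_text, profile, source):
    """List mismatches between the --profile/source arguments and the tailoring file."""
    info = read_tailoring(xml_text)
    problems = []
    if profile not in info["profiles"]:
        parents = {p["extends"] for p in info["profiles"].values()}
        hint = " (it is the profile being extended)" if profile in parents else ""
        problems.append(f"--profile {profile} is not defined in the tailoring file{hint}; "
                        f"defined: {', '.join(sorted(info['profiles']))}")
    # Assumption: the benchmark href names the file the tailoring was created from.
    href = info["benchmark"]
    if href and os.path.basename(href) != os.path.basename(source):
        problems.append(f"tailoring file references {href}, not {source}")
    return problems

if __name__ == "__main__":
    for line in check_invocation(SAMPLE_TAILORING, "stig-rhel7-disa",
                                 "/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml"):
        print("WARNING:", line)
```

Run against the arguments from the original command, the sample reports both the profile id and the source file; with stig-rhel7-disa_customized and ssg-rhel7-ds.xml it reports nothing.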