Hi Bruno,

to get the output working, both the scap-security-guide
(ComplianceAsCode) and the OpenSCAP tool oscap need to use the same
reference, so that the DISA STIG Viewer output uses the correct link
to the official RHEL7 STIG.

Just have a look at the ssg-rhel7-ds.xml file. The first STIG reference
can be found is the "Disable KDump Kernel Crash Analyzer (kdump)" rule.

<ns10:reference 
href="https://public.cyber.mil/stigs/srg-stig-tools/";>SV-86681r2_rule</ns10:reference>

The identifier for oscap is the used URI and the pointer to the official
STIG is the Rule ID: SV-86681r2_rule.

For me it looks like the used openscap version still uses the old URI.
You can test this by replacing the public.cyber.mil URI with the old
link pointing to iase.disa.mil.

NEW: https://public.cyber.mil/stigs/srg-stig-tools/ 
OLD: http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

A simple 'sed' substitution command should be sufficient.


Regards,
Alex~

On Fri, Oct 25, 2019 at 08:13:34PM +0000, Bruno Czenczelewski wrote:
> Hi Alex,
> 
> I'm new to this process, so please bear with me. I downloaded 
> 'scap-security-guide-0.1.46.zip' from ComplianceAsCode and used the following 
> command to run the scan:
> sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig 
> --stig-viewer guide-0.1.46_ssg-rhel7-ds_stig-results.xml --report 
> guide-0.1.46_ssg-rhel7-ds_stig-report.xml 
> scap-security-guide-0.1.46/ssg-rhel7-ds.xml
> 
> 
> Output of 'oscap info ssg-rhel7-ds-1.2.xml':
> 
> Document type: Source Data Stream
> Imported: 2019-09-02T07:20:20
> 
> Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
> Generated: (null)
> Version: 1.2
> Checklists:
>         Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
>                 Status: draft
>                 Generated: 2019-09-02
>                 Resolved: true
>                 Profiles:
>                         Title: DRAFT - ANSSI DAT-NT28 (enhanced)
>                                 Id: 
> xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced
>                         Title: DRAFT - ANSSI DAT-NT28 (high)
>                                 Id: 
> xccdf_org.ssgproject.content_profile_anssi_nt28_high
>                         Title: DRAFT - ANSSI DAT-NT28 (intermediary)
>                                 Id: 
> xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary
>                         Title: DRAFT - ANSSI DAT-NT28 (minimal)
>                                 Id: 
> xccdf_org.ssgproject.content_profile_anssi_nt28_minimal
>                         Title: Unclassified Information in Non-federal 
> Information Systems and Organizations (NIST 800-171)
>                                 Id: xccdf_org.ssgproject.content_profile_cui
>                         Title: PCI-DSS v3.2.1 Control Baseline for Red Hat 
> Enterprise Linux 7
>                                 Id: 
> xccdf_org.ssgproject.content_profile_pci-dss
>                         Title: Standard System Security Profile for Red Hat 
> Enterprise Linux 7
>                                 Id: 
> xccdf_org.ssgproject.content_profile_standard
>                         Title: C2S for Red Hat Enterprise Linux 7
>                                 Id: xccdf_org.ssgproject.content_profile_C2S
>                         Title: Criminal Justice Information Services (CJIS) 
> Security Policy
>                                 Id: xccdf_org.ssgproject.content_profile_cjis
>                         Title: Red Hat Corporate Profile for Certified Cloud 
> Providers (RH CCP)
>                                 Id: 
> xccdf_org.ssgproject.content_profile_rht-ccp
>                         Title: Health Insurance Portability and 
> Accountability Act (HIPAA)
>                                 Id: xccdf_org.ssgproject.content_profile_hipaa
>                         Title: VPP - Protection Profile for Virtualization v. 
> 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)
>                                 Id: 
> xccdf_org.ssgproject.content_profile_rhelh-vpp
>                         Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 
> Virtualization Host (RHELH)
>                                 Id: 
> xccdf_org.ssgproject.content_profile_rhelh-stig
>                         Title: DISA STIG for Red Hat Enterprise Linux 7
>                                 Id: xccdf_org.ssgproject.content_profile_stig
>                         Title: NIST National Checklist Program Security Guide
>                                 Id: xccdf_org.ssgproject.content_profile_ncp
>                         Title: OSPP - Protection Profile for General Purpose 
> Operating Systems v4.2.1
>                                 Id: xccdf_org.ssgproject.content_profile_ospp
>                 Referenced check files:
>                         ssg-rhel7-oval.xml
>                                 system: 
> http://oval.mitre.org/XMLSchema/oval-definitions-5
>                         ssg-rhel7-ocil.xml
>                                 system: http://scap.nist.gov/schema/ocil/2
>                         
> https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml
>                                 system: 
> http://oval.mitre.org/XMLSchema/oval-definitions-5
>         Ref-Id: scap_org.open-scap_cref_ssg-rhel7-pcidss-xccdf-1.2.xml
>                 Status: draft
>                 Generated: 2019-09-02
>                 Resolved: true
>                 Profiles:
>                         Title: PCI-DSS v3.2.1 Control Baseline for Red Hat 
> Enterprise Linux 7
>                                 Id: 
> xccdf_org.ssgproject.content_profile_pci-dss_centric
>                 Referenced check files:
>                         ssg-rhel7-oval.xml
>                                 system: 
> http://oval.mitre.org/XMLSchema/oval-definitions-5
>                         ssg-rhel7-ocil.xml
>                                 system: http://scap.nist.gov/schema/ocil/2
>                         
> https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml
>                                 system: 
> http://oval.mitre.org/XMLSchema/oval-definitions-5
> Checks:
>         Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml
>         Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml
>         Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml
>         Ref-Id: scap_org.open-scap_cref_ssg-rhel7-oval.xml000
>         Ref-Id: scap_org.open-scap_cref_ssg-rhel7-ocil.xml000
> Dictionaries:
>         Ref-Id: scap_org.open-scap_cref_ssg-rhel7-cpe-dictionary.xml
> 
> 
> 
> 
> 
> Bruno Czenczelewski
> 
> br...@fibermountain.com
> 352 Knotter Drive
> Cheshire, CT06410
> www.fibermountain.com
> P. (203) 806-4040
> C. (203) 806-4040
> F. (845) 358-7882
> 
> Disclaimer: The information contained in this communication is confidential, 
> may be privileged and is intended for the exclusive use of the above named 
> addressee(s). If you are not the intended recipient(s), you are expressly 
> prohibited from copying, distributing, disseminating, or in any other way 
> using any information contained within this communication. If you have 
> received this communication in error, please contact the sender by telephone 
> or by response via mail. We have taken precautions to minimize the risk of 
> transmitting software viruses, but we advise you to carry out your own virus 
> checks on this message, as well as any attachments. We cannot accept 
> liability for any loss or damage caused by software viruses.
> 
> -----Original Message-----
> From: Alexander Bergmann
> Sent: Friday, October 25, 2019 9:36 AM
> To: Bruno Czenczelewski <br...@fibermountain.com>
> Cc: open-scap-list@redhat.com
> Subject: Re: [Open-scap] stig-viewer
> 
> External Email

-- 
Alexander Bergmann <abergm...@suse.com>
Security Engineer, GPG: E30A 65A4 0F50 0066 B2B5  F614 DE54 E875 9FFA 4886
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nuremberg, Germany
(HRB 36809, AG N├╝rnberg)
Managing Director: Felix Imend├Ârffer

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Reply via email to