On 10/2/13 8:04 PM, Kordell, Luke T wrote:
Hi,
I double-checked to make sure I added the correct line to the guide.xslt
file but when I greped the ssg-rhel6=xccdf.xml file it did not return the usgcb
file. I wish I could pull the latest update and patches quickly but am unable
to do so with my RHEL machine at the moment.
If you do a 'git pull', or simply reclone, you'll notice the new profile
in there. It should make the next RPM release too.
Basically what I'm trying to do is find a good starting-point for a completely
customized profile that calls a particular set of rules I will define. I think
I need to conduct a little more research to make-sure I fully understand how to
use the scripts to generate OVAL content and how to create a profile. I think I
have the rule creation/adding part down. Can you point me in the right
direction?
As always thank you for the assistance!
Consider exploring the XCCDF "extends" option, as used in the STIG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/profiles/stig-rhel6-server.xml
Specifically:
|<Profile id="stig-rhel6-server" extends="common">|
The STIG inherits *everything* from the common profile, located here:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/profiles/common.xml
Once inherited, anything in the STIG profile takes precedence, allowing
for customization of things like password lengh, audit retention, etc.
If you wanted to change a refine value, such as maximum age of
passwords, simply use a refine-value tag:
|<refine-value idref="var_acounts_maximum_age_login_defs" selector="5"/>|
... which would change the value from the STIG (which is 180 days), to 5
in your custom profile
Or perhaps there's a STIG rule which you disagree with, disable it via
the selected operator:
|<select idref="password_require_uppercases" selected="false"/>|
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
