Great! I noticed that the stig profile also refines values inherited from the common profile. Thank you again for the help. Once I begin developing my own profile I will share any major modifications or creations.
Luke Kordell
________________________________________
From: [email protected] [[email protected]] on behalf of Shawn Wells [[email protected]]
Sent: Wednesday, October 02, 2013 8:22 PM
To: [email protected]
Subject: Re: EXTERNAL: Re: scan question

On 10/2/13 8:04 PM, Kordell, Luke T wrote:
> Hi,
>
> I double-checked to make sure I added the correct line to the guide.xslt file but when I grepped the ssg-rhel6-xccdf.xml file it did not return the usgcb file. I wish I could pull the latest update and patches quickly but am unable to do so with my RHEL machine at the moment.

If you do a 'git pull', or simply reclone, you'll notice the new profile in there. It should make the next RPM release too.

> Basically what I'm trying to do is find a good starting-point for a completely customized profile that calls a particular set of rules I will define. I think I need to conduct a little more research to make sure I fully understand how to use the scripts to generate OVAL content and how to create a profile. I think I have the rule creation/adding part down.
>
> Can you point me in the right direction? As always thank you for the assistance!

Consider exploring the XCCDF "extends" option, as used in the STIG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/profiles/stig-rhel6-server.xml

Specifically:

    <Profile id="stig-rhel6-server" extends="common">

The STIG inherits *everything* from the common profile, located here:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/profiles/common.xml

Once inherited, anything in the STIG profile takes precedence, allowing for customization of things like password length, audit retention, etc.

If you wanted to change a refine value, such as maximum age of passwords, simply use a refine-value tag:

    <refine-value idref="var_accounts_maximum_age_login_defs" selector="5"/>
    ...
which would change the value from the STIG (which is 180 days) to 5 in your custom profile.

Or perhaps there's a STIG rule which you disagree with, disable it via the selected operator:

    <select idref="password_require_uppercases" selected="false"/>
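
Added example, not part of the original thread or of scap-security-guide's own tooling: a small resolver that walks the XCCDF `extends` chain and reports the effective `select` and `refine-value` settings, so a custom profile's overrides can be checked before a scan. The `custom-server` profile, the `common` selector and the cut-down `<Benchmark>` input are assumptions made for illustration; other profile children (such as `set-value` or `refine-rule`) are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: a cut-down, namespace-free profile set.
# "custom-server" and the "60" selector are made up for illustration;
# the other ids and values follow the examples quoted in the thread.
SAMPLE = """
<Benchmark>
  <Profile id="common">
    <select idref="password_require_uppercases" selected="true"/>
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="60"/>
  </Profile>
  <Profile id="stig-rhel6-server" extends="common">
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="180"/>
  </Profile>
  <Profile id="custom-server" extends="stig-rhel6-server">
    <select idref="password_require_uppercases" selected="false"/>
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="5"/>
  </Profile>
</Benchmark>
"""

def local(tag):
    """Strip an XML namespace so namespaced XCCDF files also work."""
    return tag.rsplit("}", 1)[-1]

def resolve(root, profile_id):
    """Return (selections, refinements) for a profile after applying extends."""
    profiles = {p.get("id"): p for p in root.iter() if local(p.tag) == "Profile"}
    chain, seen, current = [], set(), profile_id
    while current is not None:
        if current in seen:
            raise ValueError(f"circular extends at {current!r}")
        if current not in profiles:
            raise KeyError(f"unknown profile {current!r}")
        seen.add(current)
        chain.append(profiles[current])
        current = profiles[current].get("extends")
    selections, refinements = {}, {}
    for prof in reversed(chain):  # base profile first, so children override
        for el in prof:
            if local(el.tag) == "select":
                selections[el.get("idref")] = el.get("selected") in ("true", "1")
            elif local(el.tag) == "refine-value":
                refinements[el.get("idref")] = el.get("selector")
    return selections, refinements

ROOT = ET.fromstring(SAMPLE)
if __name__ == "__main__":
    print(resolve(ROOT, "custom-server"))
```
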
