Hello, I thought it would be useful to generate an "all_rules" profile to help us in the requirements-gathering phase of a profile development. To create this profile I grepped the .xml files contained in the system and services directories for "Rule id=" and used the output to create an all_rules profile. The all_rules profile and CS2 profile list 388 rules while the STIG lists 389. I expected the all_rules profile to have more rules than either since it should contain at least all the rules called by both CS2 and the STIG. Are there rules in other directories, or am I missing something else?
I have been comparing SECSCN output to the STIG and CS2 profiles and thus-far it has raised a couple questions. First SECSCN lists the bash commands it uses to gather its results and lists the exact reasons for a failed test. Are there plans to include this capability in the future or would this be handled by a scanning automation tool like oscap? What component of SCAP and/or OVAL is linked to bash? Is it possible to get access to this underlying source-code for modification purposes? Luke K _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
