On 9/18/14, 5:31 AM, Chen, Wei (Contractor)(CFPB) wrote:
> "A profile is just a statement about a set of controls: a collection of
> controls plus variable settings."
>
> That brings up another important point regarding the controls. How would one
> configure the organization-defined values and feed them to the benchmark?
> Obviously, if the profiles are meant to be generic, the values can't be
> hardcoded in the OVAL file. You can set up the benchmark like USGCB content
> that allows default values to be overridden with external variables, but it
> is not as straightforward as one would like. Perhaps another shorthand XML
> that takes in organizational values, or simply rebuild the SSG content with
> custom values?
There are certainly those that clone SSG and rebuild RPMs for distributing on their networks. I think this is largely an artifact of when SSG wasn't shipping natively in RHEL, and a practice that most certainly came about before SCAP Workbench was developed.

Check out SCAP Workbench. It provides a GUI tool to tailor your source content (e.g. SSG) and then refine selected rules and values.

--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
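As an added illustration (not part of the thread and not SSG project content), this is the shape of the XCCDF 1.2 tailoring file that SCAP Workbench writes when you extend a shipped SSG profile and override one of its values, which is how organization-defined values reach the benchmark without rebuilding the content; the benchmark path, the parent profile and the rule/value identifiers are assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustrative tailoring file; every identifier and path below is
     assumed, not taken from the thread. The shipped SSG data stream stays
     untouched; this file carries only the organization's own selections
     and value overrides and is applied at scan time. -->
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_tailoring_default">
  <!-- Reference to the unmodified benchmark (assumed path of an SSG data stream) -->
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2014-09-18T00:00:00">1</xccdf:version>

  <!-- The tailored profile inherits all selections and values of the SSG
       profile it extends, then applies the changes listed here on top -->
  <xccdf:Profile id="xccdf_org.example_profile_custom"
                 extends="xccdf_org.ssgproject.content_profile_common">
    <xccdf:title>Example organization baseline (assumed)</xccdf:title>
    <xccdf:description>SSG common profile with organization-defined values.</xccdf:description>

    <!-- Make sure the rule whose value we override is selected -->
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs"
                  selected="true"/>

    <!-- Override the default of the XCCDF Value that the rule's OVAL check
         reads through an external variable; the OVAL file is not edited -->
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs">15</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
```

Evaluate with `oscap xccdf eval --tailoring-file tailoring.xml --profile xccdf_org.example_profile_custom /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml`; the override is applied at scan time, so the same SSG RPM can be used unchanged across systems with different organizational values.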