On 10/4/16 4:51 PM, Olivier BONHOMME wrote: > Le 04/10/2016 à 16:26, Gabe Alford a écrit : >> > Hello, >> > >> > Both the DISA SRGs and STIGIDs are added to the applicable RHEL/7 content. >> > You can verify this by either `grep -rni 'stigid\|srg' >> > RHEL/7/input/xccdf`, or `grep 'SRG\|RHEL-07' ssg-rhel7-xccdf.xml` >> > Also, when a report is generated with the oscap --report option, the SRG >> > and STIGID identifiers can be viewed in the report. >> > >> > Gabe > Hello Gabe, > > Thanks for your answer. So I tried to write a little script which takes > the XCCDF file downloaded from DISA site and try to find the matching > rules into the RHEL/7/input/xccdf/*.xml files. > > For now, I justed focused on the stigid identifiers not on the SGR ones. > Actually the result is that I have 97 rules matching with the DISA XCCDF > upstream file ? > > Do you think it is a relevant number ? > > Browsing the OPENSCAP XCCDF files I realised that there were some DISA > rules that maybe already covered but there is not actually a stigid > attributed attached to these rules. > > Do you think it can be relevant if I try to complete OPENSCAP XCCDF > files with missing stigid if matches can be found against the DISA XCCDF > upstream file ? Or is it definitely not the process ?
Since you appear to be working from source: `make tables` is your friend :) It'll generate HTML mapping tables, such as these: "What rules map to a given OS SRG?" http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-srgmap.html "What NIST 800-53 controls are satisfied, and how?" http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-nistrefs.html
_______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org