This is a pretty newbie question on modifying the checks within SCAP.  The

<Rule id="jboss_eap_vendor_supported" severity="high">
<oval id="jboss_eap_vendor_supported" value="var_jboss_profile" />
<ref srg="SRG-APP-000456-AS-000266" disa="2605" nist=""

checks if a "version.txt" file exists with a version matching a supported
release of Red Hat JBoss Enterprise Application Platform.  This can be
found at scap-security-guide/jboss_eap6/xccdf/application/eap6.xml

I read the DISA STIG requirement to talk to use of unsupported community
JBoss releases such as JBoss AS and WildFly.  Use of JBoss community
software would be a CAT I finding in the STIG.  I created a bash script at
the following location to correctly find and identify JBoss community

This has been tested against 110 community JBoss AS/WildFly releases and 87
enterprise releases.  The repository contains the script and a
test harness.  A comprehensive dataset to test against is available at:

The script looks for marker files that must be present in order to run the
community application server and then examines metadata within those files
to correctly identify them.

QUESTION:  How can I incorporate this into the existing SCAP checks?  I'm
finding the XML schemas a bit daunting to understand and I would also need
to use the script check engine for this.

I'll keep looking at the developer's guide on the website to sort this out
but if anyone is willing to collaborate, I'd greatly appreciate it.

Rich Lucente

Principal Solution Architect

Red Hat Public Sector
<>    M: 240-994-0562
scap-security-guide mailing list --
To unsubscribe send an email to

Reply via email to