Re: [Open-scap] customize scap report

[Kenny Woodson]

Thanks for the reply Jan.  Comments in-line.

On Mon, Jul 8, 2019 at 3:21 AM Jan Cerny  wrote:

> Hi,
>
> You need to pass the ID of the customized profile in --profile instead
> of the ID of the original profile.
>
> The ID of the customized profile is the ID that Workbench prompted you
> when you clicked on "Customize" button.
> By default it's stig-rhel7-disa_customized. You can check by opening
> the tailoring file in a text editor and checking "id" attribute of the
> "Profile" element.
>
I updated the profile id and the same result entailed.

What solved this issue for me was adding the profile id as well as updating
the source security guide from
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
to
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

This allowed my tailoring-file to correctly be applied.

Thanks for the help.

>
> Regards
>
> On Thu, Jul 4, 2019 at 4:19 PM Kenny Woodson  wrote:
> >
> > I'm attempting to run openscap and I was looking for some assistance for
> customizing a security guide.
> >
> > I would like to disable options from the rhel7-stig-disa security
> guide.  For example, we do not allow ssh to our image and therefore would
> like to disable the check to install the screen package.
> >
> > I followed the instructions here:
> >
> https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
> >
> > This allowed me to capture the customized tailoring-file.  With this
> file I attempted to scan our image with the following command:
> >
> > oscap xccdf eval   --profile stig-rhel7-disa  \
> >  --results /tmp/scap-results.xml \
> >  --report /tmp/scap-report.html \
> >  --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
> >  --oval-results --fetch-remote-resources  \
> >  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
> /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
> >
> > I admit that I am new to openscap and I'm not sure I understand each of
> the options here but when viewing the results I continue to see that the
> screen
> > check fails.  Is this behavior expected?
> >
> > Here is the option in my tailoring-file:
> >  idref="xccdf_org.ssgproject.content_rule_package_screen_installed"
> selected="false"/>
> >
> > I would appreciate some assistance or some explanation of how to achieve
> a customized security guide.
> >
> > Thanks,
> > kenny
> > ___
> > Open-scap-list mailing list
> > Open-scap-list@redhat.com
> > https://www.redhat.com/mailman/listinfo/open-scap-list
>
>
>
> --
> Jan Černý
> Security Technologies | Red Hat, Inc.
>
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] openscap for windows?

[Matěj Týč]

Hello, it is technically possible to compile and execute the OpenSCAP 
scanner itself on Windows natively, but the ComplianceAsCode project 
doesn't supply Windows content. In other words, if the content is what 
holds you back, we can't help you with that.


It looks like that you are able to run the scanner, but just to be sure, 
you can grab a build of OpenSCAP scanner here:


https://github.com/OpenSCAP/openscap/releases/download/1.3.1/OpenSCAP-1.3.1-win32.msi

On 04. 07. 19 8:53, Maurizio Pagani wrote:


Hi everybody,

Is possible use openscap for windows?

I'm searching some things online, but anything tell me how 
install/configure/execute openscap on windows


I downloaded OpenScap WorkBench, but there is not the windows content 
(only for Linux distro)


but i need to know if is possible download the content for windows and 
add to openscap workbench (windows edition)


thanks in advance for your support

*Maurizio*


 
	Mail priva di virus. www.avast.com 
 



<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list