Hi,

You need to pass the ID of the customized profile in --profile instead
of the ID of the original profile.

The ID of the customized profile is the ID that Workbench prompted you
for when you clicked the "Customize" button.
By default it's stig-rhel7-disa_customized. You can check by opening
the tailoring file in a text editor and checking the "id" attribute of the
"Profile" element.

Regards

On Thu, Jul 4, 2019 at 4:19 PM Kenny Woodson <kwood...@redhat.com> wrote:
>
> I'm attempting to run openscap and I was looking for some assistance for 
> customizing a security guide.
>
> I would like to disable options from the rhel7-stig-disa security guide.  For 
> example, we do not allow ssh to our image and therefore would like to disable 
> the check to install the screen package.
>
> I followed the instructions here:
> https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
>
> This allowed me to capture the customized tailoring-file.  With this file I 
> attempted to scan our image with the following command:
>
> oscap xccdf eval   --profile stig-rhel7-disa  \
>  --results /tmp/scap-results.xml \
>  --report /tmp/scap-report.html \
>  --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
>  --oval-results --fetch-remote-resources  \
>  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
>  /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
>
> I admit that I am new to openscap and I'm not sure I understand each of the 
> options here but when viewing the results I continue to see that the screen
> check fails.  Is this behavior expected?
>
> Here is the option in my tailoring-file:
>     <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false"/>
>
> I would appreciate some assistance or some explanation of how to achieve a 
> customized security guide.
>
> Thanks,
> kenny
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list



-- 
Jan Černý
Security Technologies | Red Hat, Inc.
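
The check described in the reply above, as an added example that is not part of the original thread: it reads the "id" of each "Profile" element in a tailoring file, lists the rules that profile deselects, and builds the `oscap` command line with the customized ID in `--profile`. The sample tailoring file is constructed, the function names are hypothetical, and the code assumes the customized profile points at the original one through its `extends` attribute.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample tailoring file, not the poster's actual file.
SAMPLE_TAILORING = """\
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml"/>
  <xccdf:version time="2019-07-04T16:00:00">1</xccdf:version>
  <xccdf:Profile id="stig-rhel7-disa_customized" extends="stig-rhel7-disa">
    <xccdf:title>DISA STIG [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def tailored_profiles(xml_text):
    """List each Profile in a tailoring file with its id, parent and deselected rules."""
    profiles = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "Profile":
            continue
        selects = [c for c in el if local(c.tag) == "select"]
        profiles.append({
            "id": el.get("id"),
            "extends": el.get("extends"),
            "deselected": [s.get("idref") for s in selects if s.get("selected") == "false"],
        })
    return profiles

def eval_command(xml_text, tailoring_path, benchmark_path, base_profile):
    """Build the oscap argv using the customized ID that extends base_profile."""
    matches = [p for p in tailored_profiles(xml_text) if p["extends"] == base_profile]
    if len(matches) != 1:
        raise ValueError(f"expected one profile extending {base_profile!r}, found {len(matches)}")
    return ["oscap", "xccdf", "eval", "--profile", matches[0]["id"],
            "--tailoring-file", tailoring_path, benchmark_path]

if __name__ == "__main__":
    for p in tailored_profiles(SAMPLE_TAILORING):
        print(p["id"], "extends", p["extends"], "deselects", p["deselected"])
    print(shlex.join(eval_command(SAMPLE_TAILORING, "/root/data/ssg-rhel7-ds-aro.xml",
                                  "/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml",
                                  "stig-rhel7-disa")))
```

If the rule you expected to be disabled is missing from the "deselects" list, the tailoring file itself needs fixing before the scan is rerun.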
