Re: [Open-scap] customize scap report

2019-07-09 Thread Kenny Woodson
Thanks for the reply Jan.  Comments in-line.

On Mon, Jul 8, 2019 at 3:21 AM Jan Cerny  wrote:

> Hi,
>
> You need to pass the ID of the customized profile in --profile instead
> of the ID of the original profile.
>
> The ID of the customized profile is the ID that Workbench prompted you
> for when you clicked on the "Customize" button.
> By default it's stig-rhel7-disa_customized. You can check by opening
> the tailoring file in a text editor and checking the "id" attribute of the
> "Profile" element.
>
I updated the profile id and the same result entailed.

What solved this issue for me was adding the profile id as well as updating
the source security guide from
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
to
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

This allowed my tailoring-file to correctly be applied.

Thanks for the help.

>
> Regards
>
> On Thu, Jul 4, 2019 at 4:19 PM Kenny Woodson  wrote:
> >
> > I'm attempting to run openscap and I was looking for some assistance for
> > customizing a security guide.
> >
> > I would like to disable options from the rhel7-stig-disa security
> > guide.  For example, we do not allow ssh to our image and therefore would
> > like to disable the check to install the screen package.
> >
> > I followed the instructions here:
> > https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
> >
> > This allowed me to capture the customized tailoring-file.  With this
> > file I attempted to scan our image with the following command:
> >
> > oscap xccdf eval   --profile stig-rhel7-disa  \
> >  --results /tmp/scap-results.xml \
> >  --report /tmp/scap-report.html \
> >  --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
> >  --oval-results --fetch-remote-resources  \
> >  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
> >  /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
> >
> > I admit that I am new to openscap and I'm not sure I understand each of
> > the options here but when viewing the results I continue to see that the
> > screen check fails.  Is this behavior expected?
> >
> > Here is the option in my tailoring-file:
> >  idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false"/>
> >
> > I would appreciate some assistance or some explanation of how to achieve
> > a customized security guide.
> >
> > Thanks,
> > kenny
> > ___
> > Open-scap-list mailing list
> > Open-scap-list@redhat.com
> > https://www.redhat.com/mailman/listinfo/open-scap-list
>
>
>
> --
> Jan Černý
> Security Technologies | Red Hat, Inc.
>

Re: [Open-scap] customize scap report

2019-07-08 Thread Jan Cerny
Hi,

You need to pass the ID of the customized profile in --profile instead
of the ID of the original profile.

The ID of the customized profile is the ID that Workbench prompted you
for when you clicked on the "Customize" button.
By default it's stig-rhel7-disa_customized. You can check by opening
the tailoring file in a text editor and checking the "id" attribute of the
"Profile" element.

Regards

On Thu, Jul 4, 2019 at 4:19 PM Kenny Woodson  wrote:
>
> I'm attempting to run openscap and I was looking for some assistance for 
> customizing a security guide.
>
> I would like to disable options from the rhel7-stig-disa security guide.  For 
> example, we do not allow ssh to our image and therefore would like to disable 
> the check to install the screen package.
>
> I followed the instructions here:
> https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/
>
> This allowed me to capture the customized tailoring-file.  With this file I 
> attempted to scan our image with the following command:
>
> oscap xccdf eval   --profile stig-rhel7-disa  \
>  --results /tmp/scap-results.xml \
>  --report /tmp/scap-report.html \
>  --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
>  --oval-results --fetch-remote-resources  \
>  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
>  /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
>
> I admit that I am new to openscap and I'm not sure I understand each of the 
> options here but when viewing the results I continue to see that the screen
> check fails.  Is this behavior expected?
>
> Here is the option in my tailoring-file:
>  idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false"/>
>
> I would appreciate some assistance or some explanation of how to achieve a 
> customized security guide.
>
> Thanks,
> kenny



-- 
Jan Černý
Security Technologies | Red Hat, Inc.
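
Added example (not part of the thread and not code from the OpenSCAP project): a Python pre-flight check for the two mismatches resolved in these messages, a --profile value that names the original profile rather than the one defined in the tailoring file, and a scan source that differs from the file the tailoring was made from. The tailoring XML below is constructed, and treating its benchmark href as the exact path passed to oscap is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample tailoring file (not from the thread); the profile and
# rule IDs and the data stream path are the values quoted in the messages.
SAMPLE_TAILORING = """\
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2019-07-04T16:00:00">1</xccdf:version>
  <xccdf:Profile id="stig-rhel7-disa_customized" extends="stig-rhel7-disa">
    <xccdf:title>Constructed customized profile</xccdf:title>
    <xccdf:select selected="false"
        idref="xccdf_org.ssgproject.content_rule_package_screen_installed"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def tailoring_info(xml_text):
    """Return (benchmark href, {profile id: (base id, [deselected rules])})."""
    root = ET.fromstring(xml_text)
    bench = root.find("x:benchmark", NS)
    profiles = {}
    for prof in root.findall("x:Profile", NS):
        off = [s.get("idref") for s in prof.findall("x:select", NS)
               if s.get("selected") == "false"]
        profiles[prof.get("id")] = (prof.get("extends"), off)
    return (bench.get("href") if bench is not None else None), profiles

def check_scan_args(profile_arg, source_path, xml_text):
    """List reasons this invocation would not use the tailored profile."""
    href, profiles = tailoring_info(xml_text)
    problems = []
    if profile_arg not in profiles:
        # The caller may have passed the base profile the tailoring extends.
        tailored = [p for p, (base, _) in profiles.items() if base == profile_arg]
        hint = f"; use {tailored[0]}" if tailored else ""
        problems.append(f"--profile {profile_arg} is not in the tailoring file{hint}")
    if href and href != source_path:  # assumed: href is the path given to oscap
        problems.append(f"tailoring was made from {href}, not {source_path}")
    return problems

if __name__ == "__main__":
    ssg = "/usr/share/xml/scap/ssg/content/"
    for prof, src in [("stig-rhel7-disa", ssg + "ssg-rhel7-xccdf.xml"),
                      ("stig-rhel7-disa_customized", ssg + "ssg-rhel7-ds.xml")]:
        print(prof, src, check_scan_args(prof, src, SAMPLE_TAILORING) or "OK")
```
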


[Open-scap] customize scap report

2019-07-04 Thread Kenny Woodson
I'm attempting to run openscap and I was looking for some assistance for
customizing a security guide.

I would like to disable options from the rhel7-stig-disa security guide.
For example, we do not allow ssh to our image and therefore would like to
disable the check to install the screen package.

I followed the instructions here:
https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/

This allowed me to capture the customized tailoring-file.  With this file I
attempted to scan our image with the following command:

oscap xccdf eval   --profile stig-rhel7-disa  \
 --results /tmp/scap-results.xml \
 --report /tmp/scap-report.html \
 --tailoring-file /root/data/ssg-rhel7-ds-aro.xml \
 --oval-results --fetch-remote-resources  \
 --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
 /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

I admit that I am new to openscap and I'm not sure I understand each of the
options here but when viewing the results I continue to see that the screen
check fails.  Is this behavior expected?

Here is the option in my tailoring-file:


I would appreciate some assistance or some explanation of how to achieve a
customized security guide.

Thanks,
kenny