/root/openscap_data
by Mike Johnston
I'm a new to this project and have always done my SCAP lock downs with
kickstart scripts up until now. This looks to be something I switched to a
long time ago.
In the environment I work in, I need to make custom ISO installation disks
to send out to the field. I've been testing out the 'addon
xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and
then made a custom tailored XML following the guidelines keep a few things
on that were being removed. My problem is that now that I have my
'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart
image? I've tried copying it in the post -nochroot section of my kickstart
to /tmp/openscap_data and /root/openscap_data and neither of those
worked.
Can someone tell me or show me where in the guide it show where it's
supposed to go?
This is what my kickstart looks like:
-------------------------------------
%post --nochroot
cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml
/root/openscap_data/
%addon org_fedora_oscap
content-type = scap-security-guide
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path=ssg-rhel7-ds-tailoring.xml
%end
-------------------------------------
Thanks for all the work...this is a great project.
5 years
Generate '--stig-viewer' results from '--results-arf' output
by James Cassell
Hello,
I see that I can generate a report after the fact by using the 'oscap generate report' command with the results xml. Can I generate STIG Viewer-compatible output after the fact, as well?
My use case is to run the ssg benchmark against a RHEL 6 system that has a old version of openscap, then move those results to a system with the current version to do the conversion.
I've also had to do this with a RHEL 7.3 system, in which case I was able to workaround the issues by re-building the newest openscap SRPM against RHEL 7.3, but that's not a very clean solution and results in an unsupported package being installed on the system.
Is there a template somewhere that will allow the 'oscap generate custom' output the equivalent of '--stig-viewer' from a results xml file?
Thanks for any insight!
V/r,
James Cassell
5 years, 1 month
Strip down XML output (XCCDF,OVAL,DS)
by Alexander Bergmann
Hi everyone,
I'm currently checking if it is possible to strip down everything
unneeded from a generated XCCDF, OVAL or DS file or to include just the
needed rules and OVAL definitions for a certain profile during
generation.
For example:
When I generate the rhel7/sle12 output after running the cmake script,
all profiles are included inside the XCCDF and DS files.
Furthermore all OVAL definitions get included even if they are not part
of any listed profile. I understand that this are two pair shoes. I'm
just curious if there is a way to limit the OVAL output only to those
definitions that are actually needed for the defined profiles.
So, is it possible to limit the output generation to a single profile
and to limit the OVAL output as well?
This is interesting especially for the DS output where I want to have a
small file with all needed tests and definitions for just one profile.
Any hint or direction is appreciated. ;)
Regards,
Alex~
--
Alexander Bergmann <abergmann(a)suse.com>, Security Engineer, GPG:9FFA4886
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
5 years, 1 month
