On 03/08/17 15:36, Watson Yuuma Sato wrote:
> On 03/08/17 11:07, Marek Haicman wrote:
>> On 08/03/2017 02:28 AM, Shawn Wells wrote:
>>> Hey Guys
>>>
>>> Just downloaded the RHEL 7.4 installation media and attempted
>>> to use the oscap-anaconda features. Selected "security" during the
>>> installer, and noticed a few things:
>>>
>>> (1) The CUI/NIST 800-171 profile has the description from OSPP:
>>>
>>>
>>> (2) There are multiple RHEL7 STIG options:
>>>
>>>
>>> I'm not sure how/why this is happening.
>>>
>>> The 800-171 profile does extend OSPP. Do we need a "extends" for
>>> the profile description field?
>>>
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/...
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> scap-security-guide mailing list --
>>> scap-security-guide(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> scap-security-guide-leave(a)lists.fedorahosted.org
>>>
>> Hey Shawn,
>> ad (2) this is known issue
>>
https://bugzilla.redhat.com/show_bug.cgi?id=1437106
>>
>> For (1) that description is the same that SCAP Workbench displays,
>> and oscap generates from the guides (as can be seen
>>
http://static.open-scap.org/ssg-guides/ssg-rhel7-guide-index.html).
>> Extend concatenates description of extended profile and the
>> extending one. Is it a bug?
> This is not a bug.
> To replace extended description, extending description element should
> have attribute override="true", like the title element has.
Well, this is a bug if description of CUI/NIST 800-171 is not expected
to be appended to description of OSPP Profile.
IMHO it comes down to the profiles not including "override=true" in the
profile descriptions.
Never knew they were needed. How come we didn't have this problem in
earlier editions of oscap-anaconda? The profiles don't seem to have
override=true in the description field, but in prior RHEL releases
things were OK.
--
Shawn Wells
Chief Security Strategist
North America Public Sector
shawn(a)redhat.com | 443-534-0130