Great! I noticed that the stig profile also refines values inherited from the common
profile. Thank you again for the help. Once I begin developing my own profile I will share
any major modifications or creations.
Luke Kordell
________________________________________
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[scap-security-guide-bounces(a)lists.fedorahosted.org] on behalf of Shawn Wells
[shawn(a)redhat.com]
Sent: Wednesday, October 02, 2013 8:22 PM
To: scap-security-guide(a)lists.fedorahosted.org
Subject: Re: EXTERNAL: Re: scan question
On 10/2/13 8:04 PM, Kordell, Luke T wrote:
Hi,
I double-checked to make sure I added the correct line to the guide.xslt file but
when I grepped the ssg-rhel6-xccdf.xml file it did not return the usgcb file. I wish I
could pull the latest update and patches quickly but am unable to do so with my RHEL
machine at the moment.
If you do a 'git pull', or simply reclone, you'll notice the new profile in
there. It should make the next RPM release too.
Basically what I'm trying to do is find a good starting point for a completely
customized profile that calls a particular set of rules I will define. I think I need to
conduct a little more research to make sure I fully understand how to use the scripts to
generate OVAL content and how to create a profile. I think I have the rule creation/adding
part down. Can you point me in the right direction?
As always thank you for the assistance!
Consider exploring the XCCDF "extends" option, as used in the STIG:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/inpu...
Specifically:
<Profile id="stig-rhel6-server" extends="common">
The STIG inherits *everything* from the common profile, located here:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/inpu...
Once inherited, anything in the STIG profile takes precedence, allowing for customization
of things like password length, audit retention, etc.
If you wanted to change a refine value, such as maximum age of passwords, simply use a
refine-value tag:
<refine-value idref="var_accounts_maximum_age_login_defs" selector="5"/>
... which would change the value from the STIG (which is 180 days), to 5 in your custom
profile.
Or perhaps there's a STIG rule which you disagree with, disable it via the selected
operator:
<select idref="password_require_uppercases" selected="false"/>
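
The precedence rule discussed in this thread, as an added example that is not part of the original messages or of the scap-security-guide code: a Python resolver that follows `extends` chains in an XCCDF 1.1 fragment and returns the effective `select` and `refine-value` settings for a profile. The benchmark below is constructed; the profile id `custom` and the selector `60` in `common` are assumptions, and the other ids are modeled on those in the messages.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample, not real SSG content. "custom" and selector "60" are
# hypothetical; the remaining ids are modeled on the ones in the thread.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Profile id="common">
    <select idref="password_require_uppercases" selected="true"/>
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="60"/>
  </Profile>
  <Profile id="stig-rhel6-server" extends="common">
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="180"/>
  </Profile>
  <Profile id="custom" extends="stig-rhel6-server">
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="5"/>
    <select idref="password_require_uppercases" selected="false"/>
  </Profile>
</Benchmark>"""


def resolve_profile(root, profile_id, _seen=()):
    """Return (selections, refinements) for a profile after following extends."""
    if profile_id in _seen:
        raise ValueError("circular extends: " + " -> ".join(_seen + (profile_id,)))
    profile = next((p for p in root.findall("x:Profile", NS)
                    if p.get("id") == profile_id), None)
    if profile is None:
        raise KeyError("unknown profile: " + profile_id)
    selections, refinements = {}, {}
    parent = profile.get("extends")
    if parent:
        selections, refinements = resolve_profile(root, parent, _seen + (profile_id,))
    # The child's entries are applied after the parent's, so they take precedence.
    for sel in profile.findall("x:select", NS):
        selections[sel.get("idref")] = sel.get("selected") in ("true", "1")
    for ref in profile.findall("x:refine-value", NS):
        refinements[ref.get("idref")] = ref.get("selector")
    return selections, refinements


def effective(profile_id, xml_text=SAMPLE):
    """Parse an XCCDF document and resolve one profile's effective settings."""
    return resolve_profile(ET.fromstring(xml_text), profile_id)


if __name__ == "__main__":
    for pid in ("common", "stig-rhel6-server", "custom"):
        print(pid, effective(pid))
```

Running the same resolution over a generated benchmark before a scan shows which rules a derived profile has silently turned off relative to its parent.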