Still having problems, the generated script is an empty file.

Here is the tailoring file I created, ssg-rhel7-ds-tailoring.xml, with the 
workbench. It is just an example, to verify I can customize the scanning and 
fix generation. This tailoring should *not* check whether AIDE is installed, 
and it should check for FIPS compliance and, if possible, fix that:

<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
  <xccdf:Profile id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized" extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">STIG for Red Hat Enterprise Linux 7 Server [CUSTOMIZED]</xccdf:title>
    <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</xccdf:description>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_fips" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>

I ran this command:

oscap xccdf generate fix --profile 
xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized 
--tailoring-file ssg-rhel7-ds-tailoring.xml --output script.sh 
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

The script.sh file is created and there is no error, but the file is empty. Why???

-----Original Message-----
From: open-scap-list-boun...@redhat.com 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of 
open-scap-list-requ...@redhat.com
Sent: Friday, March 17, 2017 9:01 AM
To: open-scap-list@redhat.com
Subject: Open-scap-list Digest, Vol 96, Issue 8


Today's Topics:

   1. customizing remediation (Greg Silverman (CS))
   2. Re: customizing remediation (Jan Cerny)


----------------------------------------------------------------------

Message: 1
Date: Thu, 16 Mar 2017 21:15:36 +0000
From: "Greg Silverman (CS)" <greg.silver...@veritas.com>
To: "open-scap-list@redhat.com" <open-scap-list@redhat.com>
Subject: [Open-scap] customizing remediation
Message-ID:
        <b4ead41c604b459eb376f7b9e3749...@vrtsxchclupin05.community.veritas.com>
        
Content-Type: text/plain; charset="us-ascii"

I am missing something when it comes to generating a customized fix script.


1. In SCAP Workbench I deselect rules I do not want.

2. I save the customization file.

3. When I scan with the customization file, it still reports evaluation 
results on *some* of the rules I deselected.

4. When I create the remediation script with oscap xccdf generate fix, 
it generates a fix for the rules mentioned in 3.

This is the command I run:

oscap xccdf generate fix --template urn:xccdf:fix:script:sh --profile 
xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --output 
my-remediation-script.sh 
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-tailoring.xml

i.e., using the tailored xccdf file.

What am I missing?

Thanks,

Greg Silverman
Veritas Technologies

------------------------------

Message: 2
Date: Fri, 17 Mar 2017 04:07:02 -0400 (EDT)
From: Jan Cerny <jce...@redhat.com>
To: "Greg Silverman (CS)" <greg.silver...@veritas.com>
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] customizing remediation
Message-ID:
        <443734437.4096645.1489738022570.javamail.zim...@redhat.com>
Content-Type: text/plain; charset=utf-8

Hello,

Thank you for contacting us.
There are a few things that you might have done incorrectly.

In SCAP Workbench, after you click on "Customize", you will be prompted for a 
new profile ID; that will be the ID of your custom profile.
Check that you use the new ID, and not the ID of the original profile, in your 
commands. By default, it has "_customized" at the end. (It's possible to change 
it.)

For scanning with a customization, oscap needs the path to the original datastream, a 
tailoring file, and the new profile ID. The correct command to scan would be, for 
example, this:

oscap xccdf eval --profile 
xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized 
--tailoring-file ssg-rhel7-ds-tailoring.xml 
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

(I have the tailoring file in the current working directory.)

For generating a customized fix script, again, oscap needs the path to the original 
datastream, a tailoring file, and the new profile ID.
This should work:

oscap xccdf generate fix --profile 
xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized 
--tailoring-file ssg-rhel7-ds-tailoring.xml --output script.sh 
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Bash is the default, so specifying --template is not needed. At least it works for me 
with OpenSCAP 1.2.13.

I hope this helped you a little.

Best regards

Jan Černý
Security Technologies | Red Hat, Inc.




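As an added pre-flight check for the two commands discussed in this thread (example code written for this reply, not part of OpenSCAP or SCAP Workbench), the following Python parses a tailoring file like the one posted above and flags the two slips Jan describes before oscap is even run: passing the original profile ID instead of the customized one defined in the tailoring, and passing the tailoring file as the positional benchmark argument instead of the datastream. The embedded sample tailoring is constructed from the thread's file, and the helper names (parse_tailoring, check_invocation) are my own.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed sample modelled on the tailoring file posted in the thread.
SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2017-03-17T13:43:12">1</xccdf:version>
  <xccdf:Profile id="xccdf_com.mycompany_profile_stig-rhel7-server-upstream_customized"
      extends="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream">
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_group_fips" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def parse_tailoring(xml_text):
    """Return (benchmark href, {profile id: {"extends": base id, "selects": {idref: bool}}})."""
    root = ET.fromstring(xml_text)
    bench = root.find(XCCDF + "benchmark")
    href = bench.get("href") if bench is not None else None
    profiles = {}
    for prof in root.findall(XCCDF + "Profile"):
        selects = {s.get("idref"): s.get("selected", "true").lower() == "true"
                   for s in prof.findall(XCCDF + "select")}
        profiles[prof.get("id")] = {"extends": prof.get("extends"), "selects": selects}
    return href, profiles


def check_invocation(xml_text, profile_id, positional_path):
    """List problems with `oscap xccdf ... --profile ID --tailoring-file T POSITIONAL`."""
    href, profiles = parse_tailoring(xml_text)
    problems = []
    if profile_id not in profiles:
        # The slip from the thread: the base profile ID instead of the new
        # "_customized" ID that the tailoring actually defines.
        problems.append("--profile %s is not defined in the tailoring (defined: %s)"
                        % (profile_id, ", ".join(sorted(profiles)) or "none"))
    if positional_path.endswith("-tailoring.xml"):
        # A tailoring is not a benchmark; it belongs in --tailoring-file only.
        problems.append("positional argument %s looks like the tailoring file; "
                        "pass the datastream instead" % positional_path)
    if href and positional_path != href:
        problems.append("warning: positional argument differs from the benchmark "
                        "href recorded in the tailoring (%s)" % href)
    return problems
```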
------------------------------

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

End of Open-scap-list Digest, Vol 96, Issue 8
*********************************************
