Hello RHEL community. As a matter of opinion, I think we should focus on RHEL 7. Is there any content for SELinux?

David Oliva

-----Original Message-----
From: Shawn Wells <sh...@redhat.com>
To: open-scap-list <open-scap-list@redhat.com>
Sent: Tue, Sep 5, 2017 11:20 am
Subject: Re: [Open-scap] [open-scap] scan percentage with respect to rules specified by STIG
On 9/5/17 4:38 AM, Wesley Ceraso Prudencio wrote:
> I'm not an expert, but if I got it right, we currently cover approximately 85% of STIG rules for RHEL7 and 23% for RHEL6.

Something seems off....

In RHEL6, the STIG profile extends the common profile:
> $ head -1 stig-rhel6-server-upstream.xml
> <Profile id="stig-rhel6-server-upstream" extends="common">

So, adding in rules from 'common' and STIG profiles:
> $ grep -v '<!' common.xml | grep true | wc -l
> 182
>
> $ grep -v '<!' stig-rhel6-* | grep true | wc -l
> 68

Then subtracting things that are turned off:
> $ grep false stig-rhel6-* | wc -l
> 4

= 246 rules.

Then compared to RHEL6 STIG from DISA:
> $ grep "<Rule" U_RedHat_6_STIG_V1R16_Manual-xccdf.xml | wc -l
> 259

246 / 259 = 95%

Some gaps are expected (e.g. update 3rd party patches, install 3rd party software), so we'll never have 100% until baseline owners drop such rules. This is common across most third parties (e.g. CIS), not just DISA...

... now.... ensuring the content of the selected rules aligns between DISA and SSG is another question :)

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
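The grep arithmetic in Shawn's message (parent profile rules + child profile rules - rules turned off, divided by the DISA rule count) can be done more robustly by resolving the XCCDF `extends` chain and letting a child `selected="false"` override the parent. The script below is an added example, not SSG or DISA code; the XML inside it is constructed sample data and the XCCDF 1.1 namespace is an assumption.

```python
"""Count the effective rule selection of an XCCDF profile that extends
another profile, then compute coverage against a benchmark's rule count."""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"  # assumed namespace

# Constructed stand-in for the SSG profiles: 'common' selects three rules,
# the STIG profile extends it, adds one rule and turns one off.
SSG_XML = f"""<Benchmark xmlns="{XCCDF}">
  <Profile id="common">
    <select idref="rule_a" selected="true"/>
    <select idref="rule_b" selected="true"/>
    <select idref="rule_c" selected="true"/>
  </Profile>
  <Profile id="stig-rhel6-server-upstream" extends="common">
    <select idref="rule_d" selected="true"/>
    <select idref="rule_c" selected="false"/>
  </Profile>
</Benchmark>"""

# Constructed stand-in for a DISA manual XCCDF benchmark with five rules.
DISA_XML = f"""<Benchmark xmlns="{XCCDF}">
  <Group><Rule id="SV-1"/><Rule id="SV-2"/><Rule id="SV-3"/>
         <Rule id="SV-4"/><Rule id="SV-5"/></Group>
</Benchmark>"""


def effective_selection(benchmark_xml, profile_id):
    """Return the set of rule ids selected by profile_id, resolving the
    'extends' chain so that a child profile overrides its parent."""
    root = ET.fromstring(benchmark_xml)
    profiles = {p.get("id"): p for p in root.iter(f"{{{XCCDF}}}Profile")}
    chain, pid = [], profile_id
    while pid:                      # walk up the extends chain
        prof = profiles[pid]
        chain.append(prof)
        pid = prof.get("extends")
    selected = set()
    for prof in reversed(chain):    # parent first, child overrides
        for sel in prof.iter(f"{{{XCCDF}}}select"):
            if sel.get("selected") == "true":
                selected.add(sel.get("idref"))
            else:                   # selected="false" drops an inherited rule
                selected.discard(sel.get("idref"))
    return selected


def count_rules(benchmark_xml):
    """Equivalent of grep '<Rule' ... | wc -l, but namespace-aware."""
    return sum(1 for _ in ET.fromstring(benchmark_xml).iter(f"{{{XCCDF}}}Rule"))


def coverage_percent(selected_count, benchmark_rule_count):
    return round(100 * selected_count / benchmark_rule_count)
```

With the sample data the STIG profile resolves to three rules out of five; feeding in the counts from the thread gives `coverage_percent(246, 259)` = 95, matching the message.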