Hello Robert,
I don't have good news for you, unfortunately. Migration of
customizations between releases is tricky. As the customization is in
the form of a diff, if you change the base, it can have unforeseen
consequences. Mostly in the form of new rules (added to the base) or new
variables, when in the old version the rule had a value hardcoded. We also
do not guarantee the rule ids won't change between versions, even though it
shouldn't happen often.
I am not aware of any tool to compare profiles. Personally, I'd just
scan some machine with both versions using --progress to generate
results as single lines. And do a diff of these results...
What you have noticed, the increased number of items in the new save of
the customization, is a known bug:
https://github.com/OpenSCAP/scap-workbench/issues/139
So all considered, I would probably suggest to customize anew.
If I may - can you write improvement ideas to our issue tracker?
https://github.com/OpenSCAP/scap-workbench/issues
Thanks,
Marek
On 05/17/2018 08:07 PM, Robert Sanders wrote:
Hello all,
Short version: What are best practices/guidance/suggestions for
keeping a customization file while upgrading between OS releases? This
also gets down to determining what has changed between versions.
Long version: We generated our own customization against the RHEL7.3
'STIG for Red Hat Enterprise Linux 7 Server' profile, and are now
migrating to RHEL7.5, which provides the 'DISA STIG FOR Red Hat
Enterprise Linux 7' profile instead. What is involved in having our 7.3
customization file imported correctly and applied to the default
profile, and is there any way to show a delta between the RHEL7.3 profile
and the RHEL7.5 profile, with or without (preferably with) our
customizations?
Initially on our RHEL7.5 box I tried to invoke 'scap-workbench
OurCustomizationFile.xml', but that resulted in no rules being displayed
(and no warnings/errors either for that matter). This is when I
discovered that RHEL7.3 and RHEL7.5 had different profiles. I wound up
editing our customization file to refer to the RHEL7.5 profile name
instead of the RHEL7.3 name, which appears to work. I did notice when I
save just the customizations again there were substantially more things
in that file than were in the original customizations. Mostly selected
rules and such, but also default values. I *think* all of our mods were
preserved (still digging through), but wondered about the other new
values.
And as for the last question above - is there a way to compare
'profiles' (with or without customization) to see the differences
between them? Or even load a base profile and have the customizations
highlighted?
-Rob
*Robert Sanders*
Sr. Secure Systems Engineer
*FORCEPOINT*
T +1.703.896.4762
F +1.703.318.5041
www.forcepoint.com
*FORWARD WITHOUT FEAR*
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
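
The comparison Marek suggests in his reply (scan one machine with both content versions using --progress, then diff the results), as an added example that is not part of the original thread or of the OpenSCAP project's code. It assumes each saved output line has the form `rule_id:result`; the rule ids and results in the sample are constructed placeholders.

```python
"""Compare two saved `oscap xccdf eval --progress` outputs, one scan per content version."""


def parse_progress(text):
    """Map rule id -> result. Splits on the last colon; lines without one are skipped."""
    results = {}
    for line in text.splitlines():
        rule_id, sep, result = line.strip().rpartition(":")
        if sep and rule_id:
            results[rule_id] = result
    return results


def compare_scans(old_text, new_text):
    """Return rules only in the new scan, only in the old scan, and rules whose result changed."""
    old, new = parse_progress(old_text), parse_progress(new_text)
    return {
        # New rules added to the base, or the new half of a renamed rule id.
        "added": sorted(new.keys() - old.keys()),
        # Rules dropped from the base, or the old half of a renamed rule id.
        "removed": sorted(old.keys() - new.keys()),
        # Same rule id, different outcome: check or variable default may have changed.
        "changed": sorted(
            (r, old[r], new[r]) for r in old.keys() & new.keys() if old[r] != new[r]
        ),
    }


# Constructed sample output (not from a real scan); rule ids are placeholders.
OLD_SCAN = """\
xccdf_org.example_rule_sshd_disable_root_login:pass
xccdf_org.example_rule_accounts_tmout:fail
xccdf_org.example_rule_old_only:pass
xccdf_org.example_rule_audit_rules_time:notapplicable
"""
NEW_SCAN = """\
xccdf_org.example_rule_sshd_disable_root_login:pass
xccdf_org.example_rule_accounts_tmout:pass
xccdf_org.example_rule_audit_rules_time:fail
xccdf_org.example_rule_new_in_base:fail
"""

if __name__ == "__main__":
    delta = compare_scans(OLD_SCAN, NEW_SCAN)
    for rule in delta["added"]:
        print("+", rule)
    for rule in delta["removed"]:
        print("-", rule)
    for rule, before, after in delta["changed"]:
        print("~", rule, before, "->", after)
```

A rule that shows up once under "removed" and once under "added" with a similar name is worth checking by hand, since rule ids are not guaranteed to stay the same between versions.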