[Open-scap] Proper use of oscap xccfg generate guide

Shawn Wells shawn at redhat.com
Wed Feb 6 03:33:48 UTC 2013


On 2/5/13 8:15 PM, Shawn Wells wrote:
> Within the SSG project we have several profiles:
>> $ grep "<Profile" output/unlinked-rhel6-xccdf.xml
>>   <Profile id="test">
>>   <Profile id="common">
>>   <Profile id="desktop" extends="common">
>>   <Profile id="server" extends="common">
>>   <Profile id="ftp" extends="server">
>>     <!--<Profile id="ftp" extends="server" 
>> xmlns="http://checklists.nist.gov/xccdf/1.1" > -->
>>   <Profile id="stig-rhel6-server" extends="common">
>
> Historically we've wanted to create one large guide containing all 
> rules, and have been using the following command for that. Note the 
> "allrules" profile doesn't actually exist, as our understanding is 
> that OpenSCAP will generate "allrules" upon receiving a non-existent 
> profile name.
>> $ oscap xccdf generate guide --profile allrules 
>> $(OUT)/unlinked-rhel6-xccdf-guide.xml > $(OUT)/rhel6-guide.html
>
> I'm now trying to create per-profile guides, e.g.:
>> oscap xccdf generate guide --profile test 
>> $(OUT)/unlinked-rhel6-xccdf-guide.xml > $(OUT)/test-guide.html
>> oscap xccdf generate guide --profile stig-rhel6-server 
>> $(OUT)/unlinked-rhel6-xccdf-guide.xml > 
>> $(OUT)/stig-rhel6-server-guide.html
>
> The "test" profile has 29 rules in it, with "stig-rhel6-server" having 
> 252:
>> $ grep "<select idref" ../input/profiles/test.xml | wc -l
>> 29
>>
>> ## stig-rhel6-server extends common, adding them together
>> $ grep "<select idref" ../input/profiles/stig-rhel6-server.xml | wc -l
>> 51
>> [shawn at rhel6 output]$ grep "<select idref" 
>> ../input/profiles/common.xml | wc -l
>> 201
>
> The test-guide.html and stig-rhel6-server-guide.html end up having the 
> same content as each other, even though they have different rules. 
> Additionally, the test and stig-rhel6-server guides are larger 
> (filesize) than the "allrules."
>
> I double-checked the `oscap xccdf generate guide --help` output, and I 
> appear to be issuing the commands correctly... but famous last words! 
> Any guidance is appreciated. 

User error... I was able to generate a checklist off the 
stig-rhel6-server profile:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/stig-rhel6-server-guide.html#rule-selection

Learned the key difference between a "guide" and a "checklist." My 
end-goal is to produce a guide, or a checklist, that shows ONLY the 
rules which were selected in the profile. Is that currently possible?
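As an added example (not part of the original post and not SSG or OpenSCAP code), the following Python resolves an XCCDF profile's `extends` chain the way the quoted counts add common and stig-rhel6-server together, and shows why the effective rule set can differ from a plain `grep "<select idref"` count once overlapping selections and `selected="false"` entries are applied. The benchmark XML is constructed for the demonstration; the rule ids in it are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample benchmark (not SSG content): one profile extends a parent, one deselects.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Profile id="common">
    <select idref="rule-sshd-disable-root" selected="true"/>
    <select idref="rule-aide-installed" selected="true"/>
    <select idref="rule-telnet-removed" selected="true"/>
  </Profile>
  <Profile id="server" extends="common">
    <select idref="rule-ftp-disabled" selected="true"/>
    <select idref="rule-aide-installed" selected="true"/>
  </Profile>
  <Profile id="ftp" extends="server">
    <select idref="rule-ftp-disabled" selected="false"/>
  </Profile>
  <Profile id="test">
    <select idref="rule-telnet-removed" selected="true"/>
  </Profile>
</Benchmark>
"""

def load_profiles(xml_text):
    """Map profile id -> (extends id or None, [(idref, selected_bool), ...])."""
    profiles = {}
    for prof in ET.fromstring(xml_text).findall("x:Profile", NS):
        sels = [(s.get("idref"), s.get("selected", "true").lower() == "true")
                for s in prof.findall("x:select", NS)]
        profiles[prof.get("id")] = (prof.get("extends"), sels)
    return profiles

def effective_selection(profiles, profile_id, _seen=()):
    """Apply the parent chain first, then the profile's own <select> overrides.
    Returns the sorted ids of rules left selected; an unknown profile raises
    KeyError instead of silently yielding an empty or 'all rules' set."""
    if profile_id in _seen:
        raise ValueError("extends cycle at %s" % profile_id)
    parent, sels = profiles[profile_id]  # KeyError for a non-existent profile
    state = {}
    if parent:
        chain = effective_selection(profiles, parent, _seen + (profile_id,))
        state = dict.fromkeys(chain, True)
    for idref, selected in sels:  # a later <select> wins over an inherited one
        state[idref] = selected
    return sorted(rule for rule, on in state.items() if on)
```

Running `effective_selection(load_profiles(SAMPLE_XCCDF), "server")` yields four rule ids, not the five `<select>` lines a grep over common and server would count, because the duplicated aide rule collapses into one; the "ftp" profile drops back to three after its `selected="false"` override.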
