[Open-scap] Proper use of oscap xccdf generate guide
Shawn Wells
shawn at redhat.com
Wed Feb 6 03:33:48 UTC 2013
On 2/5/13 8:15 PM, Shawn Wells wrote:
> Within the SSG project we have several profiles:
>> $ grep "<Profile" output/unlinked-rhel6-xccdf.xml
>> <Profile id="test">
>> <Profile id="common">
>> <Profile id="desktop" extends="common">
>> <Profile id="server" extends="common">
>> <Profile id="ftp" extends="server">
>> <!--<Profile id="ftp" extends="server"
>> xmlns="http://checklists.nist.gov/xccdf/1.1" > -->
>> <Profile id="stig-rhel6-server" extends="common">
>
> Historically we've wanted to create one large guide containing all
> rules, and have been using the following command for that. Note the
> "allrules" profile doesn't actually exist, as our understanding is
> that OpenSCAP will generate "allrules" upon receiving a non-existent
> profile name.
>> $ oscap xccdf generate guide --profile allrules $(OUT)/unlinked-rhel6-xccdf-guide.xml > $(OUT)/rhel6-guide.html
>
> I'm now trying to create per-profile guides, e.g.:
>> oscap xccdf generate guide --profile test $(OUT)/unlinked-rhel6-xccdf-guide.xml > $(OUT)/test-guide.html
>> oscap xccdf generate guide --profile stig-rhel6-server $(OUT)/unlinked-rhel6-xccdf-guide.xml > $(OUT)/stig-rhel6-server-guide.html
>
> The "test" profile has 29 rules in it, with "stig-rhel6-server" having
> 252:
>> $ grep "<select idref" ../input/profiles/test.xml | wc -l
>> 29
>>
>> ## stig-rhel6-server extends common, adding them together
>> $ grep "<select idref" ../input/profiles/stig-rhel6-server.xml | wc -l
>> 51
>> [shawn at rhel6 output]$ grep "<select idref" ../input/profiles/common.xml | wc -l
>> 201
>
> The test-guide.html and stig-rhel6-server-guide.html end up having the
> same content as each other, even though they have different rules.
> Additionally, the test and stig-rhel6-server guides are larger
> (filesize) than the "allrules."
>
> I double-checked the `oscap xccdf generate guide --help` output, and I
> appear to be issuing the commands correctly... but famous last words!
> Any guidance is appreciated.
User error... I was able to generate a checklist off the
stig-rhel6-server profile:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/stig-rhel6-server-guide.html#rule-selection
Learned the key difference between a "guide" and a "checklist." My
end-goal is to produce a guide, or a checklist, that shows ONLY the
rules which were selected in the profile. Is that currently possible?
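The rule counts in the thread come from `grep "<select idref" | wc -l` on each profile file, which neither follows `extends` nor honours `selected="false"` overrides, so it cannot tell you what a profile actually selects. The following is an added example, not code from this thread, from SCAP Security Guide or from OpenSCAP: it resolves a profile's effective rule selection from an XCCDF benchmark by walking the `extends` chain (base profile first, child `<select>` elements overriding), contrasts that with the raw grep-style count, and emits one `oscap xccdf generate guide --profile <id>` command per profile that really exists in the benchmark. The benchmark text and its rule ids are constructed for illustration and mirror the profile layout quoted above; the resolver looks only at profile `<select>` elements, not at the default `selected` state of `<Rule>` elements (a deliberate simplification).

```python
"""Resolve which rules an XCCDF profile selects, following `extends`.

Added example, not part of SCAP Security Guide or OpenSCAP. Uses only the
standard library so it runs offline against the embedded sample benchmark.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed sample benchmark: profile ids follow the thread, rule ids are
# made up. stig-rhel6-server extends common and de-selects one inherited rule.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-rhel6">
  <Profile id="test">
    <select idref="sshd_disable_root_login" selected="true"/>
    <select idref="sysctl_ipv4_ip_forward" selected="true"/>
  </Profile>
  <Profile id="common">
    <select idref="sshd_disable_root_login" selected="true"/>
    <select idref="package_telnet_removed" selected="true"/>
    <select idref="enable_auditd" selected="true"/>
  </Profile>
  <Profile id="server" extends="common">
    <select idref="service_avahi_disabled" selected="true"/>
  </Profile>
  <Profile id="stig-rhel6-server" extends="common">
    <select idref="enable_auditd" selected="false"/>
    <select idref="set_password_min_length" selected="true"/>
  </Profile>
</Benchmark>
"""


def _profiles(root):
    """Map profile id -> <Profile> element, in document order."""
    return {p.get("id"): p for p in root.findall("x:Profile", NS)}


def resolve_selection(xccdf_text, profile_id):
    """Return the set of rule ids the profile selects, including rules
    inherited through `extends`. The chain is applied base-first so a child
    <select selected="false"/> removes a rule the parent selected."""
    root = ET.fromstring(xccdf_text)
    profiles = _profiles(root)
    chain, seen, pid = [], set(), profile_id
    while pid is not None:
        if pid not in profiles:
            # This is the "allrules" situation from the thread: no such profile.
            raise KeyError("profile %r not found in benchmark" % pid)
        if pid in seen:
            raise ValueError("cyclic extends chain at %r" % pid)
        seen.add(pid)
        chain.append(profiles[pid])
        pid = profiles[pid].get("extends")
    selected = set()
    for prof in reversed(chain):  # base profile first, children override
        for sel in prof.findall("x:select", NS):
            if sel.get("selected", "true").lower() == "true":
                selected.add(sel.get("idref"))
            else:
                selected.discard(sel.get("idref"))
    return selected


def raw_select_count(xccdf_text, profile_id):
    """What `grep "<select idref" | wc -l` on one profile measures: the
    profile's own <select> lines, ignoring extends and selected="false"."""
    root = ET.fromstring(xccdf_text)
    return len(_profiles(root)[profile_id].findall("x:select", NS))


def guide_commands(xccdf_text, xccdf_path="unlinked-rhel6-xccdf.xml"):
    """One per-profile `oscap xccdf generate guide` command line for every
    profile that exists, so no nonexistent profile name is relied on."""
    root = ET.fromstring(xccdf_text)
    return [
        "oscap xccdf generate guide --profile %s %s > %s-guide.html" % (pid, xccdf_path, pid)
        for pid in _profiles(root)
    ]


if __name__ == "__main__":
    for pid in ("test", "common", "server", "stig-rhel6-server"):
        rules = sorted(resolve_selection(SAMPLE_XCCDF, pid))
        print("%-18s raw selects=%d resolved=%d %s"
              % (pid, raw_select_count(SAMPLE_XCCDF, pid), len(rules), rules))
    print("\n".join(guide_commands(SAMPLE_XCCDF)))
```

For the sample, stig-rhel6-server has 2 `<select>` lines of its own and inherits 3 from common, yet resolves to 3 rules because it de-selects `enable_auditd`; adding the two grep counts together, as the thread does, overstates the selection. Feeding a profile id that does not exist raises `KeyError` rather than silently meaning "everything".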