OSCAP Profile Selection - Documentation

tech109 · January 30, 2024, 6:47pm

Referencing the following document:
https://docs.rockylinux.org/books/disa_stig/disa_stig_part2/

When the scan is generated using the following command, how did you determine to select “stig” as the --profile option? When I run the “info” command on the ssg-rl8-ds.xml file, “stig” is not listed under profiles.

“sudo oscap xccdf eval --report unit-test-disa-scan.html --profile stig /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml”

I tried the same command using a benchmark file from cyber.mil, and it failed unless I selected an actual profile listed within the xml file.

Thanks.

atomicturtle · January 30, 2024, 11:16pm

Youd look at the value after the profile section, so if you look at these

oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml

(trimmed for viewability)
Title: DISA STIG for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_stig
Title: DISA STIG with GUI for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_stig_gui

the part you cut off from that is following the profile_ in the Id: section, so the values are “stig” and “stig_gui” respectively. You should see a pretty big list of from info, if you arent you may have a bad /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml

system · March 30, 2024, 11:17pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.