Openscap 0.4.3-1 - How to create own Security Profile?

Hi Guys,

I created my own XCCDF file with scap-workbench, but I can't find an option
in the plugin to use it with Foreman/Katello. What is my mistake?

thanks,
Christian

Another question: is there a way to also use the RHSA stream (Metric/OVAL
XML file) for my CentOS servers, or is this also a limitation like
the Errata usage?
I tried to replace the platform and CPE string to centos in the XML, but it
seems it is not working because I got no failed reports; any feedback is more
than welcome…

Thanks,
Christian

In case someone is interested…

The Foreman interface accepts only datastreams; feature request on
scap-workbench: https://github.com/OpenSCAP/scap-workbench/issues/50
RHSA OVAL will not work on CentOS. I will not ask CentOS support, because
it will end up like our known issue for getting Errata…

Pulling up this old post, as I've run into the same wall it seems. It
doesn't seem like there's been much movement on this in the past 6 months.
Is there a good way to take an XCCDF and generate a datastream?

I have a similar issue, in that we'd love to use the OpenSCAP Plugin with
the DISA STIG for RHEL - even though we use Scientific, CentOS, and RHEL.
DISA publishes only the XCCDF file, (and please pardon my ignorance) but
it seems that the XCCDF alone is not sufficient to create the datastream.

On a side note, I concur that the oscap tool won't check an XCCDF against
another OS/Version combo, but DISA's scap tool seems to ignore those
details. Using it we're able to get a compliance report on Scientific
Linux 7 using the XCCDF for RHEL 6 (RHEL 7's is not finished yet).

We're using Puppet modules to apply the security policy remediation and
comply with the XCCDF content. Being able to run compliance reports from
within Foreman would be a nice-to-have feature; I'm just not sure how to
get there from here. Could we get a way to directly use an XCCDF file in
the future?

Thanks!

On Thursday, October 8, 2015 at 1:40:44 PM UTC-4, ehar...@gmail.com wrote:

Hey,
Found this: http://isimluk.livejournal.com/3660.html - hope this helps

On Thursday, May 12, 2016 at 8:41:13 PM UTC+3, Sean A wrote:

>
> Pulling up this old post, as I've run into the same wall it seems. It
> doesn't seem like there's been much movement on this in the past 6 months.
> Is there a good way to take an XCCDF and generate a datastream?
>

You need XCCDF and OVAL to generate a datastream. Check out
http://isimluk.livejournal.com/3660.html for a tutorial.

> I have a similar issue, in that we'd love to use the OpenSCAP Plugin with
> the DISA STIG for RHEL - even though we use Scientific, CentOS, and RHEL.
> DISA publishes only the XCCDF file, (and please pardon my ignorance) but
> it seems that the XCCDF alone is not sufficient to create the datastream.
>

That is correct. XCCDF is a hierarchy of rules, and each rule references a
check. These checks are usually written in OVAL. You need both XCCDF 1.2
and OVAL to generate a full source datastream.

> On a side note, I concur that the oscap tool won't check an XCCDF against
> another OS/Version combo, but DISA's scap tool seems to ignore those
> details. Using it we're able to get a compliance report on Scientific
> Linux 7 using the XCCDF for RHEL 6 (RHEL 7's is not finished yet).
>

This seems to be related to the CPE applicability check. Each NIST
certified SCAP scanner should check those. There are ways to change the
XCCDF benchmark to avoid the CPE checks but doing that is not recommended.
The benchmarks are developed with assumptions that may not hold true on
different platforms.

> We're using Puppet modules to apply the security policy remediation and
> comply with the XCCDF content. Being able to run compliance reports from
> within Foreman would be a nice to have feature, I'm just not sure how to
> get there from here. Could we get a way to directly use an XCCDF file in
> the future?
>

I think that would be a step back. Source DataStream or SDS is the latest
format. In my opinion it makes more sense to ask DISA to generate a
datastream instead.

On Thursday, May 12, 2016 at 1:41:13 PM UTC-4, Sean A wrote:
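Two points in the replies above (an XCCDF only becomes a datastream together with the OVAL checks its rules reference, and a certified scanner enforces the benchmark's CPE platform) suggest a pre-flight check before running `oscap ds sds-compose`: list each rule's OVAL reference, verify the referenced file sits beside the XCCDF, and show the declared platforms. The script below is an added example, not code from this thread or from the OpenSCAP project; the benchmark XML, rule ids and file name in it are constructed.

```python
# Pre-flight check before "oscap ds sds-compose": does every XCCDF rule point at an
# OVAL file that exists next to the benchmark, and which CPE platforms does the
# benchmark declare (the applicability check oscap enforces on other OS/version combos)?
import os
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed minimal XCCDF 1.2 benchmark for illustration (not DISA or SSG content).
SAMPLE_XCCDF = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_demo">
  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  <Rule id="xccdf_org.example_rule_sshd_permit_root" selected="true">
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_no_check" selected="true"/>
</Benchmark>
"""

def inspect_benchmark(xccdf_text, base_dir):
    """Return (platforms, rule_refs, missing) for an XCCDF 1.2 document.
    rule_refs maps rule id -> (oval href, definition name), or None when the rule
    carries no OVAL check; missing lists hrefs not found under base_dir."""
    root = ET.fromstring(xccdf_text)
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    rule_refs, missing = {}, []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        ref = None
        for check in rule.findall("x:check", NS):
            if check.get("system") != OVAL_SYSTEM:
                continue  # e.g. SCE or OCIL checks are not bundled as OVAL
            ccr = check.find("x:check-content-ref", NS)
            if ccr is not None:
                ref = (ccr.get("href"), ccr.get("name"))
                if not os.path.exists(os.path.join(base_dir, ref[0])):
                    missing.append(ref[0])
        rule_refs[rule.get("id")] = ref
    return platforms, rule_refs, missing

if __name__ == "__main__":
    platforms, refs, missing = inspect_benchmark(SAMPLE_XCCDF, ".")
    print("declared platforms:", platforms)
    for rid, ref in refs.items():
        print(rid, "->", ref or "NO OVAL CHECK (nothing for sds-compose to bundle)")
    print("OVAL files missing beside the benchmark:", missing)
    # Once nothing is missing, build the datastream with:
    #   oscap ds sds-compose benchmark-xccdf.xml benchmark-ds.xml
```

A rule without an OVAL reference will be carried into the datastream but can only report "notchecked", so the list of such rules is worth reviewing before uploading the result to Foreman.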