mpreisler
commented
8 years ago This looks like a regression either in SSG or in OpenSCAP, we should look into this for the 1.2.13 release IMO.
Closed jan-cerny closed 7 years ago
mpreisler
commented
8 years ago This looks like a regression either in SSG or in OpenSCAP, we should look into this for the 1.2.13 release IMO.
mpreisler
commented
7 years ago SSG started using multple different DISA STIG ID URLs:
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
<reference href="http://iase.disa.mil/stigs/srgs/Pages/index.aspx">SRG-OS-000480-GPOS-00227</reference>
<reference href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021250</reference>The code in HTML report assumes only one of them is used in the entire SCAP content. See:
<xsl:when test="starts-with($href, 'http://iase.disa.mil/')">
<xsl:text>DISA ID</xsl:text>
</xsl:when>I'd say the SSG usage is correct and we should fix the HTML report.
Not sure whether we should group them together or display something like "DISA ID (CCI)", "DISA ID (SRG)". Thoughts?
shawndwells
commented
7 years ago They're all valid identifiers. Perhaps we can update the xsl:when test?
e.g.
http://iase.disa.mil/stigs/cci/Pages/index.aspx --> DISA CCIhttp://iase.disa.mil/stigs/srgs/Pages/index.aspx --> DISA OS SRGhttp://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx --> DISA RHEL7 STIG IDshawndwells
commented
7 years ago (this is the same as https://github.com/OpenSCAP/openscap/issues/621, closing that ticket)
mpreisler
commented
7 years ago Makes sense to me, I will call the last ID DISA STIG ID to avoid being OS specific.
I have scanned a Fedora 25 Server system using OpenSCAP 1.2.12 with SCAP Security Guide 0.1.30 for Fedora (common profile} and I have downloaded and displayed the HTML report of the scan in Firefox.
The problem is that in "Group rules by:" menu i can see "DISA ID" twice.
I have run the scan using this command:
The results and report are attached. attach.tar.gz