Customizing OpenSCAP Policy

Objectives

  • Create a tailoring file to adjust the policy's security checks so that they are relevant and correct for a specific system and its use case.

Customizing a SCAP Security Guide Profile

The SCAP Security Guide provides profiles for verifying system compliance against standards that are established by governmental or other organizations. For example, the PCI-DSS profile tests compliance against the rules mandated by the Payment Card Industry Security Standards Council.

However, in the real world, situations vary. Most profiles in the SCAP Security Guide are meant as a catalog, not a checklist, and satisfying every item might not be sensible or even possible in many operational scenarios.

Your organization, auditors, or other stakeholders might not require your systems to comply with every item that is specified in a particular profile. Instead, you might be required to comply with a specific subset of the profile. Some rules might not apply in your environment, and other rules that are not in the profile might be required. You might also need to increase or decrease the values that are used for certain checks; for example, the maximum password age or the minimum password length that are permitted.

With the SCAP Workbench utility, you can create custom profiles. As a starting point, select an existing profile that you adjust by selecting and clearing compliance rules. Then, save your new profile in an XML tailoring file that you can copy to the systems to scan.

Creating a Tailoring File

Run the scap-workbench command to start SCAP Workbench and to create your profile customization. You can use the SCAP Workbench tool on your local workstation and copy the resulting XML tailoring file to the systems that you want to scan.

From the main SCAP Workbench window, select the profile on which you want to base your customization and then click Customize.

Figure 9.7: Main SCAP Workbench window

Next, give your new profile an identifier. You must use a particular format for the identifier. The Customize Profile dialog provides guidance for creating correctly formatted identifiers.

Figure 9.8: Creating a custom profile identifier

In the customization window, select the rules to use for your customized profile. The rules that are already selected come from the profile that you initially chose.

In the left pane, you can make the following adjustments:

  • Select or clear rules

  • Adjust parameters for some of these rules

The following image highlights the rule selection. Inspect the information that is provided in the right pane: Selected Item Properties, Description, Security Identifiers, and Depends on Values. These values represent information that is related to the specific rule that is selected.

Figure 9.9: Policy customization rule selection

The following image highlights a parameter value that is associated with the selected rule. Inspect the information that is provided in the right pane. In the Modify Value section, you can change the value of the highlighted parameter.

Figure 9.10: Policy customization parameter selection

In the previous image, the Set Existing Passwords Maximum Age rule is selected. You can customize this rule by modifying the maximum password age setting. In this example, the maximum age for a password is set to 60 days.

When done, click OK to return to the main window. Click File > Save Customization Only to save your customization file.

Scanning a System by Using a Custom Profile

Before you scan a system with your tailoring file, you must perform the following actions:

  • Copy the XML tailoring file to the target system.

  • Record the custom profile identifier that you defined when you created the tailoring file. You can use the oscap info command on the XML tailoring file to retrieve that identifier.

  • Make sure that the openscap-scanner and scap-security-guide packages are installed on the target system.

To scan the system with your tailoring file, run the oscap xccdf eval command as usual, and use the correct data stream file. Use the --tailoring-file option to specify your tailoring file. The --profile option must specify the identifier of your custom profile.

[root@host ~]# oscap xccdf eval \
    --profile custom_profile_ID \
    --tailoring-file tailoring_file.xml \
    --results result_file.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
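As an added example that is not part of the course material, the following Python helper inspects a tailoring file before the scan: it recovers the custom profile identifier to pass to --profile, lists the rules that were selected or cleared, and shows value overrides such as the 60-day maximum password age. The embedded tailoring document is constructed in the layout that SCAP Workbench writes, and its rule and value identifiers are illustrative, not taken from the SCAP Security Guide.

```python
"""Inspect an XCCDF tailoring file before passing it to oscap xccdf eval."""
import re
import xml.etree.ElementTree as ET
# Constructed sample in the layout SCAP Workbench writes; rule and value ids are illustrative.
SAMPLE_TAILORING = """<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_scap-workbench_tailoring_default">
  <xccdf-1.2:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml"/>
  <xccdf-1.2:Profile id="xccdf_com.example_profile_pci-dss_customized"
      extends="xccdf_org.ssgproject.content_profile_pci-dss">
    <xccdf-1.2:title override="true">PCI-DSS [CUSTOMIZED]</xccdf-1.2:title>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_example_dropped" selected="false"/>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_example_added" selected="true"/>
    <xccdf-1.2:set-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs">60</xccdf-1.2:set-value>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>
"""

# XCCDF 1.2 identifier convention: xccdf_<reverse-DNS namespace>_profile_<name>
PROFILE_ID_RE = re.compile(r"^xccdf_[^_]+_profile_.+$")

def _local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 documents are handled alike."""
    return tag.rsplit("}", 1)[-1]

def parse_tailoring(xml_text):
    """Summarise each Profile: id, base profile, rule selections and value overrides."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Tailoring":
        raise ValueError("not an XCCDF Tailoring document")
    profiles = []
    for prof in (e for e in root.iter() if _local(e.tag) == "Profile"):
        info = {"id": prof.get("id"), "extends": prof.get("extends"),
                "selected": [], "deselected": [], "values": {}}
        for child in prof:
            if _local(child.tag) == "select":
                key = "selected" if child.get("selected") == "true" else "deselected"
                info[key].append(child.get("idref"))
            elif _local(child.tag) == "set-value":
                info["values"][child.get("idref")] = (child.text or "").strip()
        profiles.append(info)
    return profiles

def check_profile_id(profile_id):
    """True when the identifier follows the convention that --profile expects."""
    return bool(PROFILE_ID_RE.match(profile_id))

def oscap_command(profile_id, tailoring_path, datastream, results="result_file.xml"):
    # Same options as the oscap xccdf eval command shown above, as an argv list.
    return ["oscap", "xccdf", "eval", "--profile", profile_id, "--tailoring-file",
            tailoring_path, "--results", results, datastream]
```

Running parse_tailoring on the real tailoring file is a quick way to confirm the identifier and the 60-day override before copying the file to the target systems.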

References

For more information, refer to the Customizing a Security Profile with SCAP Workbench section in the Scanning the System for Configuration Compliance and Vulnerabilities chapter in the Security Hardening guide at https://access.redhat.com/documentation/es-es/red_hat_enterprise_linux/9/html-single/security_hardening/index#customizing-a-security-profile-with-scap-workbench_scanning-the-system-with-a-customized-profile-using-scap-workbench

Revision: rh415-9.2-a821299