Adding new or modifying rules in Security Content Automation Protocol (SCAP) Security Guide (SSG)

Deorali
Hi Experts,

I am investigating SCAP to automate security checks for Red Hat. I am using SCAP Workbench to perform configuration and vulnerability scans on the systems. The selected Security Profile does not meet my requirements. I need to either add new rules or modify the existing rules in the profile. I have not been able to figure out how to do that locally.

Please let me know if this is possible.

btan, Exec Consultant
Distinguished Expert 2018

You probably can take a look at this, but do note that WB only supports opening XCCDF, Source DataStream, SCAP RPM files or their bzip2 variants.

... and there are also other templates compliant to the standard (esp. for audit checks) and from the community:
USGCB for RHEL5 - XCCDF and OVAL, only suitable for RHEL5.
SCE Community Content - Uses SCE, only suitable for Fedora.

But I understand there are limitations or future plans for WB, e.g.:
Future plans
Proper tailoring

Currently, SCAP Workbench doesn’t follow the specification when it comes to XCCDF profile tailoring. It changes profiles directly instead of tailoring them even though the feature is called Tailoring in the tool. The new workbench will work with tailoring files and will correctly inherit the profile to tailor it.
This has been enabled by improvements in openscap that allows profile inheritance and name shadowing.

Hence, if you find the limited tailoring as posted in the first linked guide is lacking, then it means getting really hands-on and producing your own XCCDF using the OpenSCAP toolkit (or the openscap-utils package specifically), then creating the SCAP content (XCCDF benchmark) based on the OVAL language to execute the scan checks. WB is a sort of GUI OVAL interpreter that can still take XCCDF, and there is also oscap, which is more console based, to run the XCCDF policies. You can check out this example for the hands-on.


There is not much documentation available as to how to create your own SCAP content. The profiles / templates available do not fully meet my needs. I need to either add new rules or modify the existing rules. If anyone here knows how to do it and has done it before, please, I need your help.

btan, Exec Consultant
Distinguished Expert 2018

The SCAP Workbench has customised profiles, so if you mean those are not able to meet your needs, then this requires actually changing the XCCDF rule in the XML itself, as in the last link shared in the previous post. You mean even customisation does not fit your use case.. it will help if you can share more specifics on the use case.


That's correct, btan.

Say, for example, DOD's STIG RHEL6 profile uses McAfee as the antivirus software and I use ClamAV. I need to be able to change this rule to use ClamAV. This is just one case, but I have lots more.

btan, Exec Consultant
Distinguished Expert 2018
Looks non-trivial. I suggest that you see this workshop PDF, which states the requirements and guidance under the "CONTENT CUSTOMIZATION" section:

Using the template above, create a rule which:
1. Has an XCCDF rule id of "package_scap-security-guide_installed" with a severity of "high"
2. Has a human readable title of "Install SCAP Security Guide"
3. Outlines a method to install SSG. For example, "yum install scap-security-guide"
4. States that "if SCAP Security Guide is not installed" this is a finding
5. Includes the proper package name, scap-security-guide, in the package check macro
6. Includes a rationale on why the SSG project is awesome, and should be installed
7. Corresponds to a (currently non-existent) OVAL rule named "package_scap-security-guide_installed"

Through this workshop we've made several modifications to the SSG source code. Specifically:
1. Creation of a new XCCDF rule, package_scap-security-guide_installed, which was placed into RHEL6/input/system/software/integrity.xml.
2. Creation of a new OVAL rule, package_scap-security-guide_installed.xml, which also involved updating the OVAL template file RHEL6/input/checks/templates/packages_installed.csv.
3. Modification of the STIG profile, located at RHEL6/input/profiles/stig-rhel6-server.xml.

SCAP Security Guide provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation.
It also shares the online Guide to the Secure Configuration of Red Hat Enterprise Linux 6, which includes the example you stated (under "CCE-27529-7").

I suggest instead joining their mailing list and seeking help from their community of developers. Pardon me, as I am not into depth for such customisation.
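As an added illustration (not taken from the workshop PDF or the SSG project), the three modifications listed in the workshop summary above, written out in the SSG RHEL6 source layout of that era. The shorthand element and macro names (`<oval id>`, `package-install-macro`, `package-check-macro`, the `clause` attribute) are assumed to match the SSG XCCDF shorthand that the build expanded into full XCCDF; verify them against the templates in your checkout.

```xml
<!-- 1. RHEL6/input/system/software/integrity.xml
        New XCCDF rule in SSG shorthand (element and macro names assumed). -->
<Rule id="package_scap-security-guide_installed" severity="high">
  <title>Install SCAP Security Guide</title>
  <description>
    <!-- Expands to install guidance: "yum install scap-security-guide" -->
    <package-install-macro package="scap-security-guide" />
  </description>
  <ocil clause="SCAP Security Guide is not installed">
    <!-- Expands to the manual rpm -q check; the clause text becomes
         "If SCAP Security Guide is not installed, this is a finding." -->
    <package-check-macro package="scap-security-guide" />
  </ocil>
  <rationale>
    Installing SSG keeps the hardening checks and remediations used for
    certification available locally, so configuration drift from the
    accredited baseline can be detected with the same content that defined it.
  </rationale>
  <!-- Reference to the OVAL definition generated from the template below -->
  <oval id="package_scap-security-guide_installed" />
</Rule>

<!-- 2. RHEL6/input/checks/templates/packages_installed.csv
        One package name per line; the template build generates
        RHEL6/input/checks/package_scap-security-guide_installed.xml from it.
        The new line is simply:
        scap-security-guide -->

<!-- 3. RHEL6/input/profiles/stig-rhel6-server.xml
        Enable the rule in the STIG profile by adding a select element. -->
<Profile id="stig-rhel6-server">
  <!-- ... existing title, description and selections ... -->
  <select idref="package_scap-security-guide_installed" selected="true" />
</Profile>
```

After rebuilding the RHEL6 content, the new rule appears in the STIG profile output and can be scanned with oscap or loaded into SCAP Workbench like any other rule; the same three steps (rule, OVAL template entry, profile select) are what a ClamAV-in-place-of-McAfee rule would need.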
