4

I've downloaded the DISA_STIG for Windows 7 from https://www.stigviewer.com/stig/windows_7/ (XML version) and tried to evaluate my desktop with OSCAP 1.3.0 for windows, with the command:

oscap xccdf eval --profile MAC-3_Public --results windows7.html disa-stig-windows7.xml

The OSCAP tool didn't complain about the file, but all checks returned the result notchecked with the warning:

Skipping rule that requires an unregistered check system or incorrect content reference to evaluate. Please consider providing a valid SCAP/OVAL instead of _chk` (where check_name is the name of the check within the xccdf file)

What should I do in order to run a successful evaluation?

alecxe
  • 71
  • 1
  • 2
  • 16
Zottmann
  • 41
  • 2

1 Answers1

1

the XML provided in the reference doesn't contain automated checks (e.g.: OVAL), it seems there are only manual checks. Looking at system attributes of check elements, I noted something strange, it seems to be defining an ID for the check, instead of defining the checking system to use, as every rule has a different checking system.

What you need is a benchmark with automated checks.

Yuuma
  • 36
  • 2
  • Hi! Thanks for your input! I´m new to SCAP, so I would have never noticed the "system" attributes. Do you know any other source of Windows 7 checklists? Aside from this one that I´ve mentioned in my original question I´ve only found references to checklists at NIST´s Computer Security Resource Center (CSRC - https://csrc.nist.gov) but they are currently not available due to the lapse in government funding (as shown in https://csrc.nist.gov/CSRC/media/Projects/United-States-Government-Configuration-Baseline/data/content/scap/oval510/Win7-2.0.5.1.zip). – Zottmann Jan 02 '19 at 15:49