Classification: UNCLASSIFIED
Caveats: NONE
I remember that there were issues with the SSG content and RHEL6 (due to SCC
not supporting a sufficient version of...XCCDF? SCAP?). But previously, I
could still use SCC with the SSG content; it would just generate a few more
false positives than using OpenSCAP. Admittedly, it has been a while since
I tried.
Now, when trying SCC 3.1.2, I can't make it run at all. After importing the
zip file (generated from git) and selecting the stig-rhel6-server-upstream
profile, a scan finishes almost immediately with:
The SCAP content stream <ssg-rhel6-> is not applicable to this
platform per the CPE definitions
I've tried on both RHEL6 Workstation and Server, and I've also tried
stripping the <platform> information from the XML files.
I'm attempting this for two reasons, as otherwise I'm perfectly happy
scanning with OpenSCAP. SCC has the ability to run a check on a single rule
at a time, which is useful. Also, I have an inspection soon, and they may
want me to use it.
--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CIO, Unix Support
Classification: UNCLASSIFIED
Caveats: NONE