I am quite new to this. I am trying to figure out how things work and how to use compliance as code. I am interested in STIG compliance.
As recommended, I ran the script called "create_stig_overlay.py". It created a new stig_overly.xml file. The file is interesting as it provides the link between STIG rules and complianceascode rules. Is it correct?
I noticed the script creates a one-to-one relation between rules in STIG and rules in compliance as code.
For instance, the first STIG rule: "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."
It mentions ownership and permission. The STIG profile in complianceascode has both rpm_verify_ownership and rpm_verify_permissions.
But the created overlay only maps to one of those rules... and not always the same one for the STIG rule above.
So my question: is this intended or is there an issue here? Or maybe I missed something else?
If you have any comments to help me progress, I will be grateful.