List: scap-security-guide
Subject: Re: EXTERNAL: Re: RHEL 7 Draft STIG release
From: "Albrecht, Thomas C" <thomas.c.albrecht () lmco ! com>
Date: 2016-01-27 23:59:03
Message-ID: 2ECA1537-E92A-4AF1-A834-70702895EA3A () lmco ! com
I've started doing my own work on this for my program, so I'd love to be involved in the work delegation.
Thanks!
Sent from my iPhone
> On Jan 27, 2016, at 6:55 PM, Shawn Wells <swells@redhat.com> wrote:
>
>
>
> > On 1/27/16 2:40 PM, Crawford, Nicholas P CTR USARMY RDECOM CERDEC (US) wrote:
> >
> > FYI,
> >
> > In case any interested parties missed it during the inclement weather event, DISA has released the Draft STIG for RHEL 7 on 21 Jan. The comment period is open until 12 Feb.
> > http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
>
> To ease reading, I converted their XML to HTML:
> http://people.redhat.com/swells/U_Red_Hat_Enterprise_Linux_7_V1R0-1_Manual_STIG/html_edition.html
>
> There's a high chance members of the OpenSCAP community will click that link and have a serious case of "WTF is this?"
> The RHEL7 STIG and USGCB baselines are to be based on the ~20 configuration requirements from "Management of Security Functions Behavior" in the NIAP Operating System Protection Profile: https://www.niap-ccevs.org/pp/pp_os_v4.0.htm#fmt
>
> Those controls are being implemented in the OSPP profile:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/ospp-rhel7-server.xml
>
> Prior to the formal recognition/issuance of a STIG or USGCB, a vendor must complete their Common Criteria Certification. RHEL7 began that process in June 2014 [0] and is expected to finish shortly.
> In preparation for completion of Common Criteria, we sent our configuration guide (derived from SSG's OSPP profile) to NIST and DISA FSO. Akin to RHEL6, the arrangement was to use SCAP Security Guide as the upstream for the STIGs.
> You can imagine the surprise when FSO published their draft STIG, which seems to include the 129 configuration checks from our OSPP profile, but also tacks on 279 net-new controls.
> DISA FSO has been a cooperative partner in opening the STIG process, and establishing open source principles for STIG development. We're working with them to see why their draft STIG varies so dramatically from the content that was submitted to them.
> In the meantime, it's incredibly important to start reviews of the DISA draft STIG. This is an opportunity for you to express that you want DISA to keep using open source developed content, and also to directly address the random 279 new rules that mysteriously were dropped in. Some are just blatantly wrong, and appear to be copy/pasted from RHEL5 content!
> To facilitate comments, I've shared an edition of the DISA FSO comment matrix:
> http://bit.ly/1QtvF6v
>
> This will become Red Hat's formal feedback to DISA FSO on their draft. If we all work on a single feedback form, submitted independently through our own companies, our independent voices for change would be greatly amplified.
> There are ~400 controls in DISA's draft. Perhaps we could segment this up, and take ownership of small chunks? This would ensure the OpenSCAP community is able to provide feedback by the 12-FEB deadline. Once we're done with smaller sections, we could review as a whole in a week or two. Would anyone be up for this?
> -Shawn
>
>
> [0] https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-7-evaluation-common-criteria-certification
>
> --
> SCAP Security Guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorahosted.org
> https://github.com/OpenSCAP/scap-security-guide/