
List:       scap-security-guide
Subject:    Re: EXTERNAL: Re: RHEL 7 Draft STIG release
From:       "Albrecht, Thomas C" <thomas.c.albrecht () lmco ! com>
Date:       2016-01-27 23:59:03
Message-ID: 2ECA1537-E92A-4AF1-A834-70702895EA3A () lmco ! com

I've started doing my own work on this for my program, so I'd love to be involved in the work delegation.

Thanks!

Sent from my iPhone

> On Jan 27, 2016, at 6:55 PM, Shawn Wells <swells@redhat.com> wrote:
> 
> 
> 
> > On 1/27/16 2:40 PM, Crawford, Nicholas P CTR USARMY RDECOM CERDEC (US) wrote:
> > 
> > FYI,
> > 
> > In case any interested parties missed it during the inclement weather event, DISA has released the Draft STIG for RHEL 7 on 21 Jan. The comment period is open until 12 Feb.
> > http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
> 
> To ease reading, I converted their XML to HTML:
> http://people.redhat.com/swells/U_Red_Hat_Enterprise_Linux_7_V1R0-1_Manual_STIG/html_edition.html
>
> There's a high chance members of the OpenSCAP community will click that link and have a serious case of "WTF is this?"
> The RHEL7 STIG and USGCB baselines are to be based on the ~20 configuration requirements from "Management of Security Functions Behavior" in the NIAP Operating System Protection Profile: https://www.niap-ccevs.org/pp/pp_os_v4.0.htm#fmt
> 
> Those controls are being implemented in the OSPP profile:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/ospp-rhel7-server.xml
>  
> Prior to the formal recognition/issuance of a STIG or USGCB, a vendor must complete their Common Criteria Certification. RHEL7 began that process in June 2014 [0] and is expected to finish shortly.
> In preparation for completion of Common Criteria, we sent our configuration guide (derived from SSG's OSPP profile) to NIST and DISA FSO. Akin to RHEL6, the arrangement was to use SCAP Security Guide as the upstream for the STIGs.
> You can imagine the surprise when FSO published their draft STIG, which seems to include the 129 configuration checks from our OSPP profile, but also tacks on 279 net-new controls.
> DISA FSO has been a cooperative partner in opening the STIG process, and establishing open source principles for STIG development. We're working with them to see why their draft STIG varies so dramatically from the content that was submitted to them.
> In the meantime, it's incredibly important to start reviews of the DISA draft STIG. This is an opportunity for you to express that you want DISA to keep using open source developed content, and also to directly address the random 279 new rules that mysteriously were dropped in. Some are just blatantly wrong, and appear to be copy/pasted from RHEL5 content!
> To facilitate comments, I've shared an edition of the DISA FSO comment matrix:
> http://bit.ly/1QtvF6v
>
> This will become Red Hat's formal feedback to DISA FSO on their draft. If we all work on a single feedback form, submitted independently through our own companies, our independent voices for change would be greatly amplified.
> There are ~400 controls in DISA's draft. Perhaps we could segment this up, and take ownership of small chunks? This would ensure the OpenSCAP community is able to provide feedback by the 12-FEB deadline. Once we're done with smaller sections, we could review as a whole in a week or two. Would anyone be up for this?
> -Shawn
>
>
> [0] https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-7-evaluation-common-criteria-certification
>
> --
> SCAP Security Guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorahosted.org
>  https://github.com/OpenSCAP/scap-security-guide/