
List:       scap-security-guide
Subject:    Re: RHEL 7 Draft STIG release
From:       Michael Wahren <mwahren () redhat ! com>
Date:       2016-01-28 3:55:03
Message-ID: -4830776236991994620 () unknownmsgid


Great Stuff mate!

Sent from Mick on the move

On 28 Jan 2016, at 09:55, Shawn Wells <swells@redhat.com> wrote:



On 1/27/16 2:40 PM, Crawford, Nicholas P CTR USARMY RDECOM CERDEC (US)
wrote:


FYI,


In case any interested parties missed it during the inclement weather
event, DISA has released the Draft STIG for RHEL 7 on 21 Jan.  The comment
period is open until 12 Feb.


http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx



To ease reading, I converted their XML to HTML:
http://people.redhat.com/swells/U_Red_Hat_Enterprise_Linux_7_V1R0-1_Manual_STIG/html_edition.html

There's a high chance members of the OpenSCAP community will click that
link and have a serious case of "WTF is this?"

The RHEL7 STIG and USGCB baselines are to be based on the ~20 configuration
requirements from "Management of Security Functions Behavior" in the NIAP
Operating System Protection Profile:
https://www.niap-ccevs.org/pp/pp_os_v4.0.htm#fmt

Those controls are being implemented in the OSPP profile:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/ospp-rhel7-server.xml

Prior to the formal recognition/issuance of a STIG or USGCB, a vendor must
complete their Common Criteria Certification. RHEL7 began that process in
June 2014 [0] and is expected to finish shortly.

In preparation for completion of Common Criteria, we sent our configuration
guide (derived from SSG's OSPP profile) to NIST and DISA FSO. Akin to
RHEL6, the arrangement was to use SCAP Security Guide as the upstream for
the STIGs.

You can imagine the surprise when FSO published their draft STIG, which
seems to include the 129 configuration checks from our OSPP profile, but
also tacks on 279 net-new controls.

DISA FSO has been a cooperative partner in opening the STIG process, and
establishing open source principles for STIG development. We're working
with them to see why their draft STIG varies so dramatically from the
content that was submitted to them.

In the meantime, it's incredibly important to start reviews of the DISA
draft STIG. This is an opportunity for you to express that you want DISA to
keep using open source developed content, and also to directly address the
random 279 new rules that mysteriously were dropped in. Some are just
blatantly wrong, and appear to be copy/pasted from RHEL5 content!

To facilitate comments, I've shared an edition of the DISA FSO comment
matrix:
http://bit.ly/1QtvF6v

This will become Red Hat's formal feedback to DISA FSO on their draft. If
we all work on a single feedback form, submitted independently through our
own companies, our independent voices for change would be greatly amplified.

There are ~400 controls in DISA's draft. Perhaps we could segment this up,
and take ownership of small chunks? This would ensure the OpenSCAP
community is able to provide feedback by the 12-FEB deadline. Once we're
done with smaller sections, we could review as a whole in a week or two.
Would anyone be up for this?

-Shawn


[0]
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-7-evaluation-common-criteria-certification
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorahosted.org
https://github.com/OpenSCAP/scap-security-guide/
