Hi.. was reading your post.  One of the questions I pondered was whether or not 
you would use the same approach on your classified systems, or would you 
restrict your philosophy to just the unclassed world?  I'm soooo trying to find 
something that will work across both.

Margaret M. Sanders
ISSO/ATA
Southwest Research Institute


From: [email protected] 
[mailto:[email protected]] On Behalf Of Burns, 
Robert K (US SSA)
Sent: Tuesday, February 25, 2014 5:57 PM
To: SCAP Security Guide
Subject: RE: SSG for RHEL 6 (UNCLASSIFIED)

I’m currently the Navy Validator on a large system accreditation.  We have 3 
RHEL 6 instances in our system.

We are using the RHEL 6 SCAP tool as an aid in our testing.  We run it first 
and then import the results into the DISA STIG viewer.  We then complete the 
process manually.  Thus the SCAP tool is really just an aid to the manual 
process.  I have spot verified the SCAP tool to convince myself as the 
validator that it is a reasonable tool for this use.  Actually, this is the 
process for any SCAP tool because as I understand it, no SCAP completely covers 
a STIG and some manual steps must be done to complete a STIG test.

Bottom line from my reporting standpoint, we completed the STIG manually with 
some support from scripts, in the case of RHEL 6 it’s provided by RH and not 
DISA.

This is exactly the same tack we take with our Solaris 10/11 instances.  We 
have SCAP for Solaris 10 from DISA which covers some STIG checks, we have our 
own in-house scripts which cover more STIG checks that the SCAP tool does not 
cover, and we have some manual checks.  There is no SCAP tool for Solaris 11 so 
we have built our own scripts to do that checking.  But again, bottom line, 
these are manual STIG checks with scripts that automate some of it.

So it does not bother me that it's not "official" from DISA as long as I think 
the scripts are valid and accurate.  It would bother me if I could not get 
these from Red Hat though.

Regards,

Robert Burns
Fully Qualified Navy Validator (FQNV) #I0225
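
The process described in the message above (run the SCAP tool, hand its XCCDF 
results to the STIG viewer, then finish the checks the automation did not 
decide by hand) as an added shell example. This is not code from the thread or 
from the SSG project. It assumes the content path and STIG profile id of the 
EPEL scap-security-guide package of that era (check yours with `oscap info`), 
and the results file it tallies is a constructed sample in the shape oscap 
writes, not a real scan.

```shell
#!/bin/sh
# Added example, not from the thread or the SSG project: run the SSG RHEL 6 STIG
# profile with the oscap interpreter shipped in RHEL, then tally the XCCDF
# results so the rules the automation did not decide (notchecked, informational)
# are listed for the manual part of the STIG walk-through.
# Assumed values (verify with `oscap info "$SSG_XCCDF"` on your own content):
SSG_XCCDF=${SSG_XCCDF:-/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml}
SSG_PROFILE=${SSG_PROFILE:-xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream}

# ssg_scan RESULTS.xml REPORT.html
# --results is the XCCDF TestResult to import into the STIG viewer; --report is a
# human-readable HTML copy. oscap exits 0 when every selected rule passes,
# 2 when at least one rule fails, and 1 only on an evaluation error.
ssg_scan() {
    oscap xccdf eval --profile "$SSG_PROFILE" \
        --results "$1" --report "$2" "$SSG_XCCDF"
}

# rules_with_result RESULTS.xml STATUS
# Prints the idref of every <rule-result> whose <result> equals STATUS, one per
# line. <result> only occurs inside <rule-result> in XCCDF, so a two-state awk
# scan is enough; no XML parser is needed on a minimal RHEL box.
rules_with_result() {
    awk -v want="$2" '
        /<rule-result[ >]/ { id = $0; sub(/.*idref="/, "", id); sub(/".*/, "", id) }
        /<result>/         { r = $0; sub(/.*<result>/, "", r); sub(/<\/result>.*/, "", r)
                             if (r == want) print id }
    ' "$1"
}

# count_result RESULTS.xml STATUS -> number of rules with that result
count_result() {
    rules_with_result "$1" "$2" | awk 'END { print NR }'
}

# summarize RESULTS.xml -> per-status counts, then the rules left for manual checking
summarize() {
    for s in pass fail error unknown notapplicable notchecked notselected informational fixed; do
        printf '%-14s %s\n' "$s" "$(count_result "$1" "$s")"
    done
    echo "Rules the scan did not decide (finish these by hand):"
    rules_with_result "$1" notchecked
    rules_with_result "$1" informational
}

# Constructed sample in the shape oscap writes (not a real scan result).
write_sample_results() {
    cat > "$1" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" severity="medium">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_installed_OS_is_certified" severity="high">
    <result>informational</result>
  </rule-result>
</TestResult>
EOF
}

# Usage: sh ssg-stig-tally.sh scan   -> real scan, then tally ssg-results.xml
#        sh ssg-stig-tally.sh        -> tally the constructed sample only
if [ "${1:-}" = "scan" ]; then
    ssg_scan ssg-results.xml ssg-report.html || [ $? -eq 2 ]
    summarize ssg-results.xml
else
    sample=$(mktemp)
    write_sample_results "$sample"
    summarize "$sample"
    rm -f "$sample"
fi
```

The tally is the useful part for the validator's workflow: "fail" rows are 
findings, while "notchecked" and "informational" rows are exactly the rules 
that still have to be walked through manually in the STIG viewer after the 
results file is imported.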

From: [email protected] 
[mailto:[email protected]] On Behalf Of Shawn Wells
Sent: Tuesday, February 25, 2014 2:47 PM
To: [email protected]
Subject: Re: SSG for RHEL 6 (UNCLASSIFIED)

On 2/25/14, 3:44 PM, Bailey, Christopher D CTR USARMY AMRDEC (US) wrote:

Does anyone know if there's been an official approval from DISA for the use of 
SSG content and the openSCAP utility on RHEL 6 systems for providing official 
vulnerability reports to IA inspectors?  Our local IA folks tell us that SCC is 
the only DISA approved/provided product that we can use for scanning our 
systems and providing scan results to IA for inspection and analysis.  However, 
SCC only provides content up to RHEL 5, which is of no help with RHEL 6.  We 
have our own homemade script for scanning, but that's only good for in-house 
use.  We need something for producing official SCAP formatted vulnerability 
reports.  We believe our best option for automated scanning is the openSCAP 
tool with SSG content, which is what we want to use, but there doesn't seem to 
be any official acceptance for its use.

Basically, my IA folks want to see something in writing from DISA that says 
they officially approve the use of SSG content and the openSCAP tool for 
proving IA compliance on RHEL 6 systems.  I know that the DISA FSO is working 
closely with Red Hat on SSG, but I can't find anything like an official release 
from DISA.

Short answer: You won't find anything official yet.

Long answer:
NSA IAD delegates responsibility for DoD STIG work to DISA FSO. Ultimately DISA 
FSO is the authoritative repo for STIGs. However, it's important to note that 
the STIGs are DISA FSO's selection of NIST 800-53 controls aligned with refine 
values (e.g. password lengths). The STIG itself is now expressed in XCCDF, aka 
it's just a policy document. Programs have independence on how to meet this 
policy, and C&A shops have free rein on how to verify compliance.

SSG was formed to fuse policy (XCCDF) with automation (OVAL) development. DISA 
FSO calls out that SSG is the policy upstream in Section 1.1 of the STIG 
Overview [1], which reads:
"The consensus content was developed using an open-source project called SCAP 
Security Guide. The project's website is 
https://fedorahosted.org/scap-security-guide/. Except for differences in 
formatting to accommodate the DISA STIG publishing process, the content of the 
RHEL6 STIG should mirror the SCAP Security Guide content with only minor 
divergence as updates from multiple sources work through the consensus 
process."
Because of this upstream nature, many DAAs and C&A teams allow the direct usage 
of SSG to ensure they're receiving the latest in policy and automation content.

Anyway, your direct questions:

(1) OpenSCAP vs SPAWAR SCC vs other SCAP interpreters
NIST maintains the official U.S. Government listing of validated SCAP scanners 
(for all operating systems). Today there are no certified SCAP scanners for 
RHEL6. Nothing. Period. List online @ http://nvd.nist.gov/scapproducts.cfm.

On March 13, 2013, Red Hat publicly disclosed that OpenSCAP was undergoing the 
SCAP 1.2 certification process. I can't immediately find public information on 
our status, however those who can comment lurk on the list (Grubb, Jan, Peter, 
etc). The original PR @
http://www.redhat.com/about/news/archive/2013/3/red-hat-openscap-under-evaluation-to-meet-scap-1-2-nist-standard

Because OpenSCAP is shipped within RHEL (thus supported directly by Red Hat), 
and we're undergoing SCAP 1.2 certification work, most DAA/C&A shops allow its 
use.

SSG also enjoys a great relationship with Jack Vander Pol, Doug Tanner, and 
all the SPAWAR SCC guys. I'm currently testing their SCC 3.1.2 RC2 release. 
Note, however, SPAWAR SCC has never been evaluated by NIST as a Linux SCAP 
scanner. While not NIST evaluated, SPAWAR does provide (in house) support for 
RHEL5 and 6. You can review their NIST evaluation @ 
http://nvd.nist.gov/validation_spawar.cfm.


(2) Formal status of SSG
- As mentioned above, SSG serves as the upstream for DISA FSO content. FSO is 
currently working through independent testing of SSG OVAL content. Once 
complete, FSO will publish to their website. They've no current estimated 
completion date. Would suggest you ping them directly to show customer demand:
[email protected]

- NSA IAD is also using SSG to publish their SNAC guide. Jeff Blank & I chatted 
on the phone this afternoon about just this.... he promised a direct response 
to the list later today/tomorrow. In short, Jeff's been very public that the 
RHEL6 SNAC Guide will be directly derived from SSG.

- Red Hat plans to upgrade SSG from EPEL and ship directly within RHEL 6.6+. If 
you are interested in this happening, PLEASE open an RFE with Red Hat (I can 
help with this offline). Once shipped within RHEL, SSG will be the official 
body of SCAP content supported by Red Hat. Progress in this area can be tracked 
publicly:
https://bugzilla.redhat.com/show_bug.cgi?id=1038655

Hopefully this helps you a bit, while waiting for Jeff and FSO to chime in.


[1] Authoritative copies within the DISA FSO zip file. However, a direct link 
to my convenient copy:
http://people.redhat.com/swells/rhel6stig/U_RedHat_6_V1R2_Overview.pdf
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide