Robert,

Thank you for this information. I have been impatiently waiting for a DISA 
released RHEL6 STIG Benchmark to run with SCC, and had been working through the 
manual STIG in its absence.  It is good to know that CA/ODAA will accept a 
non-DISA option.

I see where to acquire the NIST RH6 STIG v1r2, but you also noted in a prior 
email in this chain '...RHEL 6...provided by RH...'; is this a better option, or 
is the NIST version preferred?  If the answer is RH, where is this found?

Thanks,

v/r
 
David Moessbauer
(410) 627-5633 (M)
 
The Information contained in or attached to this communication may be 
confidential and privileged proprietary intended only for the individual/s or 
entity to whom/which it is addressed. Any unauthorized use, distribution, 
copying or disclosure of this information is strictly prohibited. If you have 
received this communication in error please contact the sender immediately and 
delete from your system.


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Burns, 
Robert K (US SSA)
Sent: Wednesday, February 26, 2014 11:54 AM
To: [email protected]
Subject: (nwl) RE: SSG for RHEL 6 (UNCLASSIFIED)

Chris,

The below, sent to me by a colleague of mine, seems to address your question:

Per the guidance from NIST National Vulnerability Database (NVD) website
(http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority) we are 
allowed to use Vendor produced SCAP content in the absence of "Governmental 
Authority" checklists. The link above will take you to the source, but I copied 
& pasted the verbiage below:

Authority

The organization responsible for producing the original security configuration 
guidance represented by the checklist. Authorities are ranked according to 
their "Authority Type." Within the NCP website authorities are grouped with 
their authority types through the syntax of Authority Type: Authority.

If it is not clear which checklist(s) should be analyzed, users from Federal 
civilian agencies should first search for checklists produced by authorities of 
type "Governmental Authority." If "Governmental Authority" produced checklists 
exist the user should first search for NIST-produced checklists, which are 
tailored for civilian agency use. If no NIST-produced checklist is available, 
then agency-produced checklists from the Defense Information Systems Agency 
(DISA) or the National Security Agency (NSA) should be used. If no 
"Governmental Authority" checklists exist the user should search for checklists 
produced by authorities of type "Software Vendor." If none of these checklists 
exist the user should search for checklists produced by authorities of type 
"Third Party."

Authority Type

Type of organization that lends its authority to the checklist. The three types 
are Governmental Authority, Software Vendor, and Third Party (e.g., security 
organizations).

Regards,

Robert

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of 
Bailey, Christopher D CTR USARMY AMRDEC (US)
Sent: Tuesday, February 25, 2014 12:45 PM
To: [email protected]
Subject: SSG for RHEL 6 (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Does anyone know if there's been an official approval from DISA for the use of 
SSG content and the openSCAP utility on RHEL 6 systems for providing official 
vulnerability reports to IA inspectors?  Our local IA folks tell us that SCC is 
the only DISA approved/provided product that we can use for scanning our 
systems and providing scan results to IA for inspection and analysis. 
However, SCC only provides content up to RHEL 5, which is of no help with RHEL 
6.  We have our own homemade script for scanning, but that's only good for 
in-house use. We need something for producing official SCAP formatted 
vulnerability reports. We believe our best option for automated scanning is the 
openSCAP tool with SSG content, which is what we want to use, but there doesn't 
seem to be any official acceptance for its use.

Basically, my IA folks want to see something in writing from DISA that says 
they officially approve the use of SSG content and the openSCAP tool for 
proving IA compliance on RHEL 6 systems.  I know that the DISA FSO is working 
closely with Red Hat on SSG, but I can't find anything like an official release 
from DISA.

Thanks.


Classification: UNCLASSIFIED
Caveats: NONE


_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide