Hello Ray, thank you for checking with us (and sorry for the late reply).
----- Original Message -----
> From: "Ray V CTR USARMY ARL Shaw (US)" <[email protected]>
> To: "SCAP Security Guide" <[email protected]>
> Sent: Tuesday, July 1, 2014 5:36:24 PM
> Subject: RE: RHEL7 scanning (UNCLASSIFIED)
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Hope I'm not being a bother, but if possible, would someone mind weighing in
> on this? Scanning on RHEL7 isn't particularly useful right now, and we'd
> like to lock it down as soon as possible.
>
> Thanks,
>
> --
> Ray Shaw (Contractor, STG)
> Army Research Laboratory
> CIO, Unix Support
>
>
> > -----Original Message-----
> > From: Shaw, Ray V CTR USARMY ARL (US)
> > Sent: Tuesday, June 24, 2014 10:31 AM
> > To: 'SCAP Security Guide'
> > Subject: RHEL7 scanning (UNCLASSIFIED)
> >
> > Classification: UNCLASSIFIED
> > Caveats: NONE
> >
> > By default, it looks like only the partition checks are enabled when
> > scanning with the stig-rhel7-server-upstream profile (on RHEL7). If I edit
> > the profile to enable all of the ones that RHEL6 has enabled (and then
> > remove the few that don't exist for RHEL7), I get a total of 56 checks.
> >
> > [If anyone is curious, out of the box it passes 35 and fails 21, assuming
> > it's partitioned correctly.]
> >
> > We're starting on RHEL7 to prepare our configuration management system, etc.
> > for when 7 is blessed and we can deploy it, and of course STIGs are a big
> > part of that. Is it reasonable to expect that they will closely parallel
> > the RHEL6 STIG? Permissions/ownership, audit rules, sysctl, GDM, etc.

There definitely is motivation for the RHEL-7 content to cover the same areas
of the system as the RHEL-6 one was / is doing (plus add specific rules for the
enhancements / new features that appeared in RHEL-7). Of course this effort
will take some time, therefore I would not want to promise any ETAs / time
periods to you.
A couple of the reasons for the delayed RHEL-7 content delivery:
* existing RHEL-6 rules need to be re-tested against a RHEL-7 system (if they
  still work properly),
* some features / capabilities will require OVAL language enhancements (this
  process by itself takes some time),
* the newly introduced features will require completely new rules to be written.

In short yes, there definitely is willingness for the RHEL-7 content to be as
capable as the RHEL-6 one currently is. But I would like to avoid having to
make statements about when this will happen (basically the community can expect
the RHEL-7 content to be improved in the upcoming releases).

That's fwiw regarding SCAP content author PoV. For the timeline / updates
regarding official RHEL-7 STIG content evolution (& locations for its download
etc.), please ask Shawn <- Shawn can you possibly weigh in on this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> >
> > Thanks,
> >
> > --
> > Ray Shaw (Contractor, STG)
> > Army Research Laboratory
> > CIO, Unix Support
> >
> >
> >
> > Classification: UNCLASSIFIED
> > Caveats: NONE
> >
> >
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>
>
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
