On 7/1/14, 12:03 PM, Jan Lieskovsky wrote:
Hello Ray,

   thank you for checking with us (and sorry for the late reply).

----- Original Message -----
>From: "Ray V CTR USARMY ARL Shaw (US)"<[email protected]>
>To: "SCAP Security Guide"<[email protected]>
>Sent: Tuesday, July 1, 2014 5:36:24 PM
>Subject: RE: RHEL7 scanning (UNCLASSIFIED)
>
>Classification: UNCLASSIFIED
>Caveats: NONE
>
>Hope I'm not being a bother, but if possible, would someone mind weighing in
>on this?  Scanning on RHEL7 isn't particularly useful right now, and we'd
>like to lock it down as soon as possible.
>
>Thanks,
>
>--
>Ray Shaw (Contractor, STG)
>Army Research Laboratory
>CIO, Unix Support
>
>
> >-----Original Message-----
> >From: Shaw, Ray V CTR USARMY ARL (US)
> >Sent: Tuesday, June 24, 2014 10:31 AM
> >To: 'SCAP Security Guide'
> >Subject: RHEL7 scanning (UNCLASSIFIED)
> >
> >Classification: UNCLASSIFIED
> >Caveats: NONE
> >
> >By default, it looks like only the partition checks are enabled when
> >scanning with the stig-rhel7-server-upstream profile (on RHEL7).  If I edit
> >the profile to enable all of the ones that RHEL6 has enabled (and then
> >remove the few that don't exist for RHEL7), I get a total of 56 checks.
> >
> >[If anyone is curious, out of the box it passes 35 and fails 21, assuming
> >it's partitioned correctly.]
> >
> >We're starting on RHEL7 to prepare our configuration management system, etc.
> >for when 7 is blessed and we can deploy it, and of course STIGs are a big
> >part of that.  Is it reasonable to expect that they will closely parallel
> >the RHEL6 STIG?  Permissions/ownership, audit rules, sysctl, GDM, etc.

There definitely is motivation for the RHEL-7 content to cover the same areas of the
system as the RHEL-6 one was / is doing (plus add specific rules for the enhancements /
new features that appeared in RHEL-7).

Of course this effort will take some time, therefore I would not want to promise
any ETAs / time periods to you. A couple of the reasons for the delayed RHEL-7 content
delivery:
* existing RHEL-6 rules need to be re-tested against a RHEL-7 system (if they still work
   properly),
* some features / capabilities will require OVAL language enhancements (this process
   by itself takes some time),
* the newly introduced features will require completely new rules to be written.

In short yes, there definitely is willingness for the RHEL-7 content to be as capable as
the RHEL-6 one currently is. But I would like to avoid needing to make statements about
when this will happen (basically the community can expect the RHEL-7 content to be
improved in the upcoming releases).

That's fwiw regarding the SCAP content author PoV. For the timeline / updates regarding official RHEL-7
STIG content evolution (& locations for its download etc.), please ask Shawn
<- Shawn, can you possibly weigh in on this?

I've been speaking with DISA FSO, and have the new RHEL7 OS SRG requirements. Will get them posted this afternoon (US Eastern) with a proper writeup of where things are headed.
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/