I've started doing my own work on this for my program, so I'd love to be involved in the work delegation.
Thanks!

Sent from my iPhone

> On Jan 27, 2016, at 6:55 PM, Shawn Wells <[email protected]> wrote:
>
>> On 1/27/16 2:40 PM, Crawford, Nicholas P CTR USARMY RDECOM CERDEC (US) wrote:
>>
>> FYI,
>>
>> In case any interested parties missed it during the inclement weather event,
>> DISA has released the Draft STIG for RHEL 7 on 21 Jan. The comment period
>> is open until 12 Feb.
>>
>> http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
>
> To ease reading, I converted their XML to HTML:
> http://people.redhat.com/swells/U_Red_Hat_Enterprise_Linux_7_V1R0-1_Manual_STIG/html_edition.html
>
> There's a high chance members of the OpenSCAP community will click that link
> and have a serious case of "WTF is this?"
>
> The RHEL7 STIG and USGCB baselines are to be based on the ~20 configuration
> requirements from "Management of Security Functions Behavior" in the NIAP
> Operating System Protection Profile:
> https://www.niap-ccevs.org/pp/pp_os_v4.0.htm#fmt
>
> Those controls are being implemented in the OSPP profile:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/ospp-rhel7-server.xml
>
> Prior to the formal recognition/issuance of a STIG or USGCB, a vendor must
> complete their Common Criteria Certification. RHEL7 began that process in
> June 2014 [0] and is expected to finish shortly.
>
> In preparation for completion of Common Criteria, we sent our configuration
> guide (derived from SSG's OSPP profile) to NIST and DISA FSO. Akin to RHEL6,
> the arrangement was to use SCAP Security Guide as the upstream for the STIGs.
>
> You can imagine the surprise when FSO published their draft STIG, which seems
> to include the 129 configuration checks from our OSPP profile, but also tacks
> on 279 net-new controls.
>
> DISA FSO has been a cooperative partner in opening the STIG process, and
> establishing open source principles for STIG development. We're working with
> them to see why their draft STIG varies so dramatically from the content
> that was submitted to them.
>
> In the meantime, it's incredibly important to start reviews of the DISA
> draft STIG. This is an opportunity for you to express that you want DISA to
> keep using open source developed content, and also to directly address the
> random 279 new rules that mysteriously were dropped in. Some are just
> blatantly wrong, and appear to be copy/pasted from RHEL5 content!
>
> To facilitate comments, I've shared an edition of the DISA FSO comment matrix:
> http://bit.ly/1QtvF6v
>
> This will become Red Hat's formal feedback to DISA FSO on their draft. If we
> all work on a single feedback form, submitted independently through our own
> companies, our independent voices for change would be greatly amplified.
>
> There are ~400 controls in DISA's draft. Perhaps we could segment this up, and
> take ownership of small chunks? This would ensure the OpenSCAP community is
> able to provide feedback by the 12-FEB deadline. Once we're done with smaller
> sections, we could review as a whole in a week or two. Would anyone be up for
> this?
>
> -Shawn
>
>
> [0]
> https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-7-evaluation-common-criteria-certification
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
> https://github.com/OpenSCAP/scap-security-guide/
