On 4/17/17 3:28 PM, Major Hayden wrote:
> On 04/17/2017 12:42 PM, [email protected] wrote:
>> My name is Tim Bradt. I am a software developer at Signature Research, Inc. I
>> have been charged with getting SCAP up and running on some of our systems.
>>
>> We are running Arch Linux. I was wondering what the process would be for
>> porting the RHEL7 guide to Arch as we need the DISA STIG for system approval.
> Hello Tim,
>
> As others have mentioned already, the big job is to get an actual standard
> assembled for Arch Linux. Once that's done, writing SCAP content or other
> scripts is much more straightforward.
>
> We've tried to tackle a translation of the RHEL 7 STIG into something that
> works for CentOS 7 and Ubuntu 16.04:
>
> https://github.com/openstack/openstack-ansible-security
> https://docs.openstack.org/developer/openstack-ansible-security/
>
> (There's also a RHEL 6 STIG implementation for Ubuntu 14.04, but we're
> deprecating that now.)
>
> Some of that work may help you figure out how to translate the RHEL 7 STIG
> requirements for Arch Linux. Feel free to reach out if you need pointers.

Operating System STIGs are derived from DISA's Operating Systems Security Requirements Guide:
http://iase.disa.mil/stigs/os/general/Pages/index.aspx

To get started, download a copy and map what controls are possible on Arch. For example, password complexity requirements can be met, however anything relating to cryptography/FIPS cannot.

Once you down-select the list of controls you can begin authoring configuration guidance. That is done with XCCDF in the OpenSCAP/SSG project. The build system is extensible enough that when a configuration rule overlaps with RHEL (e.g., something with PAM), we can tag the existing content and associate it with both RHEL and Arch. Same with the OVAL content. New XCCDF+OVAL can be generated for Arch-specific things.

The process is a bit mundane... but iterate through and you'll generate a configuration guide for Arch. I don't really have a feel for how different Arch is than mainline Linux - but would wager this would be mostly a policy mapping exercise vs having to create lots of Arch-specific SCAP content.
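
A first pass at the down-select step described in the message above, as an added example that is not part of the original thread or of the SSG project. It assumes the requirements guide is an XCCDF 1.1 file whose Group titles carry the SRG id; the sample benchmark, its ids and the keyword triage rule are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # XCCDF 1.1 namespace
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample shaped like an XCCDF benchmark; ids and titles are
# placeholders, not real SRG entries.
SAMPLE_SRG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed">
 <Group id="V-EXAMPLE-1"><title>SRG-OS-EXAMPLE-1</title>
  <Rule id="SV-EXAMPLE-1_rule" severity="medium">
   <title>Passwords must contain at least one upper-case character.</title></Rule></Group>
 <Group id="V-EXAMPLE-2"><title>SRG-OS-EXAMPLE-2</title>
  <Rule id="SV-EXAMPLE-2_rule" severity="high">
   <title>The system must use FIPS-validated cryptographic modules.</title></Rule></Group>
 <Group id="V-EXAMPLE-3"><title>SRG-OS-EXAMPLE-3</title>
  <Rule id="SV-EXAMPLE-3_rule" severity="high">
   <title>Accounts must lock after three failed logon attempts.</title></Rule></Group>
</Benchmark>"""

# Assumption: a keyword match on the rule title is only a first-pass triage for
# the cryptography/FIPS case named in the message; a person reviews both lists.
NOT_FEASIBLE = re.compile(r"\b(FIPS|cryptograph\w*)\b", re.IGNORECASE)

def load_rules(xml_text):
    """Yield one dict per Rule: group id, SRG id (Group title), rule id, severity, title."""
    root = ET.fromstring(xml_text)
    for group in root.findall("x:Group", NS):
        srg_id = group.findtext("x:title", default="", namespaces=NS).strip()
        for rule in group.findall("x:Rule", NS):
            title = rule.findtext("x:title", default="", namespaces=NS)
            yield {"group": group.get("id"), "srg": srg_id, "rule": rule.get("id"),
                   "severity": rule.get("severity", "unknown"),
                   "title": " ".join(title.split())}

def down_select(rules):
    """Split rules into (candidates, excluded), each sorted most severe first."""
    candidates, excluded = [], []
    for r in rules:
        (excluded if NOT_FEASIBLE.search(r["title"]) else candidates).append(r)
    by_sev = lambda r: (SEVERITY_ORDER.get(r["severity"], 3), r["srg"])
    return sorted(candidates, key=by_sev), sorted(excluded, key=by_sev)

if __name__ == "__main__":
    keep, drop = down_select(load_rules(SAMPLE_SRG))
    for label, rows in (("candidate", keep), ("excluded", drop)):
        for r in rows:
            print(f"{label:9} {r['severity']:7} {r['srg']:18} {r['title']}")
```

The candidate list is the input to the XCCDF authoring step; the excluded list is kept so each omission can be justified during system approval.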
