All,

Our program is currently working through the architecting of the next release, 
and the decision point is upon us WRT OS version - RHEL6 or RHEL7.  One 
significant factor (at least from a cybersecurity perspective) is the ability 
to efficiently / effectively conduct STIG reviews via the SCAP tools.

This said, is there any place I could ascertain the projected release of the 
RHEL 7 Benchmarks?

I apologize if this is not the appropriate venue for such a question, or if it 
is so obviously in front of me I should already know, but honestly I have not 
closely monitored this feed of late, since I have been stuck in the RHEL 5 
world and trying to keep the system secure in that context.

Thanks,


From: Shawn Wells [mailto:[email protected]]
Sent: Thursday, July 20, 2017 10:56 AM
To: [email protected]
Subject: Re: Loss of EL7 STIG profiles


On 7/20/17 3:57 AM, Chuck Atkins wrote:
I've been using the SCAP Security Guide for the past two years to manage the 
lock down and deployment of EL7 machines in our lab and one of the best 
features I've seen is the move from a single "STIG for Red Hat Enterprise 
Linux" profile targeting servers to three separate profiles for Server, Server 
with GUI, and Workstation.  I just used the EL7 STIG Workstation profile this 
week with the SSG in the EL7 repos.  It's extremely useful to me since all of 
our machines are used as workstations, not servers, so to have a profile that 
works out of the box without needing to do excessive customization, and in 
turn, justification of said customizations is very handy.
So imagine my surprise and dismay when I used the most recent release from the 
Copr repo and discovered that my convenient separate profiles were now all gone 
to align with the recently released singular DISA server profile.  Are there 
any plans with the various contributors involved (RH, DoD, others, etc.) to 
re-work the server STIG profile again to have a separate upstream-supported 
STIG profile for Workstation usage?  Having it in previous releases has proven 
to be an extremely useful feature and I would hate to see it regress back to 
"Linux is just for servers".

The profile split started when DISA wanted to include desktop configuration 
checks in their RHEL7 STIG. In theory this was ideal, however no desktop 
content existed. DISA wanted to independently verify all desktop hardening 
recommendations from DoD, NSA, Red Hat, and those that were already in SSG. 
This was taking months... IIRC, over 6+ months were spent waiting for DISA to 
validate various controls. In phone calls, we went back and forth over what 
should and should not be included. Agreements that were made somehow ended up 
not being included in DISA's incremental drafts -- and we'd have to start the 
dialogs all over.

We got to the point where our collaborators at DISA agreed to release a "RHEL7 
Base STIG," and a future "RHEL7 Base+Desktop" would be released at a future 
date. This would allow something to be published rapidly. Our DISA 
collaborators agreed on this approach and ran it up their management chain. 
That was when (in SSG) we split the profiles.

Unfortunately, a few weeks later, we learned that someone in upper management 
at DISA disagreed. They decided waiting for all desktop settings to be included 
in DISA's content was the right approach. In part this is understandable... 
they knew getting an incremental DISA STIG release would take at least a year 
because of their processes.

Ultimately DISA ended up releasing a combined Server+Desktop STIG. Perhaps due 
to the incredible pressure to just release something, they left off dozens of 
desktop related checks. Top of mind examples:
- Blank the screen saver
- Use encrypted X11 forwarding
- Enforce login retries when using a GUI
- Disable WiFi
- Disable geolocation

DISA stated they would "rebase" their content on recommendations provided to 
them by DISA, NIST, NSA, and Red Hat. That was over 6 months ago now and no 
updates are planned. If having DISA release updated content is important to 
you, I'd recommend reaching out to them directly.

For now, the "stig-rhel7-disa" profile aligns to DISA's content... even if 
their requirement coverage is incomplete. The SSG content does differ from 
DISA's in that we use correct file paths to evaluate configuration settings and 
ensured the values (e.g. on/off) are appropriate. There are something like 
50-75 bugs in DISA's content that have been fixed (or never even present) in 
SSG. You can find that profile here:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/stig-rhel7-disa.xml

In the meantime, we've moved forward with other DoD elements to align a US 
Government-wide baseline that incorporated DoD, Intelligence, and Civilian 
configuration requirements. That is reflected in the ospp-rhel7 profile:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/profiles/ospp-rhel7.xml

Which maps to the following:

This baseline implements configuration requirements from the following 
documents:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)

The ospp-rhel7 profile contains *all* the desktop checks that currently exist, 
whereas the DISA profile leaves them off (because DISA leaves them off in their 
content). Hopefully it'll be useful for you.
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
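The thread's practical question is which checks a system loses when it is evaluated with stig-rhel7-disa rather than ospp-rhel7. The script below, an added example and not SSG or DISA tooling, answers that by diffing the rules two XCCDF profile files enable; the profile fragments and rule ids in it are constructed placeholders that mirror the layout of the RHEL/7/input/profiles/*.xml files, not copies of the real profiles.

```python
"""Diff the rule selections of two SCAP Security Guide profile files.

Added example, not part of the SSG project. The <Profile> layout follows the
XCCDF 1.1 files under RHEL/7/input/profiles/: one <select> element per rule,
with selected="true" or "false". Rule ids and fragments are constructed.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed fragment standing in for stig-rhel7-disa.xml (no desktop checks)
STIG_PROFILE = """<Profile xmlns="http://checklists.nist.gov/xccdf/1.1" id="stig-rhel7-disa">
  <title override="true">Constructed sample: DISA STIG style profile</title>
  <select idref="example_sshd_disable_root_login" selected="true"/>
  <select idref="example_package_telnet_removed" selected="true"/>
  <select idref="example_screensaver_lock_enabled" selected="false"/>
</Profile>"""

# Constructed fragment standing in for ospp-rhel7.xml (desktop checks included)
OSPP_PROFILE = """<Profile xmlns="http://checklists.nist.gov/xccdf/1.1" id="ospp-rhel7">
  <title override="true">Constructed sample: OSPP style profile</title>
  <select idref="example_sshd_disable_root_login" selected="true"/>
  <select idref="example_screensaver_lock_enabled" selected="true"/>
  <select idref="example_wifi_disabled" selected="true"/>
</Profile>"""


def selected_rules(profile_xml):
    """Return the set of rule ids a profile actually enables.

    A <select selected="false"> explicitly turns a rule off, so it is left
    out; a rule the profile never mentions is not selected either.
    """
    root = ET.fromstring(profile_xml)
    return {
        sel.get("idref")
        for sel in root.iter("{%s}select" % XCCDF_NS)
        if sel.get("selected", "").lower() == "true"
    }


def coverage_gap(baseline_xml, candidate_xml):
    """Rules the baseline profile enables that the candidate does not."""
    return selected_rules(baseline_xml) - selected_rules(candidate_xml)


if __name__ == "__main__":
    for rule in sorted(coverage_gap(OSPP_PROFILE, STIG_PROFILE)):
        print("enabled in ospp-rhel7 but not in stig-rhel7-disa:", rule)
```

Point the two constants at the real profile files (read them with `open().read()`) to see the actual gap for a given SSG release.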