On Mon, Oct 9, 2017 at 2:14 PM, Shawn Wells <[email protected]> wrote:
> On 10/9/17 1:19 PM, Wesley Ceraso Prudencio wrote:
> > Hi all,
> >
> > I noticed something strange in the information we have about the STIG Profiles. The problem is that what we internally refer to as "Stig ID" is actually the STIG Rule "Version", it seems like "RHEL-7-01010101", meanwhile, we just ignore the real id of the STIG Rule that seems like "SV-86473r2_rule".
> >
> > When SSG is built, this id (version actually) is output as a Rule reference, for example:
> > "<reference href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010010</reference>"
> >
> > Although this "Version" is different for each Rule, it does not change when there is a new revision, meaning that we are not able to tell which revision of a rule we are evaluating based on this field. On the other hand, the real id gets incremented when there is a new revision for that rule, for example "SV-86473r2_rule" becomes "SV-86473r3_rule".
> >
> > I'm currently trying to enable OpenSCAP to output the result of a scan in a way the STIG Viewer is able to read it and populate a checklist, but it only understands the real id. Unfortunately, there is no place, except for comments, where I can get this id.
> >
> > A workaround for my development is to create another tag (probably a reference) in the Rule with the actual STIG id, but I'd like to hear from you if someone knows the story behind this before I move on.
>
> I don't really know what is fact vs fiction anymore, but from my version of reality wayyyy back when SSG started, DoD accreditors were asking for the RHEL-06-XXXXX identifiers (and we carried that forward to RHEL7 content).
>
> IMHO there is no consistency between users and various tools on the usage between RHEL-07-#### and the SV-#####r#_rule tags. We should support both -- especially if it means progress with STIG Viewer.

I have yet to see accreditors ask for SV- rule tags. I guess it happens in some circles, but the RHEL identifiers were the ones that I have always seen referenced. Of course, when RMF came into the picture, it was all about NIST mappings and very little about STIG identifiers.
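The difference between the two identifiers discussed in this thread can be seen by indexing a benchmark on the Rule "Version" and comparing the revision embedded in the Rule id. This is an added example, not part of the original messages and not SSG or OpenSCAP code; it assumes the Rule id is an attribute and the version a child element in the XCCDF 1.1 namespace, and the XML fragments, Group ids and the second rule are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: benchmark uses the XCCDF 1.1 namespace.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
# Rule id shape from the thread: SV-<number>r<revision>_rule
RULE_ID = re.compile(r"^(SV-\d+)r(\d+)_rule$")

# Constructed sample: two rules; identifier pairing is for illustration only.
OLD = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <Group id="V-00001"><Rule id="SV-86473r2_rule" severity="high">
    <version>RHEL-07-010010</version></Rule></Group>
  <Group id="V-00002"><Rule id="SV-00002r1_rule" severity="medium">
    <version>RHEL-07-999999</version></Rule></Group>
</Benchmark>"""
# Constructed "next release": only the first rule gets a new revision.
NEW = OLD.replace("SV-86473r2_rule", "SV-86473r3_rule")


def index_rules(xccdf_text):
    """Map Rule version -> (base id, revision number, full rule id)."""
    root = ET.fromstring(xccdf_text)
    index = {}
    for rule in root.iterfind(".//x:Rule", XCCDF_NS):
        version = rule.findtext("x:version", default="", namespaces=XCCDF_NS).strip()
        match = RULE_ID.match(rule.get("id", ""))
        if not version or not match:
            continue  # skip rules that do not follow the expected id shape
        index[version] = (match.group(1), int(match.group(2)), rule.get("id"))
    return index


def revised_rules(old_text, new_text):
    """Return versions whose rule id revision differs between two benchmarks."""
    old, new = index_rules(old_text), index_rules(new_text)
    return {
        version: (old[version][2], new[version][2])
        for version in old.keys() & new.keys()
        if old[version][1] != new[version][1]
    }


if __name__ == "__main__":
    for version, (before, after) in revised_rules(OLD, NEW).items():
        print(f"{version}: {before} -> {after}")
```

The version string stays the same across both fragments, so only the full rule id shows that the content being evaluated has changed.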
