On 11/29/18 5:54 PM, Trevor Vaughan wrote:
The issue is less the automation (that's easy) and more that it isn't actually a codified standard.

Could these be expressed as OCIL?

https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/ocil

For example, here's the codified OCIL for manual inspection to make sure /var/log/httpd is 0700 or less permissive:
        <ns0:questionnaire id="ocil:ssg-dir_perms_var_log_httpd_ocil:questionnaire:1">
          <ns0:title>Set Permissions on the /var/log/httpd/ Directory</ns0:title>
          <ns0:actions>
            <ns0:test_action_ref>ocil:ssg-dir_perms_var_log_httpd_action:testaction:1</ns0:test_action_ref>
          </ns0:actions>
        </ns0:questionnaire>
.....
        <ns0:boolean_question_test_action id="ocil:ssg-dir_perms_var_log_httpd_action:testaction:1" question_ref="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
          <ns0:when_true>
            <ns0:result>PASS</ns0:result>
          </ns0:when_true>
          <ns0:when_false>
            <ns0:result>FAIL</ns0:result>
          </ns0:when_false>
        </ns0:boolean_question_test_action>
..........
        <ns0:boolean_question id="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
          <ns0:question_text>Run the following command to check the mode of the httpd log directory:
$ ls -l /var/log/ | grep httpd
Log directory must be mode 0700 or less permissive.
            Is it the case that it is more permissive?
            </ns0:question_text>
        </ns0:boolean_question>

If these manual checks can be coded in OCIL they can be included in SCAP-based reports natively.

It also means we could create an organizational answers file, such as the "Do you do backups?" question that Tom mentioned earlier in the thread. Organizational answers could automatically be incorporated into the results files.

I'll hop onto the STIG feedback space on SoftwareForge and see if they have a schema anywhere. The last time I asked, there wasn't one, but that was quite some time ago.
Thanks Trevor!
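As an added example (not code from this thread, SSG or OpenSCAP), here is how an organizational answers file could be applied to OCIL test actions like the one above: each questionnaire's test_action_ref is resolved to its boolean_question_test_action and the result is taken from when_true/when_false. The OCIL 2.0 root element, section names and namespace are assumed from the schema, and the org-backups ids and the answers are constructed; because the result comes purely from when_true/when_false, the answers file has to be written against the question text ("Is it the case that it is more permissive?"), not the questionnaire title.

```python
import xml.etree.ElementTree as ET

NS = {"o": "http://scap.nist.gov/schema/ocil/2.0"}  # OCIL 2.0 namespace (assumed; the thread shows ns0:)
# Constructed sample: the /var/log/httpd check from the thread plus a made-up
# organizational question. <questions> is omitted; the evaluator does not need it.
SAMPLE_OCIL = """<ocil xmlns="http://scap.nist.gov/schema/ocil/2.0">
 <questionnaires>
  <questionnaire id="ocil:ssg-dir_perms_var_log_httpd_ocil:questionnaire:1">
   <title>Set Permissions on the /var/log/httpd/ Directory</title>
   <actions><test_action_ref>ocil:ssg-dir_perms_var_log_httpd_action:testaction:1</test_action_ref></actions>
  </questionnaire>
  <questionnaire id="ocil:org-backups_ocil:questionnaire:1">
   <title>Backups are performed</title>
   <actions><test_action_ref>ocil:org-backups_action:testaction:1</test_action_ref></actions>
  </questionnaire>
 </questionnaires>
 <test_actions>
  <boolean_question_test_action id="ocil:ssg-dir_perms_var_log_httpd_action:testaction:1" question_ref="ocil:ssg-dir_perms_var_log_httpd_question:question:1">
   <when_true><result>PASS</result></when_true><when_false><result>FAIL</result></when_false>
  </boolean_question_test_action>
  <boolean_question_test_action id="ocil:org-backups_action:testaction:1" question_ref="ocil:org-backups_question:question:1">
   <when_true><result>PASS</result></when_true><when_false><result>FAIL</result></when_false>
  </boolean_question_test_action>
 </test_actions>
</ocil>"""


def evaluate(ocil_xml, answers):
    """Return {questionnaire id: OCIL result} for an answers file {question id: bool}.
    Every referenced test action must PASS (OCIL's default AND; OR/negate not modelled).
    Results come only from when_true/when_false, so answers must match the question
    text ("Is it the case that it is more permissive?"), not the questionnaire title."""
    root = ET.fromstring(ocil_xml)
    actions = {a.get("id"): a for a in root.iterfind(".//o:boolean_question_test_action", NS)}
    results = {}
    for q in root.iterfind(".//o:questionnaire", NS):
        outcome = "PASS"
        for ref in q.iterfind("o:actions/o:test_action_ref", NS):
            action = actions.get(ref.text)
            if action is None:
                outcome = "ERROR"        # dangling test_action_ref
            elif action.get("question_ref") not in answers:
                outcome = "NOT_TESTED"   # no organizational answer recorded
            else:
                branch = "o:when_true" if answers[action.get("question_ref")] else "o:when_false"
                outcome = action.find(branch + "/o:result", NS).text
            if outcome != "PASS":
                break                    # first non-PASS action decides
        results[q.get("id")] = outcome
    return results
```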
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org