On 3/5/20 1:00 PM, James Cassell wrote:
On Thu, Mar 5, 2020, at 12:57 PM, Jeff Bachtel wrote:
Good day. I am trying to apply current RHEL7 STIG guidance to AWS EC2
instances and have run into issues. Could someone check my conclusions
below and let me know if I missed something?
- OpenSCAP doesn't yet support RHEL7 STIG V2R6 in its in-tree code
(including remediation code)
- The NIST NCP for RHEL7 from
https://github.com/ComplianceAsCode/content/tree/master/rhel7 doesn't
yet include STIG V2R4 remediations
- The actual DISA RHEL7 STIG XCCDF file does not include fixes, such
that OpenSCAP could use it to generate remediation scripts
- https://github.com/MindPointGroup/RHEL7-STIG is probably the best
RHEL7 STIG remediation script that's publicly available
All correct from my perspective.
To the best of our knowledge there haven't been any substantive changes
to the DISA content. At least we haven't been informed of any (eg rule
selections/removals, changing variables like password length, etc).
That said, could be interesting to run the Red Hat-provided remediations
and then re-scan with the DISA-provided content. Goal would be to see if
anything fails... in theory showing any gaps between the content.
Would you be interested/able to help do that? Here's the ansible content:
https://galaxy.ansible.com/RedHatOfficial/rhel7_stig
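The gap analysis proposed above (apply the Red Hat remediation, then re-scan with the DISA content and see what still fails) comes down to diffing two OpenSCAP result files. The following script is an added example and is not part of the thread, the RedHatOfficial role, or the OpenSCAP project. It parses XCCDF 1.2 result documents (the `--results` output of `oscap xccdf eval`) and classifies every rule as fixed, still failing, regressed, or not checked. The profile and benchmark file names in the docstring are placeholders, the Galaxy install name is inferred from the URL above, and the two embedded result documents are constructed test data, not real scan output.

```python
"""Diff two OpenSCAP XCCDF result files to show what a remediation left behind.

Illustrative workflow (profile id and benchmark file name are placeholders,
not values taken from the thread; the role name is inferred from its Galaxy URL):

    oscap xccdf eval --profile <stig-profile-id> --results before.xml <disa-benchmark.xml>
    ansible-galaxy install RedHatOfficial.rhel7_stig
    ansible-playbook -i localhost, -c local apply_stig.yml   # playbook that applies the role
    oscap xccdf eval --profile <stig-profile-id> --results after.xml <disa-benchmark.xml>
    python3 stig_gap.py before.xml after.xml
"""
import sys
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace, used by both DISA benchmarks and ComplianceAsCode output.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF <result> values that mean the check did not come back clean.
FAILING = {"fail", "error", "unknown"}

# Constructed sample result documents (not real scan output). Rule ids follow
# the DISA naming pattern but the numbers are placeholders.
BEFORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_RHEL_7">
  <TestResult id="xccdf_org.open-scap_testresult_before">
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-000001r1_rule"><result>fail</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-000002r1_rule"><result>fail</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-000003r1_rule"><result>pass</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-000004r1_rule"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

AFTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_RHEL_7">
  <TestResult id="xccdf_org.open-scap_testresult_after">
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-000001r1_rule"><result>pass</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-000002r1_rule"><result>fail</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-000003r1_rule"><result>fail</result></rule-result>
    <rule-result idref="xccdf_mil.disa.stig_rule_SV-000004r1_rule"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_results(xml_text):
    """Return {rule idref: result string} for every rule-result in the TestResult."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        if res is not None and res.text:
            results[rr.get("idref")] = res.text.strip()
    return results


def compare(before, after):
    """Classify each rule by how its result changed between the two scans.

    gaps:       failing after remediation (the content mismatch the thread is after)
    regressed:  passed before, failing after (remediation broke something)
    fixed:      failing before, passing after
    notchecked: no automated check ran; if this is every rule, the scan most
                likely used the manual XCCDF (no OVAL) instead of the SCAP benchmark
    """
    report = {"fixed": [], "gaps": [], "regressed": [], "notchecked": []}
    for rule_id in sorted(set(before) | set(after)):
        b, a = before.get(rule_id), after.get(rule_id)
        if a in FAILING:
            bucket = "regressed" if b == "pass" else "gaps"
            report[bucket].append(rule_id)
        elif a == "pass" and b in FAILING:
            report["fixed"].append(rule_id)
        elif a == "notchecked":
            report["notchecked"].append(rule_id)
    return report


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f_before, open(argv[2]) as f_after:
            before, after = rule_results(f_before.read()), rule_results(f_after.read())
    else:
        before, after = rule_results(BEFORE_XML), rule_results(AFTER_XML)
    report = compare(before, after)
    for bucket, ids in report.items():
        print(f"{bucket} ({len(ids)}):")
        for rule_id in ids:
            print(f"  {rule_id}")
    return report


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the classification of the constructed sample, or with the two result files from a real before/after scan. Rules in the `gaps` bucket are the ones worth reporting back to the list, since they are exactly the places where the Red Hat remediation and the DISA checks disagree; a non-empty `regressed` bucket means the remediation changed something the DISA content previously accepted.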
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org