Both sets of content (DISA and SSG) are still considered in draft right now. The vendor content was sent to DISA in early December for their review. We were all a little surprised at the draft that was published since it deviated from what had sent. The STIG IDs were left out of the SSG content since the STIG IDs are assigned by DISA. Once the STIG content reaches a final version, the STIG-IDs will be added to the SSG.
For now, the best way of matching the two contents lists is to use the SRG-ID. It is not perfect, but it will get you close to a match (at least in the right area). R/ Ted On Wed, Jul 8, 2020 at 12:14 PM N B <[email protected]> wrote: > I'm in the process of upgrading to RHEL8, and need to analyze the STIG > rules since my project had waivers in place for some of the rules in > earlier RHEL versions. My team would like to use the SCAP Security Guide > as the source of our content for scans, and so the plan was to review the > rules from the SSG's RHEL8 STIG profile. I thought it would be pretty easy > to just get a list of the rules with their ids, titles, and descriptions, > but have run into a couple issues. > > First, I am seeing a lot of differences between the ruleset I can download > directly from DISA (their manual xccdf for RHEL8 STIG - draft) and the > ruleset in the SSG RHEL8 STIG profile. Figured the titles might not have > been brought over from the DISA STIG verbatim, so thought it might be > better to align them by identifier, which leads to the second problem... > > I can't find any identifiers in common between the DISA STIG and the SSG > profile. DISA has indicated that STIG IDs (e.g. RHEL-08-010050) are the > way to go moving forward, and only provides these ids in their draft STIG. > SSG on the other hand, provides CCEs (presumably ones that it generates > from a pool allocated by NIST), vul group ids, and sub-vul rule ids, but > does not appear to provide the STIG IDs (I've looked in the > table-rhel8-nistrefs-stig.html file of the 0.1.50 release and in the scan > report from scanning my system). > > I would appreciate guidance on how to correlate these two sources and > ideally where STIG IDs can be found in SSG STIG content since these seem to > be DISA's preferred identifier going forward. > _______________________________________________ > scap-security-guide mailing list -- > [email protected] > To unsubscribe send an email to > [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] >
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
