About 235 comments were sent to DISA. The SCAP Security Guide received about 85 comments - mostly changing SRG IDs and adding in rules that were inherently met and were in the draft STIG but not in the SSG content.
R/
Ted

On Thu, Jul 9, 2020 at 7:22 AM Salowitz, Mark A CTR <[email protected]> wrote:

> Out of curiosity, how much of a delta between the two? I don’t have cycles
> right now to do a side by side comparison.
>
> Thanks,
>
> Mark Salowitz
>
> *From:* Ted Brunell <[email protected]>
> *Sent:* Wednesday, July 8, 2020 2:20 PM
> *To:* SCAP Security Guide <[email protected]>
> *Subject:* [Non-DoD Source] Re: Help needed identifying and correlating
> rules in SCAP Security Guide for RHEL8 STIG (draft)
>
> Both sets of content (DISA and SSG) are still considered in draft right
> now. The vendor content was sent to DISA in early December for their
> review. We were all a little surprised at the draft that was published
> since it deviated from what had been sent. The STIG IDs were left out of the
> SSG content since the STIG IDs are assigned by DISA. Once the STIG content
> reaches a final version, the STIG-IDs will be added to the SSG.
>
> For now, the best way of matching the two contents lists is to use the
> SRG-ID. It is not perfect, but it will get you close to a match (at least
> in the right area).
>
> R/
>
> Ted
>
> On Wed, Jul 8, 2020 at 12:14 PM N B <[email protected]> wrote:
>
> I'm in the process of upgrading to RHEL8, and need to analyze the STIG
> rules since my project had waivers in place for some of the rules in
> earlier RHEL versions. My team would like to use the SCAP Security Guide
> as the source of our content for scans, and so the plan was to review the
> rules from the SSG's RHEL8 STIG profile. I thought it would be pretty easy
> to just get a list of the rules with their ids, titles, and descriptions,
> but have run into a couple issues.
>
> First, I am seeing a lot of differences between the ruleset I can download
> directly from DISA (their manual xccdf for RHEL8 STIG - draft) and the
> ruleset in the SSG RHEL8 STIG profile. Figured the titles might not have
> been brought over from the DISA STIG verbatim, so thought it might be
> better to align them by identifier, which leads to the second problem...
>
> I can't find any identifiers in common between the DISA STIG and the SSG
> profile. DISA has indicated that STIG IDs (e.g. RHEL-08-010050) are the
> way to go moving forward, and only provides these ids in their draft STIG.
> SSG on the other hand, provides CCEs (presumably ones that it generates
> from a pool allocated by NIST), vul group ids, and sub-vul rule ids, but
> does not appear to provide the STIG IDs (I've looked in the
> table-rhel8-nistrefs-stig.html file of the 0.1.50 release and in the scan
> report from scanning my system).
>
> I would appreciate guidance on how to correlate these two sources and
> ideally where STIG IDs can be found in SSG STIG content since these seem to
> be DISA's preferred identifier going forward.
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
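The SRG-ID matching suggested in this thread, as an added example that is not part of the original messages or of the SSG project's code. It assumes the DISA manual XCCDF carries the SRG ID in each `Group` title and the STIG ID in `Rule/version`, and that SSG rules list SRG IDs in `reference` elements; the inline XML, the rule IDs and `RHEL-08-999999` are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

SRG_RE = re.compile(r"SRG-OS-\d+-GPOS-\d+")

# Constructed samples. Assumed layout: DISA puts the SRG ID in Group/title and
# the STIG ID in Rule/version; SSG lists SRG IDs in Rule/reference elements.
DISA_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
 <Group id="V-EXAMPLE-1"><title>SRG-OS-000023-GPOS-00006</title>
  <Rule id="SV-EXAMPLE-1"><version>RHEL-08-010050</version></Rule></Group>
 <Group id="V-EXAMPLE-2"><title>SRG-OS-000480-GPOS-00227</title>
  <Rule id="SV-EXAMPLE-2"><version>RHEL-08-999999</version></Rule></Group>
</Benchmark>"""
SSG_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
 <Rule id="xccdf_org.ssgproject.content_rule_example_a">
  <reference href="https://example.invalid/srg">SRG-OS-000023-GPOS-00006</reference>
  <reference href="https://example.invalid/srg">SRG-OS-000024-GPOS-00007</reference>
 </Rule>
 <Rule id="xccdf_org.ssgproject.content_rule_example_b">
  <reference href="https://example.invalid/other">not an SRG reference</reference>
 </Rule>
</Benchmark>"""

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse alike."""
    return tag.rsplit("}", 1)[-1]

def index_by_srg(xml_text, container, srg_child, ids_of):
    """Map each SRG ID found under `container` elements to the IDs of its rules."""
    index = defaultdict(set)
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != container:
            continue
        text = " ".join(c.text or "" for c in elem if local(c.tag) == srg_child)
        for srg in SRG_RE.findall(text):
            index[srg].update(ids_of(elem))
    return index

def stig_ids(group):
    """STIG IDs (Rule/version) of the rules inside one DISA Group."""
    return [v.text for r in group if local(r.tag) == "Rule"
            for v in r if local(v.tag) == "version"]

def correlate(disa_xml, ssg_xml):
    """Return (matched SRG -> (STIG IDs, SSG rule IDs), DISA-only SRGs, SSG-only SRGs)."""
    disa = index_by_srg(disa_xml, "Group", "title", stig_ids)
    ssg = index_by_srg(ssg_xml, "Rule", "reference", lambda r: [r.get("id")])
    both = disa.keys() & ssg.keys()
    matched = {s: (sorted(disa[s]), sorted(ssg[s])) for s in sorted(both)}
    return matched, sorted(disa.keys() - both), sorted(ssg.keys() - both)
```

Calling `correlate(DISA_XML, SSG_XML)` gives the matched pairs plus the SRG IDs that appear on only one side, which is where waivers need manual review; several rules can share one SRG ID, so a match narrows the area rather than pairing rules one to one.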
