Re: [Open-scap] Wish to disable check or remediation of STIG rules to remove X Windows and to use smart card

[Boucher, William]

In SCAP Workbench, After selecting the profile (in my case, DISA STIG for RHEL 
7), click the "Customize" button to the right on the profile selection 
pulldown. This opens up a new window, where you can click on checkboxes to the 
left of listed controls to either add checks of those controls (put check in 
checkbox) or remove them (remove check in checkbox). When things are customized 
to your specifications click "OK" and you will see the string "(CUSTOMIZED)" 
added to the selected profile. You can now save the customization in a 
tailoring file via the " File->Save Customization Only" pulldown (so you can 
load it again later or use it in a command-line oscap call). Now when you run 
the scan your customizations will be applied.

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: open-scap-list-boun...@redhat.com 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of Shawn Wells
Sent: Tuesday, June 25, 2019 10:09 AM
To: open-scap-list@redhat.com
Subject: Re: [Open-scap] Wish to disable check or remediation of STIG rules to 
remove X Windows and to use smart card



On 6/25/19 11:36 AM, Boucher, William wrote:
I figured it out!



That's great! To help others down the road who may have a similar issue, what 
was the fix?
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Wish to disable check or remediation of STIG rules to remove X Windows and to use smart card

[Shawn Wells]

On 6/25/19 11:36 AM, Boucher, William wrote:


I figured it out!



That's great! To help others down the road who may have a similar issue, 
what was the fix?


___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] Wish to disable check or remediation of STIG rules to remove X Windows and to use smart card

[Boucher, William]

I figured it out!

Thanks,

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: open-scap-list-boun...@redhat.com 
[mailto:open-scap-list-boun...@redhat.com] On Behalf Of Boucher, William
Sent: Monday, June 24, 2019 1:52 PM
To: open-scap-list@redhat.com
Subject: [Open-scap] Wish to disable check or remediation of STIG rules to 
remove X Windows and to use smart card

Hi Folks,

I've got a machine running Scap Workbench on another remote/networked machine. 
Both are CentOS 7.5. I set up Workbench to SSH to the remote box as root (for 
now root ssh login is enabled on both machines), using CentOS 7 content.  I 
selected DISA STIG for Red Hat Enterprise Linux 7. Within the displayed rules 
there are two I need to ignore. I need X Windows and cannot use a smart card 
(or any multifactor) in the system I want to remediate.

So the "Remove the X Windows Package Group" & "Enable Smart Card Login" need to 
be tailored out somehow so remediation won't implement those controls.

(I'm assuming the "Enable the GNOME3 Login Smartcard Authentication", "Install 
Smart Card Packages For Multifactor Authentication" & "Configure Smart Card 
Certificate Status Checking" rules can be left in place if "Enable Smart Card 
Login" isn't set up.)

I cannot see an easy way in Workbench to just tell it to ignore a selected rule.

What do I need to do to keep remediation from implementing these rules?

Thank you,

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

[Open-scap] Wish to disable check or remediation of STIG rules to remove X Windows and to use smart card

[Boucher, William]

Hi Folks,

I've got a machine running Scap Workbench on another remote/networked machine. 
Both are CentOS 7.5. I set up Workbench to SSH to the remote box as root (for 
now root ssh login is enabled on both machines), using CentOS 7 content.  I 
selected DISA STIG for Red Hat Enterprise Linux 7. Within the displayed rules 
there are two I need to ignore. I need X Windows and cannot use a smart card 
(or any multifactor) in the system I want to remediate.

So the "Remove the X Windows Package Group" & "Enable Smart Card Login" need to 
be tailored out somehow so remediation won't implement those controls.

(I'm assuming the "Enable the GNOME3 Login Smartcard Authentication", "Install 
Smart Card Packages For Multifactor Authentication" & "Configure Smart Card 
Certificate Status Checking" rules can be left in place if "Enable Smart Card 
Login" isn't set up.)

I cannot see an easy way in Workbench to just tell it to ignore a selected rule.

What do I need to do to keep remediation from implementing these rules?

Thank you,

--Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list