SSG M1 Objectives
by Kevin Spargur
Hey all,
I've done a quick review of the SSG as far as were we stand in
comparison milestone 1 objectives. We are missing roughly 195/634 or
about 31% of the line items needed to meet milestone 1. The exact line
items missing are specified in the attached. I've opened tickets for
each piece up on the SSG site
(https://fedorahosted.org/scap-security-guide/report/2). If your
working on a section it would be great if you took the ticket so we can
try and avoid duplication of effort where possible.
Thanks,
Kevin Spargur
12 years
coming soon: consistency checking scripts
by Jeffrey Blank
We'll shortly be committing a script to do checking for consistency
between our OVAL and XCCDF. This should detect situations such as:
1)
a reference from an XCCDF rule to an OVAL definition that doesn't exist.
2)
an XCCDF rule exists (and is used in a profile) but doesn't include any
reference to a check.
3)
mismatch between filename and OVAL definition name (as this is an
important convention for our approach to modular definitions)
4)
others?
--
___________________________
Jeffrey Blank
410-854-8675
Global Mitigations
NSA Information Assurance
12 years
[patch] Ident element should represent a single identifier.
by Šimon Lukašík
Attached please find a patch to split up multiple values within single
ident element. It avoids things like the following
<ident system="http://cce.mitre.org">
4360-4,4378-6,4492-5,4263-0,3502-2,4449-5,
4361-2,4427-1,4321-6,4339-8,4105-3,3718-4
</ident>
The separations will also help applications (Spacewalk for example) with
data processing, storing to database, etc.
Thank You.
--
Simon Lukasik
12 years
Content of Ident elements
by Šimon Lukašík
Hello list,
In the current content there seems to be mixed two approaches how to
devise the ident:
(1) <ident system="http://cce.mitre.org">4365-3</ident>
(2) <ident system="http://cce.mitre.org">CCE-4112-9</ident>
I would like to not mix two. For instance usgsb-for-rhel5-desktop uses
exclusively the latter one. Even thought in the second approach there
seems to be kind of duplicity, I prefer it.
Would be a patch converting (1) to (2) acceptable for you?
--
Simon Lukasik
12 years
severity tags assigned to all Rules
by Jeffrey Blank
Just in case anyone was curious, severity tags are now assigned to all
Rules. This should help ensure that the content meets the needs of
customers who require this.
Earlier, "high" and "medium" values were manually added to the severity
attribute for each XCCDF Rule (in line with corresponding DIACAP
definitions and influenced by previous STIGs).
For other Rules (the majority), the shorthand2xccdf.xslt transform was
tweaked to automatically add severity="low" if no severity was
specified. So the default case should be easy for authoring.
This could easily be shown in the html tables ("spreadsheets" if you
wish) too..
Jeff
12 years, 1 month
PATCHes followup, new dist dir to support packaging
by Jeffrey Blank
Hello all,
In keeping with the goal of Shawn's recent patch submissions, I added a
"dist" directory and placed some of the new information there. This
should put us on a patch to providing an RPM form of our output (and the
directories there should clarify our goals as well).
Note that the files in the "output" directory are not necessarily final
output, and at this time some of the scripts assume that they live in a
flat directory. The files in output may be further transformed (or may
in fact be final output). Lifting from "output" into "dist" shoud
signify an intent to distribute as final product.
Thanks,
Jeff
12 years, 1 month
