Any new OpenSCAP / SSG presentations?
by Shawn Wells
Realize the 'Conference Presentations' page on the OpenSCAP/SSG wiki has
gotten a bit stale.
Anyone present on OpenSCAP or SSG things lately? Would love to see
community presentations get added to the wiki!
Feel free to edit the wiki directly (just add a change note), or reply
on-list with your presentation date/title/link and I'll add it for you :)
6 years, 10 months
Audit Offloading in the EL7 STIG
by Trevor Vaughan
So, I was digging through and found the following:
RHEL-07-030300
The operating system must off-load audit records onto a different system or
media from the system being audited.
and
RHEL-07-030310
The operating system must encrypt the transfer of audit records off-loaded
onto a different system or media from the system being audited.
This poses a real problem since there are pretty much limitless methods to
meet this requirement and, given that actual proof is multi-node, this is
going to be *really* difficult to evaluate properly.
As much as I like auditd, I don't care for the thought of the network
blocking all of my operations, so I've opted to pass it along to syslog. My
syslog is then TLS encrypted to the various shipping points. This obviously
meets the requirement, and I can automatically test that configuration in
my code, but I feel like this is yet another place where we're going to have
difficulty with the SSG.
I also noticed that this one hasn't been implemented in the SSG and I'm
guessing that this is why.
What are the plans for things like this moving forward?
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
6 years, 10 months
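An added example, not part of the original post or of the SSG: one way to check the local half of the setup described above (auditd handing records to syslog, syslog forwarding over TLS). It assumes the audispd syslog plugin file and rsyslog's legacy $Directive syntax, uses constructed sample configs, and says nothing about whether the remote node actually receives the records.

```python
import re

# Constructed sample configs (not from the post). Assumes the audispd syslog
# plugin file and rsyslog legacy ($Directive) syntax; RainerScript is not parsed
# and directive ordering relative to actions is not modelled.
AUDISP_SYSLOG = "active = yes\ndirection = out\npath = builtin_syslog\ntype = builtin\n"
RSYSLOG_TLS = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/ca.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
*.* @@loghost.example.com:6514
"""
RSYSLOG_PLAIN = "*.* @@loghost.example.com:514\n"


def audisp_syslog_active(conf):
    """True if the audispd syslog plugin hands audit records to syslog."""
    for raw in conf.splitlines():
        m = re.match(r"active\s*=\s*(\S+)", raw.split("#", 1)[0].strip(), re.I)
        if m:
            return m.group(1).lower() == "yes"
    return False


def rsyslog_findings(conf):
    """List reasons the forwarding in this rsyslog config is not TLS protected."""
    directives, targets = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("$") and len(line) > 1:
            name, *rest = line[1:].split(None, 1)
            directives[name.lower()] = rest[0].strip() if rest else ""
        else:
            m = re.match(r"\S+\s+(@@?)([^\s:]+)", line)  # "@" = UDP, "@@" = TCP
            if m:
                targets.append(m.group(1))
    problems = []
    if not targets:
        problems.append("no remote forwarding action")
    if "@" in targets:
        problems.append("UDP forwarding (@) cannot use the TLS stream driver")
    if directives.get("defaultnetstreamdriver") != "gtls":
        problems.append("gtls stream driver not selected")
    if directives.get("actionsendstreamdrivermode") != "1":
        problems.append("stream driver mode is not TLS-only (1)")
    if directives.get("actionsendstreamdriverauthmode", "anon") == "anon":
        problems.append("remote peer is not authenticated (anon or unset)")
    return problems


def audit_offload_findings(audisp_conf, rsyslog_conf):
    """Combine both checks; an empty list means the local config looks complete."""
    head = [] if audisp_syslog_active(audisp_conf) else ["audisp syslog plugin inactive"]
    return head + rsyslog_findings(rsyslog_conf)
```
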
Thoughts on RHEL-07-020600-690?
by Sean
Hi SCAP folks...
I am curious what anyone working on the RHEL 7 STIG Alignment or
remediation thinks about these controls relating to "interactive user" home
directories. Is this something you see fit to implement through a
remediation script? It's one thing to set up a new system that complies
with these rules before new users start using it, but running a script to
correct this kind of stuff on an existing system seems like inviting a lot
of trouble.
Also, clearly there is nothing new in these controls specific to RHEL7;
should we expect to see these controls pushed into the RHEL6 STIG too?
Thanks for your thoughts!
--Sean
6 years, 10 months