scap-security-guide@lists.fedorahosted.org

7 participants
3 discussions

by Watson Sato

Hello, Security Content for el7 and el8 systems are not the same, for example, there is support for crypto-policies in el8, and method to enable FIPS mode is different for each. And currently "rhv4 <https://github.com/ComplianceAsCode/content/tree/master/rhv4>" product is focused on el7, and it is expected to be supported for quite some time. Question: How can we better support el8 based hosts? One way is to "split" rhv4 product into two, creating one product for el7 based hosts and another for el8 based hosts. At the moment, the contents for RHV and RHEL are very similar, but as content for RHV improves there may be the need for RHV specific content. This approach would allow freedom for RHV content to grow and become specific as needed, while sharing content with their respective base enterprise linuxes. Thoughts? -- Watson Sato Security Technologies | Red Hat, Inc

4 years

4
5
0 / 0

Question about the 'remediation script' sections

by Trevor Vaughan

I was looking at updating some of these but do they have to be 100% self contained? Obviously, some items are quite complex and there is code to do what is required, but I'm not sure how detailed we want to go. Thanks, Trevor -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788 -- This account not approved for unencrypted proprietary information --

4 years, 1 month

5
10
0 / 0

NIAP OSPP/Draft RHEL8 STIG ansible plays - disabled options for virtual guests and docker containers

by Link, Henry L II CTR USN NIWC ATLANTIC SC (USA)

Good afternoon! I am new to this list, and would normally lurk a bit more first, but I have a question I am hoping the community might be able to help me with. I have been reviewing the ansible playbook content for the NIAP OSPP for RHEL 8 on the following site: https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-index.html And I came across what has been labeled the "[DRAFT] DISA STIG for Red Hat Enterprise Linux 8" It just so happens to mirror the NIAP OSPP guidance, no surprise there for a first draft. However, a large number of the tasks in the playbook are restricted with the WHEN statement: - when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" These filters are from the original NIAP OSPP ansible guidance as well. Does anyone have an understanding why these tasks are filtered out for virtual machines? The text guidance makes no mention why these would be excluded, and in fact other code snippets (e.g. the bash scripts) don't include an exclusion like this. Even in cases like CCE-81024-2, I've never had issues with enabling this on virtual guests in the past (in VMWare, mind you), but items like CCE-82297-3 (tipc disable) or CCE-80834-5 (sctp disable) they don't cause any significant issues for a virtual guest where these are disabled. (My interest is in use in a DoD implementation, and though there is no STIG yet, I am negotiating with our accrediting body on appropriate controls until the STIG is available.) If anyone has any further insight why these were restricted with "when" directives in the ansible role/playbook for Draft STIG and NIAP, thank you in advance. For my part, I'm removing the clause for my implementation, but wanted to see what the original reason was and if it was something I should be aware of to avoid any future unforeseen issues. v/r Henry Link

4 years, 2 months

4
4
0 / 0

← Newer
1
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide February 2020