On 4/25/16 2:51 PM, Martin Preisler wrote:
> ----- Original Message -----
> > From: "Trevor Vaughan" <tvaughan(a)onyxpoint.com>
> > To: "SCAP Security Guide" <scap-security-guide(a)lists.fedorahosted.org>
> > Sent: Sunday, April 24, 2016 2:03:25 PM
> > Subject: Re: cnssi No 1253 profile needed
> >
> > The main RH6 and RH7 SSG profiles.
> Could you write up the use-cases and report it as a bug? Probably we can
> expose something in the rules as variables and then you will be able to
> tailor it in the way you need.
We're polishing out the RHEL7 STIG. Once that activity clears, we'll
start working on a DoD Secure Host Baseline.
(Interesting to talk about incorporating/elevating SIMP into that. Let's
hold that conversation for a minute though.)
The working intent is something like this:
- RHEL7 USGCB is a "base profile" that is aligned to NIAP's Operating
System Protection Profile. Ref:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/...
- RHEL7 STIG extends the base NIAP profile with whatever things DISA feels
are relevant:
https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/...
- The DoD Secure Baseline will extend the NIAP profile with CNSSI 1253
overlay controls.
These three common/related profiles should set the base configurations
for US Government. They'll all ship natively in the installer, allowing
users to directly deploy into these configurations (as has hopefully been
useful with the RHEL7 Vendor STIG!).
That leads to solving how people will tailor these baselines. In the
most simplistic use case, users can load SCAP Workbench and modify rule
selections and refine values. SCAP Workbench will generate custom RPMs
(if run on RHEL hosts), and/or a "tailoring file" that outlines how you
drifted from the common baseline. More advanced users can
cryptographically hash things for integrity checking. The content can
also be imported into Satellite for central config management/scanning.
Trevor, how do you think you'll need to modify these for your use?