-----Original Message-----
From: Trevor Vaughan [mailto:tvaughan@onyxpoint.com]
Sent: Friday, April 08, 2016 9:51 AM
I should be able to *easily* start from a base, replace the parts that I need to, trace back to the original information, and set my own parameters.
1) There should be a base CNSS 1253 policy that is the common XCCDF ground
2) Each branch should have their own derived CNSS 1253 policies that override the requisite XCCDF and OVAL content as necessary
3) Nothing should be repeated that is not overridden
4) Overrides should be understood in the derived content
5) This should be easy...it's not (actually, it appears to be impossible without tying yourself in knots)
This is my understanding of what tailoring files are intended to do; do they fall short in your use case?
Matt Micene
DLT Solutions
Solution Architect
RHCA# 100-002-435
Direct 703-773-1195
On Thu, Mar 24, 2016 at 12:48 PM, Shawn Wells <shawn(a)redhat.com> wrote:
On 3/23/16 6:25 AM, Jan Lieskovsky wrote:
Hello Daniel,
thank you for contacting us.
----- Original Message -----
>From: "Dan Warburton" <dan.warburton(a)jvncomm.com>
>To: "SCAP Security Guide" <scap-security-guide(a)lists.fedorahosted.org>
>Sent: Tuesday, March 22, 2016 8:36:27 PM
>Subject: cnssi No 1253 profile needed
>
>http://static.open-scap.org/ssg-guides/ssg-rhel6-guide-nist-cl-il-al.html
>
>I cannot locate this guide. I have redhat scap-security-guide 0.10.21-3.el6
>which yum says is the latest.
This (CNSSI No. 1253) profile has been introduced starting from upstream scap-security-guide-0.1.27 release:
[1] https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.27
thus as such is not included in scap-security-guide-0.1.21-3.el6 version yet you mention above.
>
>I think the profile for National Security Systems Instruction (CNSSI) No.
>1253, "Security Categorization and Control Selection for National Security
>Systems"
>
>How can I get this? rpm preferred
AFAIK Red Hat Enterprise Linux 6.8 Beta includes scap-security-guide RPM based on upstream 0.1.28 version already:
http://www.redhat.com/en/about/blog/red-hat-enterprise-linux-68-beta-now-available
therefore you can obtain the updated scap-security-guide RPM from that release for now, till the moment Red Hat Enterprise Linux 6 Update 8 is generally available.
Hope this helps.
Let us know if we can be of any further guidance.
Direct link to the beta RPM:
https://access.redhat.com/downloads/content/rhel---6/x86_64/160/scap-security-guide/0.1.28-2.el6/noarch/f21541eb/package
In regards to a CNSSI profile, we're trying to sort out what that'd actually mean. NSA's CNSSI 12-53 is different than NRO, which is different than DISA... whose CNSSI 12-53 overlay do we follow? What would be most useful/applicable?
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide(a)lists.fedorahosted.org
https://github.com/OpenSCAP/scap-security-guide/
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
-- This account not approved for unencrypted proprietary information --