When we attempted the tailoring files it was quite easy to override individual values but it didn't seem to be able to enhance entire sets of both XCCDF and OVAL ties.
100% open to the possibility that we're missing something and I haven't really found any instances of how to do this particular action. The GUI tools are targeted toward simple selectors which is too simplistic for what we need to do.
Thanks,
Trevor
On Tue, Apr 12, 2016 at 9:57 AM, Matt Micene matt.micene@dlt.com wrote:
-----Original Message----- From: Trevor Vaughan [mailto:tvaughan@onyxpoint.com] Sent: Friday, April 08, 2016 9:51 AM
I should be able to *easily* start from a base, replace the parts that I
need
to, trace back to the original information, and set my own parameters.
- There should be a base CNSS 1253 policy that is the common XCCDF
ground
- Each branch should have their own derived CNSS 1253 policies that
override the requisite XCCDF and OVAL content as necessary
Nothing should be repeated that is not overridden
Overrides should be understood in the derived content
This should be easy...it's not (actually, it appears to be impossible
without
tying yourself in knots)
This is my understanding of what tailoring files are intended to do, do they fall short in your use case?
Matt Micene DLT Solutions Solution Architect RHCA# 100-002-435 Direct 703-773-1195
On Thu, Mar 24, 2016 at 12:48 PM, Shawn Wells <shawn@redhat.com mailto:shawn@redhat.com > wrote:
On 3/23/16 6:25 AM, Jan Lieskovsky wrote: Hello Daniel, thank you for contacting us. ----- Original Message ----- >From: "DanWarburton"<dan.warburton@jvncomm.com mailto:dan.warburton@jvncomm.com > >To: "SCAP Security Guide"<scap-security- guide@lists.fedorahosted.org mailto:scap-security- guide@lists.fedorahosted.org > >Sent: Tuesday, March 22, 2016 8:36:27 PM >Subject: cnssi No 1253 profile needed > > > > > > >http://static.open-scap.org/ssg-guides/ssg-rhel6- guide-nist-cl-il-al.html > >I cannot locate this guide. I have redhat scap- security-guide 0.10.21-3.el6 >which yum says is the latest.
This (CNSSI No. 1253) profile has been introduced startingfrom upstream scap-security-guide-0.1.27 release: [1]https://github.com/OpenSCAP/scap-security- guide/releases/tag/v0.1.27
thus as such is not included in scap-security-guide-0.1.21-3.el6 version yet you mention above.
> > >I think the profile for National Security SystemsInstruction (CNSSI) No. >1253, "Security Categorization and Control
Selection
for National Security >Systems"" > > > > > >How can I get this? rpm preferred
AFAIK Red Hat Enterprise Linux 6.8 Beta includes scap-security-guide RPM based on upstream 0.1.28 version already:
http://www.redhat.com/en/about/blog/red-hat-enterprise-linux-68-beta-now-available
therefore you can obtain the updated scap-security-guideRPM from that release for now, till the moment Red Hat Enterprise Linux 6 Update 8 is generally available.
Hope this helps. Let us know if we can be of any further guidance. Direct link to the beta RPM: https://access.redhat.com/downloads/content/rhel---6/x86_64/160/scap-security-guide/0.1.28-2.el6/noarch/f21541eb/package
In regards to a CNSSI profile, we're trying to sort out what that'dactually mean. NSA's CNSSI 12-53 is different than NRO, which is
different
than DISA... who's CNSSI 12-53 overlay to we follow? What would be most useful/applicable?
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org <mailto:scap-security-guide@lists.fedorahosted.org> https://lists.fedorahosted.org/admin/lists/scap-security- guide@lists.fedorahosted.org https://github.com/OpenSCAP/scap-security-guide/
--
Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699
-- This account not approved for unencrypted proprietary information --
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/scap-security-guide@lists.fedorah... https://github.com/OpenSCAP/scap-security-guide/