> On 2/27/13 11:41 AM, Philip Shuman wrote:
>> We are currently trying to map 8500 controls to the RHEL6 draft content
>> (either the version from git or DISA's website would work). The RHEL5 STIG
>> benchmark contains references to the IA controls, which allows the auditors
>> to tie each check back to 8500.
>>
>> Here is an example from RedHat_5-V1R1_STIG_Benchmark-xccdf:
>>
>> Rule Title: The operating system must be a supported release.
>> STIG ID: GEN000100
>> Rule ID: SV-27049r1_rule
>> Vuln ID: V-11940
>> IA Controls: VIVM-1
>>
>> Is there any mapping either between RHEL6 and 8500 or even between
>> RHEL6 and RHEL5 that we could use to map these? It seems none of the
>> RHEL6 identifiers in either the build from git or the DISA website are common
>> with the past STIG content.
>
> The STIGs map back to NIST 800-53, so you may find a NIST 800-53 to
> DoD 8500.2 mapping useful. You can find that here:
>
> http://www.doncio.navy.mil/uploads/1118AMF13814.pdf
>
> With that said, I would be more than willing to add in the capability to tag
> rules by DoD 8500.2 section/requirement number if someone is willing to go
> through and do the actual tagging.
Thanks! That gets us where we want to go.
Here are the full steps I used for the record:
1a) The draft RedHat6 STIG from DISA includes references to CCI values.
(<ident> tag in U_RedHat6_v1r03_manual-xccdf.xml)
http://iase.disa.mil/stigs/os/unix/u_draft_redhat%206_v1r03_stig.zip
1b) Alternatively, the draft RedHat6 STIG from RedHat’s git repo includes
references to CCI values in a different tag.
(<reference href="http://iase.disa.mil/cci/index.html">352</reference... in ssg-rhel6-xccdf.xml)
$ git clone ssh://git.fedorahosted.org/git/scap-security-guide.git
2) The CCI list then maps to NIST 800-53 values.
(<reference creator="NIST" title="NIST SP 800-53"... tag in U_CCI_List.xml)
http://iase.disa.mil/cci/u_cci_list.zip
3) Then, the NIST 800-53 values map to the DoD 8500.2 values.
http://www.doncio.navy.mil/uploads/1118AMF13814.pdf
Because every SSG rule has (or should have, anyway) a unique CCI tag we
should be able to transform the associated NIST rules at some point. If
we could find a machine readable mapping of NIST to 8500.2 values that
could be added too.
Could you add a ticket to the project's wiki to track this? Seems
important enough to not forget about over time.
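Steps 1 and 2 of the chain above, as an added example (not code from this thread or from the SSG project): it reads CCI citations from XCCDF rules in both the DISA `<ident>` and the SSG `<reference href=...>` form, then joins them to the NIST SP 800-53 indexes from a CCI list. The layout of U_CCI_List.xml is assumed from the tag quoted above, and all ids, CCIs and index values in the embedded samples are constructed; the NIST to 8500.2 step is left out because no machine-readable mapping is available.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XCCDF fragment (ids and CCIs made up): rule A cites a CCI the
# DISA way (<ident system=...>), rule B the SSG way (<reference href=...>).
XCCDF_SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Rule id="SV-00000r1_rule"><ident system="http://iase.disa.mil/cci">CCI-000366</ident></Rule>
  <Rule id="rule_b"><reference href="http://iase.disa.mil/cci/index.html">352</reference></Rule>
</Benchmark>"""

# Constructed fragment in the assumed layout of U_CCI_List.xml; index values are made up.
CCI_SAMPLE = """<cci_list xmlns="http://iase.disa.mil/cci">
  <cci_item id="CCI-000366"><references>
    <reference creator="NIST" title="NIST SP 800-53" version="3" index="CM-6 b"/>
  </references></cci_item>
  <cci_item id="CCI-000352"><references>
    <reference creator="NIST" title="NIST SP 800-53" version="3" index="CM-6 a"/>
  </references></cci_item>
</cci_list>"""

def local(tag):
    return tag.split('}')[-1]          # ignore XML namespaces; both files declare one

def norm_cci(text):
    # "352" (SSG style) and "CCI-000352" (DISA style) name the same CCI
    digits = re.sub(r'\D', '', text or '')
    return f"CCI-{int(digits):06d}" if digits else None

def is_cci_ref(el):
    name = local(el.tag)
    return (name == 'ident' and 'cci' in el.get('system', '')) or \
           (name == 'reference' and 'iase.disa.mil/cci' in el.get('href', ''))

def rule_ccis(xccdf_xml):
    """Step 1: map each XCCDF <Rule id> to the set of CCIs it cites."""
    rules = (r for r in ET.fromstring(xccdf_xml).iter() if local(r.tag) == 'Rule')
    return {r.get('id'): {norm_cci(e.text) for e in r.iter() if is_cci_ref(e) and norm_cci(e.text)}
            for r in rules}

def cci_to_nist(cci_xml):
    """Step 2: map each CCI id to its NIST SP 800-53 index values from the CCI list."""
    items = (i for i in ET.fromstring(cci_xml).iter() if local(i.tag) == 'cci_item')
    return {i.get('id'): sorted(r.get('index') for r in i.iter()
                                if local(r.tag) == 'reference' and r.get('creator') == 'NIST')
            for i in items}

def rule_to_nist(xccdf_xml, cci_xml):
    """Join steps 1 and 2: rule id -> sorted NIST controls (empty if a CCI is unknown)."""
    nist = cci_to_nist(cci_xml)
    return {rid: sorted({ctl for c in ccis for ctl in nist.get(c, [])})
            for rid, ccis in rule_ccis(xccdf_xml).items()}
```

Rules whose CCI is missing from the list come back with an empty control list, which is the case worth reporting when auditing the tagging.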