[Other organizations that wish to create a Profile from the content are
welcome to use project resources as well; the project is not intended
to be a "DoD-only" thing: it is intended to provide a high-quality
dictionary of SCAP content for the RHEL platform, useful for a wide
variety of customers.]
Here's a rough agenda for our DoD consensus call today, based on the
pre-release draft STIG profile:
0) Please introduce yourself as you join the call.
1) Should we leave (as Rules) items which require disabling certain
services, which is what we have now? The RHEL 5 STIG didn't do this
(and instead included enforcement of secure policies for those services,
in case they were active). The approach from the RHEL 5 STIG seems
reasonable to me (and makes compliance simpler for a wider variety of use
cases), but I would like consensus thought on it.
2) Update on STIG process / plans from FSO. This could include
discussing any policy-type additions that should be expected as the
project content is vetted.
3) Discussion of severities. Most are the same as the RHEL 5 STIG
(where Rules are shared/similar). Let's discuss any changes.
4) Open questions/discussion. Operational concerns? Have we forgotten
anything?
Link is here:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-rh...
Talk to everyone at 11!
Thanks,
Jeff