> On 2/27/13 11:41 AM, Philip Shuman wrote: > > We are currently trying to map 8500 controls to the RHEL6 draft content > (either the version from git or DISA's website would work). The RHEL5 STIG > benchmark contains references to the IA controls, which allows the auditors > to tie each check back to 8500. > > > > Here is an example from RedHat_5-V1R1_STIG_Benchmark-xccdf: > > > > Rule Title: The operating system must be a supported release. > > STIG ID: GEN000100 > > Rule ID: SV-27049r1_rule > > Vuln ID: V-11940 > > IA Controls:VIVM-1 > > > > Is there any mapping either between RHEL6 and 8500 or even between > RHEL6 and RHEL5 that we could use to map these? It seems none of the > RHEL6 identifiers in either the build from git or the DISA website are common > with the past STIG content. > > The STIGs map back to NIST 800-53, so what you may find a NIST 800-53 to > DoD 8500.2 mapping useful. You can find that here: > > http://www.doncio.navy.mil/uploads/1118AMF13814.pdf > > With that said, I would be more than willing to add-in the capability to tag > rules by DoD 8500.2 section/requirement number if someone is willing to go > through and do the actual tagging
Thanks! That gets us where we want to go. Here are the full steps I used for the record: 1a) The draft RedHat6 STIG from DISA includes references to CCI values. (<ident> tag in U_RedHat6_v1r03_manual-xccdf.xml) http://iase.disa.mil/stigs/os/unix/u_draft_redhat%206_v1r03_stig.zip 1b) Alternatively, the draft RedHat6 STIG from RedHat’s git repo includes references to CCI values in a different tag. (<reference href="http://iase.disa.mil/cci/index.html";>352</reference> in ssg-rhel6-xccdf.xml) $ git clone ssh://git.fedorahosted.org/git/scap-security-guide.git 2) The CCI list then maps to NIST 800-53 values. (<reference creator="NIST" title="NIST SP 800-53"… tag in U_CCI_List.xml) http://iase.disa.mil/cci/u_cci_list.zip 3) Then, the NIST 800-53 values map to the DoD 8500.2 values. http://www.doncio.navy.mil/uploads/1118AMF13814.pdf _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
