On 2/27/13 10:17 PM, Philip Shuman wrote:
On 2/27/13 11:41 AM, Philip Shuman wrote:
> > We are currently trying to map 8500 controls to the RHEL6 draft content
> > (either the version from git or DISA's website would work). The RHEL5 STIG
> > benchmark contains references to the IA controls, which allows the auditors
> > to tie each check back to 8500.
> >
> > Here is an example from RedHat_5-V1R1_STIG_Benchmark-xccdf:
> >
> > Rule Title:  The operating system must be a supported release.
> > STIG ID: GEN000100
> > Rule ID: SV-27049r1_rule
> > Vuln ID: V-11940
> > IA Controls: VIVM-1
> >
> > Is there any mapping either between RHEL6 and 8500 or even between
> > RHEL6 and RHEL5 that we could use to map these? It seems none of the
> > RHEL6 identifiers in either the build from git or the DISA website are common
> > with the past STIG content.
>
>The STIGs map back to NIST 800-53, so you may find a NIST 800-53 to
>DoD 8500.2 mapping useful. You can find that here:
>
>http://www.doncio.navy.mil/uploads/1118AMF13814.pdf
>
>With that said, I would be more than willing to add in the capability to tag
>rules by DoD 8500.2 section/requirement number if someone is willing to go
>through and do the actual tagging.
Thanks! That gets us where we want to go.

Here are the full steps I used for the record:

1a) The draft RedHat6 STIG from DISA includes references to CCI values.
(<ident> tag in U_RedHat6_v1r03_manual-xccdf.xml)

http://iase.disa.mil/stigs/os/unix/u_draft_redhat%206_v1r03_stig.zip


1b) Alternatively, the draft RedHat6 STIG from RedHat’s git repo includes
references to CCI values in a different tag.
(<reference href="http://iase.disa.mil/cci/index.html">352</reference>
in ssg-rhel6-xccdf.xml)

$ git clone ssh://git.fedorahosted.org/git/scap-security-guide.git


2) The CCI list then maps to NIST 800-53 values.
(<reference creator="NIST" title="NIST SP 800-53"… tag in U_CCI_List.xml)

http://iase.disa.mil/cci/u_cci_list.zip


3) Then, the NIST 800-53 values map to the DoD 8500.2 values.

http://www.doncio.navy.mil/uploads/1118AMF13814.pdf


Because every SSG rule has (or should have, anyway) a unique CCI tag we should be able to transform the associated NIST rules at some point. If we could find a machine readable mapping of NIST to 8500.2 values that could be added too.

Could you add a ticket to the project's wiki to track this? Seems important enough to not forget about over time.
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
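The three-step join described in the thread (SSG rule -> CCI number -> NIST SP 800-53 control -> DoD 8500.2 control), written out as an added example. This is not code from the SCAP Security Guide project or from anyone on the thread. The two XML fragments are constructed to mimic the tag shapes quoted above (the SSG `<reference href=".../cci/index.html">NNN</reference>` and the CCI list's `<reference creator="NIST" title="NIST SP 800-53" ...>`); the `index` attribute on the CCI reference, the rule ids, the CCI definitions and the 800-53 -> 8500.2 table are all placeholders and must be checked against the real ssg-rhel6-xccdf.xml, U_CCI_List.xml and the DON CIO mapping document before use. The one non-obvious step is normalising an 800-53 index such as "AC-2 (4)" or "CM-6 b" down to its base control before looking it up in a control-level 8500.2 table.

```python
"""Join SSG XCCDF rules -> CCI -> NIST SP 800-53 -> DoD 8500.2 (added example, not SSG code)."""
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
CCI_NS = "http://iase.disa.mil/cci"
CCI_HREF = "http://iase.disa.mil/cci/index.html"

# Constructed SSG-style benchmark fragment. Rule ids and CCI numbers are sample
# values chosen for the demo, not rules from ssg-rhel6-xccdf.xml.
SSG_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="sample-benchmark">
  <Rule id="rule_sample_a" severity="medium">
    <title>Sample rule A</title>
    <reference href="{CCI_HREF}">352</reference>
  </Rule>
  <Rule id="rule_sample_b" severity="low">
    <title>Sample rule B (two CCIs, one not in the CCI list)</title>
    <reference href="{CCI_HREF}">366</reference>
    <reference href="{CCI_HREF}">1234</reference>
  </Rule>
  <Rule id="rule_untagged" severity="low">
    <title>Rule with no CCI reference at all</title>
  </Rule>
</Benchmark>"""

# Constructed CCI-list fragment modelled on U_CCI_List.xml. The index values are
# placeholders for the demo, not the real CCI-to-800-53 assignments.
CCI_LIST = f"""<cci_list xmlns="{CCI_NS}">
  <cci_items>
    <cci_item id="CCI-000352">
      <references>
        <reference creator="NIST" title="NIST SP 800-53" version="3" index="AC-2 (4)"/>
      </references>
    </cci_item>
    <cci_item id="CCI-000366">
      <references>
        <reference creator="NIST" title="NIST SP 800-53" version="3" index="CM-6 b"/>
      </references>
    </cci_item>
  </cci_items>
</cci_list>"""

# Placeholder 800-53 -> 8500.2 table keyed by base control. Fill this from the
# DON CIO mapping PDF (or a machine-readable equivalent) for real use.
NIST_TO_8500_SAMPLE = {"AC-2": "IAAC-1", "CM-6": "DCCS-1"}


def cci_id(number):
    """SSG stores the bare number ("352"); the CCI list uses CCI-000352."""
    return f"CCI-{int(number):06d}"


def rules_to_ccis(xccdf_text):
    """Map every <Rule id> to the CCI ids found in its CCI <reference> children."""
    root = ET.fromstring(xccdf_text)
    out = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        ccis = [cci_id(ref.text.strip())
                for ref in rule.findall(f"{{{XCCDF_NS}}}reference")
                if ref.get("href") == CCI_HREF and ref.text and ref.text.strip().isdigit()]
        out[rule.get("id")] = ccis
    return out


def cci_to_80053(cci_text):
    """Map every cci_item id to the 800-53 index strings on its NIST references."""
    root = ET.fromstring(cci_text)
    out = {}
    for item in root.iter(f"{{{CCI_NS}}}cci_item"):
        controls = [ref.get("index")
                    for ref in item.iter(f"{{{CCI_NS}}}reference")
                    if ref.get("creator") == "NIST"
                    and ref.get("title", "").startswith("NIST SP 800-53")]
        out[item.get("id")] = controls
    return out


BASE_CONTROL = re.compile(r"^[A-Z]{2}-\d+")


def base_control(index):
    """'AC-2 (4)' -> 'AC-2', 'CM-6 b' -> 'CM-6': drop enhancement and part suffixes."""
    match = BASE_CONTROL.match(index)
    return match.group(0) if match else None


def map_rules(xccdf_text, cci_text, nist_to_8500):
    """Return {rule_id: [(cci, nist_index, dod_8500_control), ...]}.

    A CCI missing from the CCI list yields (cci, None, None); an 800-53 control
    missing from the 8500.2 table yields (cci, index, None), so gaps stay visible.
    """
    rule_ccis = rules_to_ccis(xccdf_text)
    cci_nist = cci_to_80053(cci_text)
    result = {}
    for rule_id, ccis in rule_ccis.items():
        rows = []
        for cci in ccis:
            indexes = cci_nist.get(cci)
            if indexes is None:
                rows.append((cci, None, None))
                continue
            for idx in indexes:
                rows.append((cci, idx, nist_to_8500.get(base_control(idx))))
        result[rule_id] = rows
    return result


if __name__ == "__main__":
    for rule_id, rows in map_rules(SSG_XCCDF, CCI_LIST, NIST_TO_8500_SAMPLE).items():
        print(rule_id, rows if rows else "(no CCI tag)")
```

Running it against the real files is a matter of reading ssg-rhel6-xccdf.xml and U_CCI_List.xml into the two text arguments; rules that come back with an empty list are exactly the ones the thread says should not exist, so the untagged set doubles as a lint check before any 8500.2 tagging is attempted.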