On 12/19/13, 11:00 AM, [email protected] wrote:
This is just a curiosity question.  In the ssg-rhel6-xccdf.xml there are
several profiles listed:  common, server, stig-rhel6-server,
usgcb-rhel6-server among others.  I was curious how the tests for each
profile were selected, especially the stig-rhel6-server and
usgcb-rhel6-server.  Was this the consensus of a group of SMEs?  Also,
is there anything out there that documents why some tests were included
and others were not?  As I said, just curious about the process.  Thanks

STIG baselines are developed following the DoD Consensus model. DISA FSO drops a list of requirements (CCIs) that we map rules against. The <ref> tags are used for this purpose. Reference line 125:
https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/system/selinux.xml

We then transform these mappings into an HTML table:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-stig-rhel6.html

Afterwards, we hold a DoD consensus meeting which involves representatives from all DoD, IC, and civilian parties. Over the course of a day or two, we step through every. single. line. of that table and verify all parties feel the CCI requirements are met. Some time afterward, DISA generates the STIG.

The USGCB profile will be created in much the same way. Currently we're performing the mappings against NIST 800-53, with the future intent to validate these mappings with NIST, NSA, and other stakeholders.

Hope this helps!
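An added illustration of the mapping step described above (this script is not from the SSG project and was not part of the thread): it reads SSG-style `<Rule>` input carrying `<ref disa="..." nist="..."/>` children, inverts the rule-to-CCI mapping into the CCI-to-rule view a consensus table is read by, emits that as HTML, and lists rules with no CCI reference, which is the gap a review would flag. The attribute layout is assumed from the RHEL6 input format; the sample rules and CCI numbers are constructed, not taken from selinux.xml.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the style of the SSG RHEL6 input XML (assumption:
# <Rule id> elements with <ref disa="..." nist="..."/> children).
# Rule ids and CCI numbers here are illustrative, not the project's data.
SAMPLE_XML = """<Group id="selinux">
  <Rule id="set_selinux_state" severity="medium">
    <title>Ensure SELinux State is Enforcing</title>
    <ref nist="AC-3,AC-3(3),AC-4,AC-6,AU-9" disa="22,32"/>
  </Rule>
  <Rule id="selinux_confinement_of_daemons" severity="medium">
    <title>Ensure No Daemons are Unconfined by SELinux</title>
    <ref nist="AC-6,AU-9,CM-7" disa=""/>
  </Rule>
  <Rule id="selinux_all_devicefiles_labeled" severity="low">
    <title>Ensure All Device Files are Labeled</title>
  </Rule>
</Group>"""


def parse_refs(xml_text):
    """Return {rule_id: {"disa": [...], "nist": [...]}} from SSG-style input.

    Comma-separated attribute values are split; empty attributes yield no refs.
    """
    root = ET.fromstring(xml_text)
    mapping = {}
    for rule in root.iter("Rule"):
        entry = {"disa": [], "nist": []}
        for ref in rule.findall("ref"):
            for key in ("disa", "nist"):
                vals = [v.strip() for v in ref.get(key, "").split(",") if v.strip()]
                entry[key].extend(vals)
        mapping[rule.get("id")] = entry
    return mapping


def invert(mapping, key):
    """Turn rule -> refs into ref -> rules, the view a consensus table is read by."""
    by_ref = defaultdict(list)
    for rule_id, refs in mapping.items():
        for r in refs[key]:
            by_ref[r].append(rule_id)
    return dict(by_ref)


def unmapped_rules(mapping, key="disa"):
    """Rules carrying no reference of the given kind; they would have no row in the table."""
    return sorted(r for r, refs in mapping.items() if not refs[key])


def to_html_table(mapping, key="disa"):
    """Render the inverted mapping as a minimal HTML table (one row per reference)."""
    by_ref = invert(mapping, key)
    rows = ["<table>", f"<tr><th>{key.upper()}</th><th>Rules</th></tr>"]
    for ref in sorted(by_ref, key=lambda s: (len(s), s)):
        rows.append(f"<tr><td>{ref}</td><td>{', '.join(by_ref[ref])}</td></tr>")
    rows.append("</table>")
    return "\n".join(rows)


if __name__ == "__main__":
    m = parse_refs(SAMPLE_XML)
    print(to_html_table(m))
    print("rules with no CCI mapping:", unmapped_rules(m))
```

Run against a real input file by replacing `SAMPLE_XML` with the file contents; the unmapped list is the quickest way to see which rules a profile includes without any requirement backing them.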
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide