On Fri, Dec 20, 2013, at 08:04 AM, Shawn Wells wrote:
> On 12/19/13, 11:00 AM, [email protected] wrote:
> > This is just a curiosity question. In the ssg-rhel6-xccdf.xml there are
> > several profiles listed: common, server, stig-rhel6-server,
> > usgcb-rhel6-server among others. I was curious how the tests for each
> > profile were selected, especially the stig-rhel6-server and
> > usgcb-rhel6-server. Was this the consensus of a group of SMEs? Also,
> > is there anything out there that documents why some tests were included
> > and others were not. As I said, just curious about the process. Thanks
>
> STIG baselines are developed following the DoD Consensus model. DISA FSO
> drops a list of requirements (CCIs) that we map rules against. The <ref>
> tags are used for this purpose. Reference line 125:
> https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/system/selinux.xml
>
> We then transform these mappings into an HTML table:
> http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-stig-rhel6.html
>
> Afterwards, we hold a DoD consensus meeting which involves
> representatives from all DoD, IC, and civilian parties. Over the course
> of a day or two, we step through every. single. line. of that table and
> verify all parties feel the CCI requirements are met. Some time
> afterward, DISA generates the STIG.
>
> The USGCB profile will be created in much the same way. Currently we're
> performing the mappings against NIST 800-53, with the future intent to
> validate these mappings with NIST, NSA, and other stakeholders.
>
> Hope this helps!
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
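The rule-to-CCI mapping Shawn describes, as an added illustration that is not SSG's own tooling: it reads a constructed fragment written in the style of the RHEL6 input XML (Rule elements with a `<ref disa="..." nist="..."/>` child, an assumed layout), inverts it into the CCI-to-rules view the consensus table is built from, and reports the two gaps a reviewer looks for: a required CCI no rule claims, and a rule carrying no reference at all.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the style of SSG's RHEL6 input XML (not the real selinux.xml):
# each <ref> lists, in disa=, the CCI numbers the enclosing <Rule> is claimed to satisfy.
SAMPLE_XML = """<Group id="selinux">
  <Rule id="set_selinux_state" severity="medium">
    <title>Ensure SELinux State is Enforcing</title>
    <ref nist="AC-3,AC-3(3),AC-6" disa="22,32" />
  </Rule>
  <Rule id="set_selinux_policy" severity="medium">
    <title>Configure SELinux Policy</title>
    <ref nist="AC-3,AC-6" disa="32" />
  </Rule>
  <Rule id="selinux_confinement_of_daemons" severity="low">
    <title>Ensure No Daemons are Unconfined by SELinux</title>
  </Rule>
</Group>"""

# Constructed stand-in for the CCI list DISA FSO drops; "1084" has no rule on purpose.
REQUIRED_CCIS = ["22", "32", "1084"]

def rule_to_ccis(xml_text):
    """Return {rule id: set of CCI numbers} taken from each Rule's <ref disa=...>."""
    mapping = {}
    for rule in ET.fromstring(xml_text).iter("Rule"):
        ccis = set()
        for ref in rule.findall("ref"):
            ccis.update(c.strip() for c in ref.get("disa", "").split(",") if c.strip())
        mapping[rule.get("id")] = ccis
    return mapping

def cci_coverage(mapping, required):
    """Invert to {CCI: sorted rule ids}; a required CCI nobody maps to gets []."""
    by_cci = defaultdict(list)
    for rule_id, ccis in mapping.items():
        for cci in ccis:
            by_cci[cci].append(rule_id)
    return {cci: sorted(by_cci[cci]) for cci in required}

def unmapped_rules(mapping):
    """Rules carrying no CCI reference: they will be absent from the consensus table."""
    return sorted(r for r, ccis in mapping.items() if not ccis)

def as_html_table(coverage):
    """Render the CCI -> rules mapping as the kind of table walked through in review."""
    rows = "".join("<tr><td>CCI-%s</td><td>%s</td></tr>" % (c, ", ".join(r) or "(none)")
                   for c, r in sorted(coverage.items(), key=lambda kv: int(kv[0])))
    return "<table><tr><th>CCI</th><th>Rules</th></tr>%s</table>" % rows
```

Run it against a real input file by replacing SAMPLE_XML with the file's contents; the "(none)" rows and the unmapped rule list are what a consensus review would want settled before DISA generates the STIG.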
That helps a lot, thanks. A follow-up question. Just a little confused and want to make sure I understand. Your comments above refer to how the "stig-rhel6-server" profile was created? If that is correct, does http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-stig-rhel6.html list the tests that are enabled in the "stig-rhel6-server" profile? Or are your comments referring to the baseline DISA STIG as a whole that is available via the NIST checklist repository?
