From 48491e1c490d4556cbcc46f3ece23e4b28e71017 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Wed, 26 Feb 2014 16:08:58 -0500
Subject: [PATCH] [RFC] Updated RHEL6 manpage to reflect U.S. gov usage + RHT support claims
What does everyone think about including this in the manpage? If agreeable, will also create a wiki page --- RHEL/6/input/auxiliary/scap-security-guide.8 | 64 +++++++++++++++++++++++++- 1 files changed, 62 insertions(+), 2 deletions(-) diff --git a/RHEL/6/input/auxiliary/scap-security-guide.8 b/RHEL/6/input/auxiliary/scap-security-guide.8 index 696f405..f149a22 100644 --- a/RHEL/6/input/auxiliary/scap-security-guide.8 +++ b/RHEL/6/input/auxiliary/scap-security-guide.8 @@ -1,8 +1,9 @@ .TH scap-security-guide 8 "26 Jan 2013" "version 1" .SH NAME -SCAP Security Guide - Delivers security guidance, baselines, and associated validation mechanisms utilizing -the Security Content Automation Protocol (SCAP). +SCAP Security Guide - Delivers security guidance, baselines, and +associated validation mechanisms utilizing the Security Content +Automation Protocol (SCAP). .SH DESCRIPTION 
@@ -100,6 +101,65 @@ HTML tables reflecting which institutionalized policy a particular SSG rule conforms to. .RE +.SH STATEMENT OF SUPPORT +The SCAP Security Guide, an open source project jointly maintained by Red Hat +and the NSA, provides XCCDF and OVAL content for Red Hat technologies. As an open +source project, community participation extends into U.S. Department of Defense +agencies, civilian agencies, academia, and other industrial partners. + +SCAP Security Guide is provided to consumers through Red Hat's Extended +Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide +content is considered "vendor provided." + +Note that while Red Hat hosts the infrastructure for this project and +Red Hat engineers are involved as maintainers and leaders, there is no +commercial support contracts or service level agreements provided by Red Hat. + +Support, for both users and developers, is provided through the SCAP Security +Guide community. + +Homepage: https://fedorahosted.org/scap-security-guide/ +Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide + +.SH DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS +SCAP Security Guide content is considered vendor (Red Hat) provided content. +Per guidance from the U.S. National Institute of Standards and Technology (NIST), +U.S. Government programs are allowed to use Vendor produced SCAP content in absence +of "Governmental Authority" checklists. The specific NIST verbage: +http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority + +.SH DEPLOYMENT TO U.S. MILITARY SYSTEMS +DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products +incorporated into DoD information systems shall be configured in accordance +with DoD-approved security configuration guidelines" and tasks Defense +Information Systems Agency (DISA) to "develop and provide security configuration +guidance for IA and IA-enabled IT products in coordination with Director, NSA." 
+The output of this authority is the DISA Security Technical Implimentation Guides, +or STIGs. DISA FSO is in the process of moving the STIGs towards the use +of the NIST Security Content Automation Protocol (SCAP) in order to "automate" +compliance reporting of the STIGs. + +Through a common, shared vision, the SCAP Security Guide community enjoys +close collaboration directly with NSA and DISA FSO. As stated in Section 1.1 of +the RHEL6 STIG Overview, Version 1, Release 2, issued on 03-JUNE-2013: + +"The consensus content was developed using an open-source project called SCAP +Security Guide. The project's website is https://fedorahosted.org/scap-security-guide/. +Except for differences in formatting to accomodate the DISA STIG publishing +process, the content of the RHEL6 STIG should mirrot the SCAP Security Guide +content with only minor divergence as updates from multiple sources work through +the concensus process." + +The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013. Currently, the +DoD RHEL6 STIG contains only XCCDF content and is available online: +http://iase.disa.mil/stigs/os/unix/red_hat.html + +Content published against the iase.disa.mil website is authoratative +STIG content. The SCAP Security Guide project, as noted in the STIG overview, +is considered upstream content. Unlike DISA FSO, the SCAP Security Guide project +does publish OVAL automation content. Individual programs and C&A evaluators +make program-level determinations on the direct usage of the SCAP Security Guide. +Currently there is no blanket approval. .SH SEE ALSO .B oscap(8) -- 1.7.1
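Review bot: in the first hunk, the `.TH scap-security-guide 8 "26 Jan 2013" "version 1"` header is kept unchanged as context even though this patch (dated 26 Feb 2014) adds roughly sixty lines of new sections; bump the date string in `.TH` so the rendered page footer reflects the revision. The rewrap of the NAME line itself is fine.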
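Review bot: in the STATEMENT OF SUPPORT hunk, EPEL is expanded as "Extended Packages for Enterprise Linux"; the repository is "Extra Packages for Enterprise Linux", and since this sentence is the basis for the "vendor provided" claim the name should be exact. Several spellings need fixing before this lands: "Implimentation" (Implementation), "verbage" (verbiage), "accomodate" (accommodate), "authoratative" (authoritative), and "mirrot" / "concensus" inside the quoted STIG Overview passage, which should be checked against the DISA text so the quotation is verbatim. Grammar: "there is no commercial support contracts or service level agreements" should read "there are no", and "in absence of" should be "in the absence of". Formatting: `Homepage: https://...` and `Mailing List: https://...` are adjacent source lines with no `.br` between them, so man will fill them into a single paragraph; insert a `.br` between them or use `.TP` entries. Finally, "Currently there is no blanket approval." is the operative caveat for DoD readers; consider placing it ahead of the STIG Overview quotation so the "should mirror" language is not read as an approval to deploy SSG content in place of the authoritative STIG.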
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
