On Tue, Oct 04, 2016 at 10:15:04PM -0400, Shawn Wells wrote:
>
> On 10/4/16 4:51 PM, Olivier BONHOMME wrote:
> > On 04/10/2016 at 16:26, Gabe Alford wrote:
> >> > Hello,
> >> >
> >> > Both the DISA SRGs and STIGIDs are added to the applicable RHEL/7
> >> > content.
> >> > You can verify this by either `grep -rni 'stigid\|srg'
> >> > RHEL/7/input/xccdf`, or `grep 'SRG\|RHEL-07' ssg-rhel7-xccdf.xml`
> >> > Also, when a report is generated with the oscap --report option, the SRG
> >> > and STIGID identifiers can be viewed in the report.
> >> >
> >> > Gabe
> > Hello Gabe,
> >
> > Thanks for your answer. So I tried to write a little script which takes
> > the XCCDF file downloaded from the DISA site and tries to find the matching
> > rules in the RHEL/7/input/xccdf/*.xml files.
> >
> > For now, I just focused on the stigid identifiers, not on the SRG ones.
> > Actually the result is that I have 97 rules matching with the DISA XCCDF
> > upstream file. Do you think it is a relevant number?
> >
> > Browsing the OpenSCAP XCCDF files I realised that there were some DISA
> > rules that are maybe already covered, but there is not actually a stigid
> > attribute attached to these rules.
> >
> > Do you think it can be relevant if I try to complete the OpenSCAP XCCDF
> > files with the missing stigids if matches can be found against the DISA XCCDF
> > upstream file? Or is it definitely not the process?
>
> Since you appear to be working from source: `make tables` is your
> friend :)
>
> It'll generate HTML mapping tables, such as these:
>
> "What rules map to a given OS SRG?"
> http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-srgmap.html
>
> "What NIST 800-53 controls are satisfied, and how?"
> http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-nistrefs.html
Hello Shawn,

Thanks for these two links, but to be honest I'm a little bit confused about the available information. That's why I have several questions in order to improve my understanding:

- On the srgmap table, does the "rules mapped" column refer to the OpenSCAP profile?
- On the srgmap table, are all the SRG rules from DISA listed, even the ones without a matching test?

Actually, as I said in my first mail, I am trying to get a status of the DISA STIG rules that are covered by the OpenSCAP profile and, above all, of the rules that are not covered.

Referring to my last question, I have another question: I thought that instead of considering the general SRG rules, it would be more relevant to consider the derived RHEL-07-XXXXXX rules, which are product specific. I found this table in the output directory: http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-stig-manual.html. Could it be relevant to put the OpenSCAP test in front of each RHEL-07-XXXXXX in order to have a coverage rate against the DISA product specific rules?

I thought that mapping was done with the stig_auxiliary file, but actually the RHEL rules specified in that XML file are for RHEL6 and not for RHEL7. Is it normal that there are RHEL-06-XXXXX rules in that file for the RHEL7 input? It seems a little bit strange to me.

I also looked at the disa-os-srg-v1r1.xml file, but the rules are not named like in the latest file provided on the DISA site: rules are in the format V-XXXXXX instead of RHEL-07-XXXXXX. Is it normal?

Thanks for your answers.

Regards,
Olivier Bonhomme

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
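The matching Olivier describes (which DISA RHEL-07 STIG IDs some SSG rule already claims through the stigid/SRG references Gabe mentions, and which are left uncovered), as an added Python example that is not part of this thread or of the scap-security-guide project. The XCCDF fragments, ids and the reference href are constructed stand-ins; the code assumes the DISA benchmark carries the STIG ID in each Rule's <version> and the SRG in the enclosing Group's title, and that the built SSG XCCDF lists the STIG ID as the text of a <reference> element.

```python
import re
import xml.etree.ElementTree as ET

STIG_ID_RE = re.compile(r"^RHEL-07-\d{6}$")  # RHEL7 STIG ids only; RHEL-06 ones are ignored

def _local(tag):  # strip the namespace so XCCDF 1.1 and 1.2 files are handled alike
    return tag.rsplit("}", 1)[-1]

def disa_rules(xccdf_text):
    """STIG ID (each DISA <Rule>'s <version>) -> its V-/SV- ids and parent SRG."""
    rules = {}
    for group in ET.fromstring(xccdf_text).iter():
        if _local(group.tag) != "Group":
            continue
        srg = next((c.text for c in group if _local(c.tag) == "title"), None)
        for rule in (c for c in group if _local(c.tag) == "Rule"):
            fields = {_local(c.tag): (c.text or "").strip() for c in rule}
            if fields.get("version"):
                rules[fields["version"]] = {"group": group.get("id"),
                                            "rule": rule.get("id"), "srg": srg}
    return rules

def ssg_stig_refs(xccdf_text):
    """STIG ID -> set of SSG rule ids whose <reference> text names it."""
    refs = {}
    for rule in ET.fromstring(xccdf_text).iter():
        if _local(rule.tag) != "Rule":
            continue
        for ref in rule:
            text = (ref.text or "").strip()
            if _local(ref.tag) == "reference" and STIG_ID_RE.match(text):
                refs.setdefault(text, set()).add(rule.get("id"))
    return refs

def coverage(disa, ssg):
    """Split DISA STIG IDs into those some SSG rule claims and those none does."""
    covered = {sid: sorted(ssg[sid]) for sid in disa if sid in ssg}
    missing = sorted(sid for sid in disa if sid not in ssg)
    return covered, missing

# Constructed fragments in the shape of the two files (not real DISA or SSG content).
DISA_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
<Group id="V-000001"><title>SRG-OS-000001-GPOS-00001</title><Rule id="SV-000001r1_rule"><version>RHEL-07-010010</version></Rule></Group>
<Group id="V-000002"><title>SRG-OS-000002-GPOS-00002</title><Rule id="SV-000002r1_rule"><version>RHEL-07-010020</version></Rule></Group>
</Benchmark>"""
SSG_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1"><Rule id="rpm_verify_permissions">
<reference href="https://example.invalid/disa-stig">RHEL-07-010010</reference>
<reference href="https://example.invalid/disa-stig">RHEL-06-000001</reference>
</Rule></Benchmark>"""
```

Running `coverage(disa_rules(DISA_XCCDF), ssg_stig_refs(SSG_XCCDF))` on the constructed fragments reports RHEL-07-010010 as covered by rpm_verify_permissions and RHEL-07-010020 as not yet covered; pointed at the real DISA benchmark and ssg-rhel7-xccdf.xml, the `missing` list is the set of product-specific rules still lacking a stigid reference.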