On Tue, Oct 04, 2016 at 10:15:04PM -0400, Shawn Wells wrote:
> 
> 
> On 10/4/16 4:51 PM, Olivier BONHOMME wrote:
> > On 04/10/2016 at 16:26, Gabe Alford wrote:
> >> > Hello,
> >> > 
> >> > Both the DISA SRGs and STIGIDs are added to the applicable RHEL/7 
> >> > content.
> >> > You can verify this by either `grep -rni 'stigid\|srg'
> >> > RHEL/7/input/xccdf`, or `grep 'SRG\|RHEL-07' ssg-rhel7-xccdf.xml`
> >> > Also, when a report is generated with the oscap --report option, the SRG
> >> > and STIGID identifiers can be viewed in the report.
> >> > 
> >> > Gabe
> > Hello Gabe,
> >
> > Thanks for your answer. So I tried to write a little script which takes
> > the XCCDF file downloaded from the DISA site and tries to find the matching
> > rules in the RHEL/7/input/xccdf/*.xml files.
> >
> > For now, I just focused on the stigid identifiers, not on the SRG ones.
> > Actually the result is that I have 97 rules matching with the DISA XCCDF
> > upstream file?
> >
> > Do you think it is a relevant number?
> >
> > Browsing the OPENSCAP XCCDF files I realised that there were some DISA
> > rules that may already be covered, but there is not actually a stigid
> > attribute attached to these rules.
> >
> > Do you think it would be relevant if I tried to complete the OPENSCAP XCCDF
> > files with the missing stigids where matches can be found against the DISA
> > XCCDF upstream file? Or is that definitely not the process?
> 
> 
> Since you appear to be working from source:  `make tables` is your
> friend  :)
> 
> It'll generate HTML mapping tables, such as these:
> 
> "What rules map to a given OS SRG?"
> http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-srgmap.html
> 
> "What NIST 800-53 controls are satisfied, and how?"
> http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-nistrefs.html

Hello Shawn,

Thanks for these two links, but to be honest I'm a little bit confused about the 
available information.

That's why I have several questions in order to improve my understanding:
        - On the srgmap table, does the "rules mapped" column refer to the 
OpenSCAP profile?
        - On the srgmap table, are all the SRG rules from DISA listed, even 
the ones without a matching test? Actually, as I said in my first mail, I am trying 
to get a status of the DISA STIG rules that are covered by the OpenSCAP profile, 
and above all of the rules that are not covered.

Referring to my last question, I have another question: I thought that instead 
of considering the general SRG rules, it would be more relevant to consider the 
derived RHEL-07-XXXXXX rules, which are product-specific. I found this table in 
the output directory: 
http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-stig-manual.html.
Could it be relevant to put the OpenSCAP test next to each RHEL-07-XXXXXX rule 
in order to have a coverage rate against the DISA product-specific rules?

I thought that mapping was done with the stig_auxiliary file, but actually the 
RHEL rules specified in that XML file are for RHEL6 and not for RHEL7. Is it 
normal that there are RHEL-06-XXXXX rules in that file for the RHEL7 input? It 
seems a little bit strange to me.

I also looked at the disa-os-srg-v1r1.xml file, but the rules are not named like 
in the latest file provided on the DISA site: rules are in the format V-XXXXXX 
instead of RHEL-07-XXXXXX. Is it normal?

Thanks for your answers

Regards,
Olivier Bonhomme
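Below is an added example (not from SSG or from anyone in this thread) of the kind of comparison script described above: it reads the V-number and the RHEL-07 rule version from a DISA-format XCCDF and the stigid references from SSG-style input rules, then reports which DISA rules are covered, which are not, and which SSG stigids no longer appear in the DISA file. Both XML fragments are constructed stand-ins, and the `<ref stigid="..."/>` layout of the SSG input rules is an assumption.

```python
"""Compare DISA STIG rule IDs with the STIG IDs referenced in SSG input XCCDF."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a DISA benchmark: Group id is the V-number, Rule <version>
# is the product-specific RHEL-07 ID (the two naming forms discussed in the thread).
DISA_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <Group id="V-71849"><Rule id="SV-86473r2_rule"><version>RHEL-07-010010</version></Rule></Group>
  <Group id="V-71855"><Rule id="SV-86479r2_rule"><version>RHEL-07-010020</version></Rule></Group>
  <Group id="V-71859"><Rule id="SV-86483r2_rule"><version>RHEL-07-010030</version></Rule></Group>
</Benchmark>"""

# Constructed stand-in for SSG input rules; assumes a <ref stigid="..."/> element per rule.
SSG_INPUT = """<Group id="system">
  <Rule id="rpm_verify_permissions"><ref stigid="RHEL-07-010010"/></Rule>
  <Rule id="rpm_verify_hashes"><ref stigid="RHEL-07-010020"/></Rule>
  <Rule id="banner_etc_issue"><ref nist="AC-8"/></Rule>
</Group>"""

STIG_ID = re.compile(r"^RHEL-07-\d{6}$")

def disa_rules(xml_text):
    """Return {RHEL-07 ID: V-number} for every Rule in the DISA benchmark."""
    out = {}
    for group in ET.fromstring(xml_text).iterfind(".//{*}Group"):
        for rule in group.iterfind(".//{*}Rule"):
            ver = (rule.findtext("{*}version") or "").strip()
            if STIG_ID.match(ver):
                out[ver] = group.get("id")
    return out

def ssg_stigids(xml_text):
    """Return {RHEL-07 ID: SSG rule id} from <ref stigid="..."/> references."""
    out = {}
    for rule in ET.fromstring(xml_text).iterfind(".//{*}Rule"):
        for ref in rule.iterfind(".//{*}ref"):
            for sid in ref.get("stigid", "").split(","):  # tolerate comma-separated lists
                if STIG_ID.match(sid.strip()):
                    out[sid.strip()] = rule.get("id")
    return out

def coverage(disa, ssg):
    """Split DISA IDs into covered/uncovered; also flag SSG IDs DISA no longer lists."""
    covered = {k: (v, ssg[k]) for k, v in disa.items() if k in ssg}
    uncovered = {k: v for k, v in disa.items() if k not in ssg}
    stale = sorted(k for k in ssg if k not in disa)
    return covered, uncovered, stale

if __name__ == "__main__":
    cov, unc, stale = coverage(disa_rules(DISA_XCCDF), ssg_stigids(SSG_INPUT))
    print(f"covered {len(cov)}/{len(cov) + len(unc)}, missing: {sorted(unc)}, stale: {stale}")
```

Pointing the two loaders at the real DISA benchmark and a concatenation of the RHEL/7/input/xccdf files gives the per-rule coverage table asked about above; the "stale" list is the check that catches SSG references left over from an older DISA release.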
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org