On Tue, Oct 04, 2016 at 10:15:04PM -0400, Shawn Wells wrote:
>
> On 10/4/16 4:51 PM, Olivier BONHOMME wrote:
> > On 04/10/2016 at 16:26, Gabe Alford wrote:
> > > Hello,
> > >
> > > Both the DISA SRGs and STIGIDs are added to the applicable RHEL/7
> > > content.
> > > You can verify this by either
> > > `grep -rni 'stigid\|srg' RHEL/7/input/xccdf`, or
> > > `grep 'SRG\|RHEL-07' ssg-rhel7-xccdf.xml`
> > > Also, when a report is generated with the oscap --report option, the SRG
> > > and STIGID identifiers can be viewed in the report.
> > >
> > > Gabe
> >
> > Hello Gabe,
> >
> > Thanks for your answer. So I tried to write a little script which takes
> > the XCCDF file downloaded from the DISA site and tries to find the matching
> > rules in the RHEL/7/input/xccdf/*.xml files.
> >
> > For now, I just focused on the stigid identifiers, not on the SRG ones.
> > Actually the result is that I have 97 rules matching with the DISA XCCDF
> > upstream file?
> >
> > Do you think it is a relevant number?
> >
> > Browsing the OPENSCAP XCCDF files I realised that there were some DISA
> > rules that may be already covered but there is not actually a stigid
> > attribute attached to these rules.
> >
> > Do you think it can be relevant if I try to complete the OPENSCAP XCCDF
> > files with missing stigid if matches can be found against the DISA XCCDF
> > upstream file? Or is it definitely not the process?
>
> Since you appear to be working from source: `make tables` is your
> friend :)
>
> It'll generate HTML mapping tables, such as these:
>
> "What rules map to a given OS SRG?"
> http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-srgmap.html
>
> "What NIST 800-53 controls are satisfied, and how?"
> http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-nistrefs.html
>

Hello the list,

I made this little sheet
https://hosting.ptitoliv.net/owncloud/index.php/s/ZUIwPiXXfvqntA6
where I tried to map DISA STIG rules against the openscap rules located in the
input/xccdf directory.

I found there were several rules (63) which didn't have a declared OpenSCAP
rule stigid reference but that actually had a matching rule. So I put in front
of these rules a matching OpenSCAP rule. You can show these rules in the sheet
using the following filter:

* Matching rule status : Checked by OB
* Potential OSCAP Matching rule : Everything except "Not Available"

Do you think it is relevant? If it is, would you accept some PRs in order to
update the stigid reference for these rules?

I also detected 76 DISA rules without any matching test. Is it planned by the
scap-security-guide project to create new rules in order to have a complete
(or almost complete) coverage against the DISA STIG XCCDF?

Thanks for your answers

Regards,
Olivier Bonhomme
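
The stigid cross-check discussed in this thread, as an added example that is not part of the original messages or of the scap-security-guide code base. It assumes the DISA file carries each STIG ID in a Rule's <version> element and that the input files carry it in a `stigid` attribute on a <ref> element, in full or short form; both XML samples and all rule ids are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not real DISA or scap-security-guide content.
DISA_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
 <Group id="V-1"><Rule id="SV-1r1_rule"><version>RHEL-07-010010</version></Rule></Group>
 <Group id="V-2"><Rule id="SV-2r1_rule"><version>RHEL-07-010020</version></Rule></Group>
 <Group id="V-3"><Rule id="SV-3r1_rule"><version>RHEL-07-010030</version></Rule></Group>
</Benchmark>"""
SSG_INPUT = """<Group id="example">
 <Rule id="rule_one"><ref stigid="RHEL-07-010010"/></Rule>
 <Rule id="rule_two"><ref nist="CM-6" stigid="010020, 010021"/></Rule>
 <Rule id="rule_without_stigid"><ref nist="AC-6"/></Rule>
</Group>"""

def local(tag):
    """Element name without its XML namespace, so both file flavours parse."""
    return tag.rsplit("}", 1)[-1]

def norm(stigid, prefix="RHEL-07-"):
    """Assumption: a short id such as 010020 means RHEL-07-010020."""
    s = stigid.strip()
    return s if s.startswith(prefix) else prefix + s

def disa_stig_ids(xml_text):
    """Map STIG ID -> DISA rule id, read from each Rule's <version> child."""
    ids = {}
    for rule in ET.fromstring(xml_text).iter():
        if local(rule.tag) == "Rule":
            for child in rule:
                if local(child.tag) == "version" and child.text:
                    ids[norm(child.text)] = rule.get("id")
    return ids

def ssg_stigid_refs(xml_texts):
    """Map STIG ID -> list of input rule ids that declare it."""
    refs = {}
    for text in xml_texts:
        for rule in ET.fromstring(text).iter():
            if local(rule.tag) != "Rule":
                continue
            for ref in rule.iter():
                if local(ref.tag) == "ref" and ref.get("stigid"):
                    for s in ref.get("stigid").split(","):
                        refs.setdefault(norm(s), []).append(rule.get("id"))
    return refs

def coverage(disa, refs):
    """Return (matched, DISA ids with no reference, references unknown to DISA)."""
    matched = {s: refs[s] for s in disa if s in refs}
    return matched, sorted(set(disa) - set(refs)), sorted(set(refs) - set(disa))

if __name__ == "__main__":
    print(coverage(disa_stig_ids(DISA_XCCDF), ssg_stigid_refs([SSG_INPUT])))
```

The second list is the set of STIG IDs that still need either a stigid reference on an existing rule or a new rule; the third flags references that no longer exist in the DISA file.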