On Tue, Oct 04, 2016 at 10:15:04PM -0400, Shawn Wells wrote:
> On 10/4/16 4:51 PM, Olivier BONHOMME wrote:
> > Le 04/10/2016 à 16:26, Gabe Alford a écrit :
> >> > Hello,
> >> >
> >> > Both the DISA SRGs and STIGIDs are added to the applicable RHEL/7
> >> > content.
> >> > You can verify this by either `grep -rni 'stigid\|srg'
> >> > RHEL/7/input/xccdf`, or `grep 'SRG\|RHEL-07' ssg-rhel7-xccdf.xml`
> >> > Also, when a report is generated with the oscap --report option, the SRG
> >> > and STIGID identifiers can be viewed in the report.
> >> >
> >> > Gabe
> > Hello Gabe,
> > Thanks for your answer. So I tried to write a little script which takes
> > the XCCDF file downloaded from DISA site and try to find the matching
> > rules into the RHEL/7/input/xccdf/*.xml files.
> > For now, I justed focused on the stigid identifiers not on the SGR ones.
> > Actually the result is that I have 97 rules matching with the DISA XCCDF
> > upstream file ?
> > Do you think it is a relevant number ?
> > Browsing the OPENSCAP XCCDF files I realised that there were some DISA
> > rules that maybe already covered but there is not actually a stigid
> > attributed attached to these rules.
> > Do you think it can be relevant if I try to complete OPENSCAP XCCDF
> > files with missing stigid if matches can be found against the DISA XCCDF
> > upstream file ? Or is it definitely not the process ?
> Since you appear to be working from source: `make tables` is your
> friend :)
> It'll generate HTML mapping tables, such as these:
> "What rules map to a given OS SRG?"
> "What NIST 800-53 controls are satisfied, and how?"
Hello the list,
I made that little sheet
https://hosting.ptitoliv.net/owncloud/index.php/s/ZUIwPiXXfvqntA6 where I tried
to map DISA STIG rules against openscap rules located into input/xccdf
I found there were several rules (63) which didn't have a declared OpenSCAP
rule stigid reference but that actually had a matching rule. So I put in front
on these rules a matching OpenSCAP rule.
You can show these rules in the sheet using the following filter :
* Matching rule status : Checked by OB
* Potential OSCAP Matching rule : Everything except "Not Available"
Do you think it is relevant ? If it is, would you accept some PR in order to
update the stigid reference for these rules.
I also detected 76 DISA Rules without any matching test. Is it planned from
scap-security-guide project to create new rules in order to have a complete (or
almost complete) coverage against DISA Stig XCCF ?
Thanks for your answers
scap-security-guide mailing list -- email@example.com
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org