On 3/24/17 3:57 PM, [email protected] wrote:
> DISA has released a STIG for RHEL 7.  redhatrises updated an overlay to 
> account for the final release from DISA of RHEL7 STIG.  What additional work, 
> if any, needs to be done to SSG in order for oscap to be able to scan 
> relative to the final DISA STIG for RHEL 7?
>
> When I clone the github repository, run cmake and examine 
> build/ssg-rhel7-ds.xml, it shows 
> xccdf_org.ssgproject.content_rule_encrypt_partitions select="true" for 
> profile *STIG for Red Hat Enterprise Linux 7 Server Running GUI*.  When I 
> load up the final RHEL7 STIG, I can't find any vulnerability related to 
> unencrypted partitions.  Am I missing the vulnerability in the STIG, or is 
> the SSG adding security checks to the profile?

DISA decided against following the Vendor STIG process and also chose
not to host DoD consensus meetings on the content they released. As a
result the production readiness of the DISA provided content is largely
unknown. Would wager not having encrypted data at rest is an oversight
in their content (it was specifically recommended by Red Hat and DoD).
There are likely yet-to-be-discovered discrepancies between
configuration rules recommended by DoD + Red Hat vs what DISA published.

Now that DISA has published something, we likely need to restructure our
profiles a bit.

- Rename the existing stig-rhel7-server-upstream profile to DoD Secure
Host Baseline (e.g. shb-rhel7-server), to reflect future DoD CIO strategy;

- Create a 'stig-rhel7-server' profile that aligns to only the rules
shipped by DISA
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]

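The question above asks whether SSG is selecting checks in its STIG profile that the DISA release does not contain. As an added example (not SSG's own build tooling and not code from either poster), the following Python resolves which rules an XCCDF 1.2 profile selects, honouring `extends` and `<select>` elements that name a group, and then reports the selected rules that carry no `<reference>` pointing at a given STIG href. The XML, the placeholder rule and group ids, the GUI profile id and the href are constructed for the example; only `encrypt_partitions` and `stig-rhel7-server-upstream` come from the thread.

```python
"""Resolve which rules an SSG XCCDF profile selects and flag those without
a DISA STIG reference.  Added example, not SSG tooling; the XML and the
reference href below are constructed placeholders."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # namespace used by SSG 1.2 content

# Constructed ids: only encrypt_partitions and stig-rhel7-server-upstream
# appear in the thread; everything else here is a placeholder.
RULE_ENCRYPT = "xccdf_org.ssgproject.content_rule_encrypt_partitions"
RULE_A = "xccdf_org.ssgproject.content_rule_placeholder_a"
RULE_B = "xccdf_org.ssgproject.content_rule_placeholder_b"
GROUP_PLACEHOLDER = "xccdf_org.ssgproject.content_group_placeholder"
UPSTREAM_PROFILE = "xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream"
GUI_PROFILE = "xccdf_org.ssgproject.content_profile_stig-rhel7-server-gui-upstream"
STIG_HREF = "https://example.invalid/disa-rhel7-stig"  # placeholder, not the real href

# Constructed benchmark: the GUI profile extends the upstream one and
# deselects one rule; encrypt_partitions has no STIG reference at all.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_sample">
  <Profile id="{UPSTREAM_PROFILE}">
    <select idref="{RULE_ENCRYPT}" selected="true"/>
    <select idref="{GROUP_PLACEHOLDER}" selected="true"/>
  </Profile>
  <Profile id="{GUI_PROFILE}" extends="{UPSTREAM_PROFILE}">
    <select idref="{RULE_B}" selected="false"/>
  </Profile>
  <Group id="{GROUP_PLACEHOLDER}">
    <Rule id="{RULE_A}"><reference href="{STIG_HREF}">PLACEHOLDER-ID</reference></Rule>
    <Rule id="{RULE_B}"/>
  </Group>
  <Group id="xccdf_org.ssgproject.content_group_placeholder_disk">
    <Rule id="{RULE_ENCRYPT}"><reference href="https://example.invalid/other">SC-28</reference></Rule>
  </Group>
</Benchmark>"""


def q(tag):
    """Qualify an element name with the XCCDF 1.2 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


def index_items(root):
    """Map Rule and Group ids to elements.  Groups matter because a profile
    <select> may name a group, which selects every Rule beneath it."""
    rules = {r.get("id"): r for r in root.iter(q("Rule"))}
    groups = {g.get("id"): g for g in root.iter(q("Group"))}
    return rules, groups


def rules_under(idref, rules, groups):
    """Expand a <select idref> to the set of Rule ids it covers."""
    if idref in rules:
        return {idref}
    if idref in groups:
        return {r.get("id") for r in groups[idref].iter(q("Rule"))}
    return set()  # dangling idref: nothing to select, ignored here


def profile_selection(root, profile_id, _chain=()):
    """Return the rule ids a profile selects, resolving `extends` first so
    the child's own <select> elements override the parent's."""
    if profile_id in _chain:
        raise ValueError("extends cycle through %s" % profile_id)
    profiles = {p.get("id"): p for p in root.iter(q("Profile"))}
    if profile_id not in profiles:
        raise KeyError("no profile %s" % profile_id)
    prof = profiles[profile_id]
    rules, groups = index_items(root)
    parent = prof.get("extends")
    if parent:
        selected = profile_selection(root, parent, _chain + (profile_id,))
    else:
        # XCCDF default: a Rule is selected only if its own selected="true"
        selected = {rid for rid, r in rules.items() if r.get("selected") == "true"}
    for sel in prof.findall(q("select")):  # document order: later selects win
        targets = rules_under(sel.get("idref"), rules, groups)
        if sel.get("selected") == "true":
            selected |= targets
        else:
            selected -= targets
    return selected


def rules_without_reference(root, rule_ids, href):
    """Subset of rule_ids that carry no <reference href=...> matching href."""
    rules, _ = index_items(root)
    missing = set()
    for rid in rule_ids:
        refs = rules[rid].findall(q("reference"))
        if not any(ref.get("href") == href for ref in refs):
            missing.add(rid)
    return missing


def audit_profile(xml_text, profile_id, href):
    """Return (selected rule ids, selected rule ids lacking a reference to href)."""
    root = ET.fromstring(xml_text)
    selected = profile_selection(root, profile_id)
    return selected, rules_without_reference(root, selected, href)


if __name__ == "__main__":
    selected, missing = audit_profile(SAMPLE_XCCDF, GUI_PROFILE, STIG_HREF)
    print("selected:", sorted(selected))
    print("no STIG reference:", sorted(missing))
```

To run this against a real build, read `build/ssg-rhel7-ds.xml` as text and pass it to `audit_profile` with a profile id taken from `oscap info build/ssg-rhel7-ds.xml`; the functions walk the whole tree with `iter`, so the Benchmark nested inside the datastream's component is found without unwrapping it. Two caveats: the `href` argument must match the exact href the build writes on its STIG `<reference>` elements, and DISA's XCCDF uses its own rule numbering, so a selected rule that lacks a reference may simply be unmapped rather than genuinely absent from the DISA release; the list this produces is a starting point for a manual comparison, not a verdict.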