Good afternoon! I am new to this list, and would normally lurk a bit more 
first, but I have a question I am hoping the community might be able to help me 
with.

I have been reviewing the ansible playbook content for the NIAP OSPP for RHEL 8 
on the following site:

https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-index.html

And I came across what has been labeled the "[DRAFT] DISA STIG for Red Hat 
Enterprise Linux 8"

It just so happens to mirror the NIAP OSPP guidance, no surprise there for a 
first draft. However, a large number of the tasks in the playbook are 
restricted with the WHEN statement:

- when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"

These filters are from the original NIAP OSPP ansible guidance as well.

Does anyone have an understanding why these tasks are filtered out for virtual 
machines? The text guidance makes no mention why these would be excluded, and 
in fact other code snippets (e.g. the bash scripts) don't include an exclusion 
like this. Even in cases like CCE-81024-2, I've never had issues with enabling 
this on virtual guests in the past (in VMware, mind you), but items like 
CCE-82297-3 (tipc disable) or CCE-80834-5 (sctp disable) don't cause any 
significant issues for a virtual guest where these are disabled. (My interest 
is in use in a DoD implementation, and though there is no STIG yet, I am 
negotiating with our accrediting body on appropriate controls until the STIG is 
available.)

If anyone has any further insight into why these were restricted with "when" 
directives in the ansible role/playbook for Draft STIG and NIAP, thank you in 
advance. For my part, I'm removing the clause for my implementation, but wanted 
to see what the original reason was and if it was something I should be aware 
of to avoid any future unforeseen issues.



v/r

Henry Link

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
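A quick way to see exactly which hosts the quoted clause skips is to evaluate its boolean logic against a few sample fact sets. The script below is an added example, not code from the SSG project or from the original post: it mirrors the expression `ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"` in plain Python, applies it to constructed fact dictionaries, and contrasts it with a hypothetical `and` variant. The role/type strings ("guest", "host", "NA", "kvm", "VMware", "docker") are assumed to match what the Ansible setup module reports on those platforms; verify them with `ansible -m setup` on your own hosts before relying on them.

```python
# Added example (not from the SSG project or the mailing-list post):
# evaluate the quoted Ansible "when" clause against constructed facts so
# the set of skipped hosts is explicit rather than guessed at.

from typing import Dict, List

# Constructed sample fact sets. The strings are assumed values for the
# platforms named in the keys; confirm them against `ansible -m setup`.
SAMPLE_FACTS: Dict[str, Dict[str, str]] = {
    "bare-metal host":  {"ansible_virtualization_role": "NA",
                         "ansible_virtualization_type": "NA"},
    "kvm hypervisor":   {"ansible_virtualization_role": "host",
                         "ansible_virtualization_type": "kvm"},
    "kvm guest":        {"ansible_virtualization_role": "guest",
                         "ansible_virtualization_type": "kvm"},
    "vmware guest":     {"ansible_virtualization_role": "guest",
                         "ansible_virtualization_type": "VMware"},
    "docker container": {"ansible_virtualization_role": "guest",
                         "ansible_virtualization_type": "docker"},
}


def when_clause(facts: Dict[str, str]) -> bool:
    """Mirror of the clause as quoted in the post:

        ansible_virtualization_role != "guest"
            or ansible_virtualization_type != "docker"

    Returns True when the task would run, False when it is skipped.
    Missing facts compare unequal to the literals, so the task runs.
    """
    role = facts.get("ansible_virtualization_role")
    vtype = facts.get("ansible_virtualization_type")
    return role != "guest" or vtype != "docker"


def when_clause_demorgan(facts: Dict[str, str]) -> bool:
    """Same condition after De Morgan: skipped only when BOTH facts match,
    i.e. role == "guest" AND type == "docker"."""
    role = facts.get("ansible_virtualization_role")
    vtype = facts.get("ansible_virtualization_type")
    return not (role == "guest" and vtype == "docker")


def when_clause_and_variant(facts: Dict[str, str]) -> bool:
    """Hypothetical variant with `and` instead of `or`, for comparison.
    This is NOT what the playbook contains; it would skip every guest
    (any type) and every docker host."""
    role = facts.get("ansible_virtualization_role")
    vtype = facts.get("ansible_virtualization_type")
    return role != "guest" and vtype != "docker"


def skipped_hosts(samples: Dict[str, Dict[str, str]] = SAMPLE_FACTS,
                  clause=when_clause) -> List[str]:
    """Names of the sample hosts on which `clause` would skip the task."""
    return [name for name, facts in samples.items() if not clause(facts)]


def evaluate(samples: Dict[str, Dict[str, str]] = SAMPLE_FACTS) -> Dict[str, bool]:
    """Map each sample host to whether the quoted clause lets the task run."""
    return {name: when_clause(facts) for name, facts in samples.items()}


if __name__ == "__main__":
    print("Quoted clause (or):")
    for name, runs in evaluate().items():
        print(f"  {name:18s} -> {'runs' if runs else 'SKIPPED'}")
    print("Hypothetical `and` variant would skip:",
          skipped_hosts(clause=when_clause_and_variant))
```

With the sample facts, the only host the quoted clause skips is the docker container; the `or` form only evaluates to false when both comparisons fail at once, which the De Morgan rewrite makes explicit. The `and` variant is included purely to show how much the outcome changes with that one keyword.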
