`ansible_virtualization_role != "guest"` should never have been added, as all of the rules of a physical machine apply to a virtual machine. However, keeping `ansible_virtualization_type != "docker"` makes sense because many of the controls don't make sense for containers themselves. There is a bug open and fixes are pending.
On Tue, Feb 11, 2020 at 10:55 AM Link, Henry L II CTR USN NIWC ATLANTIC SC (USA) <henry.l.link1....@navy.mil> wrote:

> Good afternoon! I am new to this list, and would normally lurk a bit more first, but I have a question I am hoping the community might be able to help me with.
>
> I have been reviewing the ansible playbook content for the NIAP OSPP for RHEL 8 on the following site:
>
> https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-index.html
>
> And I came across what has been labeled the “[DRAFT] DISA STIG for Red Hat Enterprise Linux 8”.
>
> It just so happens to mirror the NIAP OSPP guidance, no surprise there for a first draft. However, a large number of the tasks in the playbook are restricted with the WHEN statement:
>
> - when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
>
> These filters are from the original NIAP OSPP ansible guidance as well.
>
> Does anyone have an understanding why these tasks are filtered out for virtual machines? The text guidance makes no mention why these would be excluded, and in fact other code snippets (e.g. the bash scripts) don’t include an exclusion like this. Even in cases like CCE-81024-2, I’ve never had issues with enabling this on virtual guests in the past (in VMware, mind you), but items like CCE-82297-3 (tipc disable) or CCE-80834-5 (sctp disable) don’t cause any significant issues for a virtual guest where these are disabled. (My interest is in use in a DoD implementation, and though there is no STIG yet, I am negotiating with our accrediting body on appropriate controls until the STIG is available.)
>
> If anyone has any further insight why these were restricted with “when” directives in the ansible role/playbook for Draft STIG and NIAP, thank you in advance.
>
> For my part, I’m removing the clause for my implementation, but wanted to see what the original reason was and if it was something I should be aware of to avoid any future unforeseen issues.
>
> v/r
>
> Henry Link
>
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
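To make the behaviour of the two `when:` forms discussed in this thread concrete, here is an added example (not from the list thread or from the SCAP Security Guide project) that evaluates the quoted clause and the reduced docker-only clause against constructed Ansible fact sets. The small clause evaluator and the host profiles are assumptions of the example; the fact strings follow what Ansible's setup module reports for those platforms.

```python
import re

# Added example (not from the list thread or the SCAP Security Guide project):
# evaluates the two `when:` clauses discussed above against constructed fact
# sets, so the reader can see which host types each clause skips.

# The clause quoted from the draft STIG playbook, and the form the reply
# suggests keeping (guest clause dropped, docker clause kept).
ORIGINAL_WHEN = 'ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"'
SIMPLIFIED_WHEN = 'ansible_virtualization_type != "docker"'

# Constructed fact sets. The string values mirror what Ansible's setup module
# reports for these platforms ("NA" when no virtualization is detected).
SAMPLE_HOSTS = {
    "bare-metal":       {"ansible_virtualization_type": "NA",     "ansible_virtualization_role": "NA"},
    "vmware-guest":     {"ansible_virtualization_type": "VMware", "ansible_virtualization_role": "guest"},
    "kvm-guest":        {"ansible_virtualization_type": "kvm",    "ansible_virtualization_role": "guest"},
    "kvm-host":         {"ansible_virtualization_type": "kvm",    "ansible_virtualization_role": "host"},
    "docker-container": {"ansible_virtualization_type": "docker", "ansible_virtualization_role": "guest"},
}

_COMPARISON = re.compile(r'^\s*(\w+)\s*(==|!=)\s*"([^"]*)"\s*$')

def evaluate_when(expr, facts):
    """Evaluate a simple `when:` clause: `fact == "x"` / `fact != "x"` terms
    joined by `and` and `or` (`and` binds tighter, as in Jinja2). This is a
    deliberately small evaluator for the clauses on this page, not a Jinja2 engine."""
    def term(text):
        m = _COMPARISON.match(text)
        if not m:
            raise ValueError(f"unsupported term: {text!r}")
        name, op, expected = m.groups()
        actual = facts.get(name)  # a missing fact compares unequal to any value
        return actual == expected if op == "==" else actual != expected
    return any(all(term(t) for t in conj.split(" and "))
               for conj in expr.split(" or "))

def hosts_where_task_runs(expr, hosts=SAMPLE_HOSTS):
    """Names of sample hosts on which a task guarded by `expr` would run."""
    return sorted(name for name, facts in hosts.items() if evaluate_when(expr, facts))

def hosts_where_task_skipped(expr, hosts=SAMPLE_HOSTS):
    """Names of sample hosts on which a task guarded by `expr` would be skipped."""
    return sorted(set(hosts) - set(hosts_where_task_runs(expr, hosts)))

if __name__ == "__main__":
    for label, expr in (("original", ORIGINAL_WHEN), ("simplified", SIMPLIFIED_WHEN)):
        print(f"{label:10s} skips: {hosts_where_task_skipped(expr)}")
```

Over these sample hosts both clauses skip only the container, because the `or` in the original form only excludes a host that is both a guest and of type docker; swapping the `or` for `and` is what would exclude every virtual guest.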