On Thu, Mar 5, 2020 at 7:57 PM Shawn Wells <sh...@redhat.com> wrote:

>
> On 3/5/20 1:00 PM, James Cassell wrote:
>
> On Thu, Mar 5, 2020, at 12:57 PM, Jeff Bachtel wrote:
>
> Good day. I am trying to apply current RHEL7 STIG guidance to AWS EC2
> instances and have run into issues. Could someone check my conclusions
> below and let me know if I missed something?
>
> - OpenSCAP doesn't yet support RHEL7 STIG V2R6 in its in-tree code
> (including remediation code)
> - The NIST NCP for RHEL7 from 
> https://github.com/ComplianceAsCode/content/tree/master/rhel7 doesn't
> yet include STIG V2R4 remediations
> - The actual DISA RHEL7 STIG XCCDF file does not include fixes, such
> that OpenSCAP could use it to generate remediation scripts
> - https://github.com/MindPointGroup/RHEL7-STIG is probably the best
> RHEL7 STIG remediation script that's publicly available
>
>
> All correct from my perspective.
>
>
> To the best of our knowledge there haven't been any substantive changes to
> the DISA content. At least we haven't been informed of any (eg rule
> selections/removals, changing variables like password length, etc).
>
> That said, could be interesting to run the Red Hat provided remediations
> and then re-scan with the DISA-provided content. Goal would be to see if
> anything fails... in theory showing any gaps between the content.
>
> Would you be interested/able to help do that? Here's the ansible content:
>
> https://galaxy.ansible.com/RedHatOfficial/rhel7_stig
>

Ah, I actually HAVE done this. I ran the SCAP Ansible role for rhel7-stig
(same as the galaxy link above, correct? Looks the same) against an AMI
then launched and ran Tenable's STIG r2v4 scan against it. 150-something
findings, because the STIG changed validations of things in a way that the
role no longer solves. I was tricked a bit in my own head because SSG made
a release right after the new STIG (r2v6) and I thought it was to keep up
with the rev, but that was not the case.

So in short if RH is recommending the SSG / rhel7_stig role to customers to
get close to compliant with modern STIG guidance, uh, it doesn't work. To
be fair, the CIS RHEL7 STIG AMI is also Really Bad for hitting scan
compliance.

I do appreciate everyone's answers on the thread, though. If the SSG
rhel7-stig Ansible role is generated from XCCDF fix statements (I don't
know that that's the case), would the solution then be to update the SSG
RHEL7 STIG XCCDF from the DISA release, and put in new fixes?

Jeff


> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
>


-- 
Jeff Bachtel
Senior Cloud Ops Developer, IronNet
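The gap test Shawn proposes above (apply the Red Hat/SSG remediation, then re-scan with the DISA-provided benchmark and look at what still fails) as an added example; this is not code from the thread, from Red Hat, or from the ComplianceAsCode project. The oscap subcommands and flags are real, and `oscap xccdf generate fix --fix-type ansible` is how a playbook can be produced from the fix elements in a data stream; the file paths and profile ids are placeholders you must replace with your SSG package and DISA SCAP benchmark, and the embedded results document is constructed so the parser runs offline.

```python
#!/usr/bin/env python3
"""Gap check: SSG remediation first, then a re-scan with DISA content.

Added example for this thread, not project code. Every path and profile
id below is an assumed placeholder; replace with the real SSG data stream
and the benchmark XML from the DISA SCAP zip for the STIG revision you need.
"""
import shutil
import subprocess
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed locations/ids (placeholders, not verified against any release).
SSG_DATASTREAM = "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
SSG_STIG_PROFILE = "xccdf_org.ssgproject.content_profile_stig"
DISA_BENCHMARK = "/root/disa/rhel7-stig-scap-benchmark.xml"      # placeholder
DISA_PROFILE = "xccdf_mil.disa.stig_profile_MAC-2_Sensitive"      # placeholder


def ssg_remediate_cmd(datastream, profile, results):
    """oscap command: evaluate the SSG profile and apply its fixes in place.
    This mutates the host; run it on a throwaway instance or image build."""
    return ["oscap", "xccdf", "eval", "--remediate", "--profile", profile,
            "--results", results, datastream]


def ssg_ansible_playbook_cmd(datastream, profile, playbook):
    """oscap command: emit the SSG profile's fix elements as an Ansible playbook."""
    return ["oscap", "xccdf", "generate", "fix", "--fix-type", "ansible",
            "--profile", profile, "--output", playbook, datastream]


def disa_scan_cmd(benchmark, profile, results):
    """oscap command: check-only re-scan with the DISA benchmark."""
    return ["oscap", "xccdf", "eval", "--profile", profile,
            "--results", results, benchmark]


def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 results parse alike."""
    return tag.rsplit("}", 1)[-1]


def rule_results(xml_text):
    """Map rule idref -> result string from an XCCDF results document."""
    root = ET.fromstring(xml_text)
    out = {}
    for el in root.iter():
        if _local(el.tag) != "rule-result":
            continue
        for child in el:
            if _local(child.tag) == "result":
                out[el.get("idref")] = (child.text or "").strip()
    return out


def failing_rules(xml_text, statuses=("fail",)):
    """Sorted rule ids whose result is one of `statuses` (default: fail only)."""
    return sorted(r for r, s in rule_results(xml_text).items() if s in statuses)


def summarize(xml_text):
    """Count of rules per result value (pass, fail, notapplicable, ...)."""
    return dict(Counter(rule_results(xml_text).values()))


def run(cmd):
    """Run an oscap command; exit code 2 means 'some rules failed', not an error."""
    proc = subprocess.run(cmd, check=False)
    if proc.returncode not in (0, 2):
        sys.exit(f"{' '.join(cmd)} exited {proc.returncode}")


# Constructed sample results (not real scan output, rule ids invented) so the
# parser can be exercised without oscap or a DISA benchmark on the box.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_constructed">
  <TestResult id="xccdf_example_testresult_constructed">
    <rule-result idref="xccdf_example_rule_sshd_permit_root_login">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_min_length">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_present">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_smartcard_required">
      <result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_gui_banner">
      <result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

if __name__ == "__main__":
    if "--live" in sys.argv and shutil.which("oscap"):
        run(ssg_remediate_cmd(SSG_DATASTREAM, SSG_STIG_PROFILE, "ssg-results.xml"))
        run(disa_scan_cmd(DISA_BENCHMARK, DISA_PROFILE, "disa-results.xml"))
        with open("disa-results.xml", encoding="utf-8") as f:
            text = f.read()
    else:
        text = SAMPLE_RESULTS
    print("summary:", summarize(text))
    for rule in failing_rules(text, statuses=("fail", "error", "unknown")):
        print("still failing under DISA content:", rule)
```

Without `--live` the script only parses the constructed sample; with `--live` on a disposable instance it remediates with the SSG profile, re-scans with the DISA benchmark, and lists the rules DISA still reports as fail, error or unknown, which is the list of content gaps the thread is after. Rules reported as notchecked by the DISA content are manual checks and are not counted as gaps.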
