I'm in the process of upgrading to RHEL8, and need to analyze the STIG rules since my project had waivers in place for some of the rules in earlier RHEL versions. My team would like to use the SCAP Security Guide as the source of our content for scans, and so the plan was to review the rules from the SSG's RHEL8 STIG profile. I thought it would be pretty easy to just get a list of the rules with their ids, titles, and descriptions, but have run into a couple of issues.
First, I am seeing a lot of differences between the ruleset I can download directly from DISA (their manual XCCDF for the RHEL8 STIG, draft) and the ruleset in the SSG RHEL8 STIG profile. I figured the titles might not have been brought over from the DISA STIG verbatim, so I thought it might be better to align them by identifier, which leads to the second problem... I can't find any identifiers in common between the DISA STIG and the SSG profile. DISA has indicated that STIG IDs (e.g. RHEL-08-010050) are the way to go moving forward, and only provides these ids in their draft STIG. SSG, on the other hand, provides CCEs (presumably ones that it generates from a pool allocated by NIST), vul group ids, and sub-vul rule ids, but does not appear to provide the STIG IDs (I've looked in the table-rhel8-nistrefs-stig.html file of the 0.1.50 release and in the scan report from scanning my system). I would appreciate guidance on how to correlate these two sources and ideally where STIG IDs can be found in SSG STIG content, since these seem to be DISA's preferred identifier going forward.

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
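The correlation problem described in the post can be attacked mechanically: parse both XCCDF documents, collect every identifier each `<Rule>` carries (the DISA `<version>` element, `<ident>` elements, and the text of `<reference>` elements), and join the two rule lists on whatever identifier they share, preferring the STIG ID, then CCE, and only then CCI (a CCI is shared by many rules, so a CCI-only join is weak). The script below is an added example written for this thread, not code from the list post or from the SCAP Security Guide project. It assumes that DISA XCCDF carries the STIG ID in the Rule's `<version>` element and that SSG content, where it carries a STIG ID, does so as the text of a `<reference>` element; the two XML fragments, the rule ids, titles, CCE value and `href` values are all constructed for the demonstration and are not real STIG or SSG content.

```python
import re
import xml.etree.ElementTree as ET

# Identifier shapes we join on. "stigid" matches values such as RHEL-08-010050.
ID_PATTERNS = {
    "stigid": re.compile(r"^[A-Z0-9]+-\d{2}-\d{6}$"),
    "cci": re.compile(r"^CCI-\d{6}$"),
    "cce": re.compile(r"^CCE-\d{5}-\d$"),
}

# Constructed DISA-style fragment (XCCDF 1.1 namespace, STIG ID in <version>).
DISA_SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL_8_STIG_sample">
  <Group id="V-000001"><title>SRG-OS-000023-GPOS-00006</title>
    <Rule id="SV-000001r1_rule" severity="medium">
      <version>RHEL-08-010050</version>
      <title>Display a login banner (constructed sample)</title>
      <ident system="http://cyber.mil/cci">CCI-000048</ident>
    </Rule></Group>
  <Group id="V-000002">
    <Rule id="SV-000002r1_rule" severity="low">
      <version>RHEL-08-888888</version>
      <title>Rule that shares only a CCI (constructed sample)</title>
      <ident system="http://cyber.mil/cci">CCI-000366</ident>
    </Rule></Group>
  <Group id="V-000003">
    <Rule id="SV-000003r1_rule" severity="low">
      <version>RHEL-08-999999</version>
      <title>Rule with no SSG counterpart (constructed sample)</title>
      <ident system="http://cyber.mil/cci">CCI-000999</ident>
    </Rule></Group>
</Benchmark>"""

# Constructed SSG-style fragment (XCCDF 1.2 namespace, identifiers in <reference>/<ident>).
SSG_SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_sample">
  <Rule id="xccdf_org.ssgproject.content_rule_banner_etc_issue" severity="medium">
    <title>Modify the System Login Banner (constructed sample)</title>
    <reference href="https://public.cyber.mil/stigs/cci/">CCI-000048</reference>
    <reference href="https://public.cyber.mil/stigs/downloads/">RHEL-08-010050</reference>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00001-0</ident>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_example_other" severity="low">
    <title>Rule carrying only a CCI reference (constructed sample)</title>
    <reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</reference>
  </Rule>
</Benchmark>"""


def _local(tag):
    """Strip the namespace so the same code handles XCCDF 1.1 and 1.2."""
    return tag.rsplit("}", 1)[-1]


def _classify(value):
    """Return (kind, value) if the text looks like a STIG ID, CCI or CCE."""
    value = value.strip()
    for kind, pattern in ID_PATTERNS.items():
        if pattern.match(value):
            return kind, value
    return None


def parse_rules(xml_text):
    """One dict per <Rule>: XCCDF id, title, and the set of identifiers found
    in its <version>, <ident> and <reference> children."""
    rules = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "Rule":
            continue
        rule = {"id": el.get("id"), "title": "", "ids": set()}
        for child in el:
            name, text = _local(child.tag), (child.text or "")
            if name == "title":
                rule["title"] = text.strip()
            elif name in ("version", "ident", "reference"):
                hit = _classify(text)
                if hit:
                    rule["ids"].add(hit)
        rules.append(rule)
    return rules


def correlate(left, right, order=("stigid", "cce", "cci")):
    """Join left rules to right rules on a shared identifier, trying the kinds
    in `order`. Returns (matches, unmatched): matches maps a left rule id to
    (right rule id, joining identifier); unmatched lists left rule ids with
    no counterpart, which is the gap list a reviewer wants to see."""
    index = {}
    for r in right:
        for ident in r["ids"]:
            index.setdefault(ident, []).append(r["id"])
    matches, unmatched = {}, []
    for rule in left:
        found = None
        for kind in order:
            shared = sorted(i for i in rule["ids"] if i[0] == kind and i in index)
            if shared:
                found = (index[shared[0]][0], shared[0])
                break
        if found:
            matches[rule["id"]] = found
        else:
            unmatched.append(rule["id"])
    return matches, unmatched


if __name__ == "__main__":
    matches, unmatched = correlate(parse_rules(DISA_SAMPLE), parse_rules(SSG_SAMPLE))
    for disa_id, (ssg_id, ident) in matches.items():
        print(f"{disa_id} -> {ssg_id}  (joined on {ident[0]} {ident[1]})")
    print("unmatched DISA rules:", unmatched)
```

Point `parse_rules` at the full text of a downloaded DISA XCCDF and at the SSG `ssg-rhel8-xccdf.xml`; the printed join kind tells you how strong each correlation is, and the `unmatched` list is where waivers or missing SSG coverage need a manual look.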