NIAP OSPP/Draft RHEL8 STIG ansible plays - disabled options for virtual guests and docker containers

2020-02-11 Thread Link, Henry L II CTR USN NIWC ATLANTIC SC (USA)
Good afternoon! I am new to this list, and would normally lurk a bit more
first, but I have a question I am hoping the community might be able to help me
with.

I have been reviewing the ansible playbook content for the NIAP OSPP for RHEL 8
on the following site:

https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-index.html

And I came across what has been labeled the "[DRAFT] DISA STIG for Red Hat
Enterprise Linux 8".

It just so happens to mirror the NIAP OSPP guidance, no surprise there for a
first draft. However, a large number of the tasks in the playbook are
restricted with the WHEN statement:

- when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"

These filters are from the original NIAP OSPP ansible guidance as well.

Does anyone have an understanding of why these tasks are filtered out for virtual
machines? The text guidance makes no mention of why these would be excluded, and
in fact other code snippets (e.g. the bash scripts) don't include an exclusion
like this. Even in cases like CCE-81024-2, I've never had issues with enabling
this on virtual guests in the past (in VMware, mind you), but items like
CCE-82297-3 (tipc disable) or CCE-80834-5 (sctp disable) don't cause any
significant issues for a virtual guest where these are disabled. (My interest
is in use in a DoD implementation, and though there is no STIG yet, I am
negotiating with our accrediting body on appropriate controls until the STIG is
available.)

If anyone has any further insight into why these were restricted with "when"
directives in the ansible role/playbook for Draft STIG and NIAP, thank you in
advance. For my part, I'm removing the clause for my implementation, but wanted
to see what the original reason was and if it was something I should be aware
of to avoid any future unforeseen issues.

v/r

Henry Link

___
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org


Re: NIAP OSPP/Draft RHEL8 STIG ansible plays - disabled options for virtual guests and docker containers

2020-02-11 Thread Gabe Alford
ansible_virtualization_role != "guest" should never have been added, as all
of the rules for a physical machine apply to a virtual machine.
However, keeping `ansible_virtualization_type != "docker"` makes sense
because many of the controls don't make sense for containers themselves.
There is a bug open and fixes are pending.

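As an added example (not code from the SSG project or from either poster), the Python below evaluates the quoted `when:` clause, an `and` variant of it, and the docker-only clause the reply recommends against constructed virtualization facts, so the reader can see which kinds of hosts each clause actually skips; the fact values are assumptions for illustration.

```python
"""Added example, not from the scap-security-guide project or the thread.

Evaluates three Ansible `when:` conditions against constructed fact sets to
show which hosts each one skips.
"""

def runs_under_original(facts):
    # when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
    # An `or` of two `!=` tests is false only when BOTH are false, so the task
    # is skipped only for a host that is a guest AND of type docker.
    return (facts["ansible_virtualization_role"] != "guest"
            or facts["ansible_virtualization_type"] != "docker")

def runs_under_and_variant(facts):
    # Same clauses joined with `and`: skips every guest, not just containers.
    return (facts["ansible_virtualization_role"] != "guest"
            and facts["ansible_virtualization_type"] != "docker")

def runs_under_docker_only(facts):
    # Condition the reply keeps: when: ansible_virtualization_type != "docker"
    return facts["ansible_virtualization_type"] != "docker"

# Constructed sample fact sets modelled on ansible_virtualization_role/_type;
# the values are assumptions for illustration, not captured output.
SAMPLE_HOSTS = {
    "bare-metal":       {"ansible_virtualization_role": "NA",    "ansible_virtualization_type": "NA"},
    "vmware-guest":     {"ansible_virtualization_role": "guest", "ansible_virtualization_type": "VMware"},
    "kvm-guest":        {"ansible_virtualization_role": "guest", "ansible_virtualization_type": "kvm"},
    "docker-container": {"ansible_virtualization_role": "guest", "ansible_virtualization_type": "docker"},
}

def skipped_hosts(condition, hosts=SAMPLE_HOSTS):
    """Sorted names of the hosts for which `condition` would skip the task."""
    return sorted(name for name, facts in hosts.items() if not condition(facts))

def compare(hosts=SAMPLE_HOSTS):
    """host -> (runs under original, runs under `and` variant, runs under docker-only)."""
    return {name: (runs_under_original(f), runs_under_and_variant(f), runs_under_docker_only(f))
            for name, f in hosts.items()}

if __name__ == "__main__":
    label = lambda b: "run " if b else "skip"
    for name, (orig, and_var, docker_only) in compare().items():
        print(f"{name:18} original={label(orig)} and-variant={label(and_var)} docker-only={label(docker_only)}")
    for cond in (runs_under_original, runs_under_and_variant, runs_under_docker_only):
        print(f"skipped by {cond.__name__}: {skipped_hosts(cond)}")
```

As the table shows, the `or` form quoted in the thread and the docker-only form skip the same host (the container), while only the `and` variant would skip hypervisor guests.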