On 12/19/13, 11:00 AM, joescap@mm.st wrote:
This is just a curiosity question. In the ssg-rhel6-xccdf.xml there are several profiles listed: common, server, stig-rhel6-server, usgcb-rhel6-server among others. I was curious how the tests for each profile were selected, especially the stig-rhel6-server and usgcb-rhel6-server. Was this the consensus of a group of SMEs? Also, is there anything out there that documents why some tests were included and others were not. As I said, just curious about the process. Thanks.
STIG baselines are developed following the DoD Consensus model. DISA FSO drops a list of requirements (CCIs) that we map rules against. The <ref> tags are used for this purpose. Reference line 125: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL6/input/s...
We then transform these mappings into an HTML table: http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-stig-...
Afterwards, we hold a DoD consensus meeting which involves representatives from all DoD, IC, and civilian parties. Over the course of a day or two, we step through every. single. line. of that table and verify all parties feel the CCI requirements are met. Some time afterward, DISA generates the STIG.
The USGCB profile will be created in much the same way. Currently we're performing the mappings against NIST 800-53, with the future intent to validate these mappings with NIST, NSA, and other stakeholders.
Hope this helps!
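To make the rule-to-CCI mapping step concrete, here is an added example (not SSG's own code, and not part of this thread) that reads a constructed, simplified XCCDF-like fragment, lists the rules each profile selects together with the CCIs their `<ref>` tags claim, and flags selected rules that carry no CCI mapping, which is exactly what a consensus reviewer walking the table line by line would want surfaced. The `<ref disa="...">` attribute shape, the absence of XML namespaces and the rule names are assumptions made for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not real SSG content: namespaces omitted, and the
# <ref disa="..."/> attribute form is an assumption for illustration.
SAMPLE_XCCDF = """
<Benchmark>
  <Profile id="stig-rhel6-server">
    <select idref="disable_ctrlaltdel_reboot" selected="true"/>
    <select idref="set_password_minlen" selected="true"/>
    <select idref="sshd_use_approved_ciphers" selected="false"/>
    <select idref="rule_without_cci" selected="true"/>
  </Profile>
  <Profile id="usgcb-rhel6-server">
    <select idref="set_password_minlen" selected="true"/>
  </Profile>
  <Rule id="disable_ctrlaltdel_reboot"><title>Disable Ctrl-Alt-Del Reboot</title><ref disa="CCI-000366"/></Rule>
  <Rule id="set_password_minlen"><title>Set Password Minimum Length</title><ref disa="CCI-000205"/></Rule>
  <Rule id="sshd_use_approved_ciphers"><title>Use Approved SSH Ciphers</title><ref disa="CCI-000068"/></Rule>
  <Rule id="rule_without_cci"><title>Rule Lacking a CCI Reference</title></Rule>
</Benchmark>
"""


def profile_cci_table(xccdf_text, profile_id):
    """Return [(rule_id, title, [cci, ...])] for every rule the profile selects.

    Rules with no <ref disa=...> get an empty list so the gap stays visible
    in the table instead of silently disappearing."""
    root = ET.fromstring(xccdf_text)
    rules = {r.get("id"): r for r in root.iter("Rule")}
    profiles = {p.get("id"): p for p in root.iter("Profile")}
    if profile_id not in profiles:
        raise ValueError("unknown profile: %s" % profile_id)
    table = []
    for sel in profiles[profile_id].findall("select"):
        if sel.get("selected") != "true":   # deselected rules are not part of the baseline
            continue
        rule = rules[sel.get("idref")]
        ccis = [ref.get("disa") for ref in rule.findall("ref") if ref.get("disa")]
        table.append((rule.get("id"), rule.findtext("title"), ccis))
    return table


def cci_coverage(xccdf_text, profile_id):
    """Set of CCIs the profile claims to satisfy through its selected rules."""
    return {c for _, _, ccis in profile_cci_table(xccdf_text, profile_id) for c in ccis}


def unmapped_rules(xccdf_text, profile_id):
    """Selected rules that carry no CCI reference: candidates for review."""
    return [rid for rid, _, ccis in profile_cci_table(xccdf_text, profile_id) if not ccis]
```

Feeding the real benchmark through the same functions requires handling the XCCDF namespace and the actual reference element SSG uses, which this constructed sample deliberately simplifies.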