On 4/25/16 2:51 PM, Martin Preisler wrote:
----- Original Message -----
From: "Trevor Vaughan" <tvaughan@onyxpoint.com>
To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
Sent: Sunday, April 24, 2016 2:03:25 PM
Subject: Re: cnssi No 1253 profile needed
The main RH6 and RH7 SSG profiles.
Could you write up the use-cases and report it as a bug? Probably we can expose something in the rules as variables and then you will be able to tailor it in the way you need.
We're polishing out the RHEL7 STIG. Once that activity clears, we'll start working on a DoD Secure Host Baseline. (Interesting to talk about incorporating/elevating SIMP into that. Let's hold that conversation for a minute though.)
The working intent is something like this:
- RHEL7 USGCB is a "base profile" that is aligned to NIAP's Operating System Protection Profile. Ref: https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/pro...
- RHEL7 STIG extends base NIAP profile with whatever things DISA feels is relevant: https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/7/input/pro...
- The DoD Secure Baseline will extend the NIAP profile with CNSSI 1253 overlay controls.
These three common/related profiles should set the base configurations for US Government. They'll all ship natively in the installer, allowing users to directly deploy into these configurations (as has hopefully been useful with the RHEL7 Vendor STIG!).
That leads to solving how people will tailor these baselines. In the most simplistic use case, users can load SCAP Workbench and modify rule selections and refine values. SCAP Workbench will generate custom RPMs (if run on RHEL hosts), and/or a "tailoring file" that outlines how you drifted from the common baseline. More advanced users can cryptographically hash things for integrity checking. The content can also be imported into Satellite for central config management/scanning.
Trevor, how do you think you'll need to modify these for your use?