The issue is less the automation (that's easy) and more that it isn't
actually a codified standard.
I'll hop onto the STIG feedback space on SoftwareForge and see if they have
a schema anywhere. The last time I asked, there wasn't one, but that was
quite some time ago.
Trevor
On Thu, Nov 29, 2018 at 2:18 PM Albrecht, Thomas C <
thomas.c.albrecht(a)lmco.com> wrote:
They can and have been automated. One of our engineers at LM has created
a very bloated python script that goes through each of the items in the
DISA STIG, and only leaves one unanswered (I think it’s the “ask the admin
if he’s doing backups”)
Tom A.
*From:* Meinecke, Lee <lee.meinecke(a)gtri.gatech.edu>
*Sent:* Thursday, November 29, 2018 2:25 PM
*To:* scap-security-guide(a)lists.fedorahosted.org
*Subject:* EXTERNAL: Re: alternatives to STIG Viewer once Oracle JDK 8 /
JavaFX 8 is EOL in January 2019?
.ckl files are the manual checklists that are used to import the automated
XCCDF content. For example on RHEL6 you import the XCCDF content from the
scan and then you have 85 manual controls to review. You use the Java STIG
viewer (JavaFX required) as the GUI to provide comments and choose from a
drop down menu (open, not a finding, not applicable) for each manual
control. The auditors typically request results from each host in .ckl
format I believe because it shows you've done the manual review as opposed
to providing an SCC or openscap HTML report which would only cover the
automated checks.
btw, those 85 manual RHEL6 controls could be automated. Most are "run this
command; if it produces results, it's a finding". A few require interpretation
but most seem like they could be automated.
Lee
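As an added example (not code from the thread or from any of the posters), here is how the "run this command; if it produces output it's a finding" pattern Lee describes could fill in the manual STATUS fields of a .ckl checklist. The element layout (CHECKLIST/STIGS/iSTIG/VULN, STIG_DATA holding VULN_ATTRIBUTE/ATTRIBUTE_DATA pairs, STATUS and FINDING_DETAILS) follows the STIG Viewer checklist format as I know it; the vulnerability IDs, the checklist itself and the command outputs are constructed.

```python
# Added example: set .ckl STATUS values from collected check command output.
# Element names follow the STIG Viewer checklist layout (assumed here);
# the sample checklist, IDs and outputs are constructed for illustration.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed minimal checklist with three not-yet-reviewed manual controls.
SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
  <VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
    <ATTRIBUTE_DATA>V-0001</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS/><COMMENTS/></VULN>
  <VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
    <ATTRIBUTE_DATA>V-0002</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS/><COMMENTS/></VULN>
  <VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>
    <ATTRIBUTE_DATA>V-0003</ATTRIBUTE_DATA></STIG_DATA>
    <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS/><COMMENTS/></VULN>
</iSTIG></STIGS></CHECKLIST>"""

# Constructed check results: Vuln_Num -> captured command output. None marks a
# control that genuinely needs a human (the "ask the admin about backups" kind).
CHECK_OUTPUT = {"V-0001": "", "V-0002": "/tmp/world_writable_file\n", "V-0003": None}


def vuln_num(vuln):
    """Return the Vuln_Num attribute of a VULN element, or None if absent."""
    for data in vuln.findall("STIG_DATA"):
        if data.findtext("VULN_ATTRIBUTE") == "Vuln_Num":
            return data.findtext("ATTRIBUTE_DATA")
    return None


def apply_results(ckl_xml, outputs):
    """Fill STATUS per control: empty output -> NotAFinding, any output -> Open,
    None -> left Not_Reviewed. Returns (updated xml, status counts)."""
    root = ET.fromstring(ckl_xml)
    for vuln in root.iter("VULN"):
        out = outputs.get(vuln_num(vuln))
        if out is None:
            continue  # needs interpretation; leave for the reviewer
        vuln.find("STATUS").text = "Open" if out.strip() else "NotAFinding"
        # Keep the evidence so the auditor can see why the status was chosen.
        vuln.find("FINDING_DETAILS").text = out.strip() or "Check produced no output."
    counts = Counter(v.findtext("STATUS") for v in root.iter("VULN"))
    return ET.tostring(root, encoding="unicode"), dict(counts)


if __name__ == "__main__":
    updated, summary = apply_results(SAMPLE_CKL, CHECK_OUTPUT)
    print(summary)
```

The remaining Not_Reviewed count is what still needs a person in STIG Viewer; everything else already carries its evidence in FINDING_DETAILS.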
------------------------------
*From:* Shawn Wells <shawn(a)redhat.com>
*Sent:* Thursday, November 29, 2018 1:14 PM
*To:* scap-security-guide(a)lists.fedorahosted.org
*Subject:* Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8
is EOL in January 2019?
On 11/28/18 12:51 PM, Trevor Vaughan wrote:
> Heh, no offense taken. I just needed to turn the little lights green
> with a .ckl file...and I did :-D
What are the .ckl files imported into? How are they used?
For example if OpenSCAP or Satellite could evaluate a system and output
a properly formatted .ckl file... would that provide value? What happens
with .ckl files?
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --