Thanks for the reference Shawn!
Lee, if you're interested in information on SIMP, the easiest place to
start is here
https://github.com/NationalSecurityAgency/SIMP.
Thanks,
Trevor
On Mon, Aug 24, 2015 at 7:21 PM, Shawn Wells <shawn(a)redhat.com> wrote:
On 8/24/15 6:34 PM, Meinecke, Lee wrote:
>
> I'm running the latest openscap and scap-workbench for RHEL6 using Red
> Hat repositories. If I feed the workbench the XCCDF file from DISA (
>
http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_6_V1R8_STIG_SCAP_...)
> and ask for online remediation I'm not getting any fixes.
>
> Does this remediation functionality exist or is the benchmark content
> lacking? I can't seem to get that working.
>
>
DISA FSO opts to strip remediation content/capabilities out from the
content Red Hat gives them. In part this makes sense: DISA FSO's intention
is to provide pass/fail content, anything beyond that is a distraction for
them.
I've been using hardening scripts from
>
https://github.com/fcaviggia/hardening-script-el6 but without
> commenting out some things those scripts are stricter than needed.
>
>
The project you mention has caused more misinformation and confusion than
usefulness. That project has no ties to Red Hat, DISA, and while perhaps
using the STIG for inspiration, its hardening settings are largely
arbitrary and places systems into an unknown compliance state.
If you're seeking embedded remediation, consider using SCAP Security Guide
directly (shipping in RHEL as the "scap-security-guide" package, or
upstream content on GitHub). SSG ships in RHEL and serves as the upstream
for what Red Hat gives DISA FSO as part of the Vendor STIG Process.
You might also find NSA's SIMP project interesting, which fuses
SSG+Puppet+MCollective and other things. You can find their project here:
https://github.com/simp
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
-- This account not approved for unencrypted proprietary information --