I'm running the latest openscap and scap-workbench for RHEL6 using Red Hat repositories. If I feed the workbench the XCCDF file from DISA (http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_6_V1R8_STIG_SCAP_1-1...) and ask for online remediation I'm not getting any fixes.
Does this remediation functionality exist or is the benchmark content lacking? I can't seem to get that working.
I've been using hardening scripts from https://github.com/fcaviggia/hardening-script-el6 but without commenting out some things those scripts are stricter than needed.
Thanks, Lee
Lee,
The SSG is the script being maintained and supported by going forward - the scripts I have out there are for historical reference or further knockdowns beyond the DISA STIG - Shawn likes to call them STIG++ - it's really just ICD 503 requirements.
-Frank
----- Original Message -----
From: "Lee Meinecke" lee.meinecke@gtri.gatech.edu
To: scap-security-guide@lists.fedorahosted.org
Sent: Monday, August 24, 2015 6:34:48 PM
Subject: Red Hat 6 STIG Benchmark - Version 1, Release 8 - Online Remediation
On 8/24/15 6:34 PM, Meinecke, Lee wrote:
> I'm running the latest openscap and scap-workbench for RHEL6 using Red Hat repositories. If I feed the workbench the XCCDF file from DISA (http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_6_V1R8_STIG_SCAP_1-1...) and ask for online remediation I'm not getting any fixes.
> Does this remediation functionality exist or is the benchmark content lacking? I can't seem to get that working.
DISA FSO opts to strip remediation content/capabilities out from the content Red Hat gives them. In part this makes sense: DISA FSO's intention is to provide pass/fail content; anything beyond that is a distraction for them.
> I've been using hardening scripts from https://github.com/fcaviggia/hardening-script-el6 but without commenting out some things those scripts are stricter than needed.
The project you mention has caused more misinformation and confusion than usefulness. That project has no ties to Red Hat or DISA, and while perhaps using the STIG for inspiration, its hardening settings are largely arbitrary and place systems into an unknown compliance state.
If you're seeking embedded remediation, consider using SCAP Security Guide directly (shipping in RHEL as the "scap-security-guide" package, or upstream content on GitHub). SSG ships in RHEL and serves as the upstream for what Red Hat gives DISA FSO as part of the Vendor STIG Process.
You might also find NSA's SIMP project interesting, which fuses SSG+Puppet+MCollective and other things. You can find their project here: https://github.com/simp
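The reply above attributes the missing fixes to content that ships without remediation. The following is an added example, not part of the original thread or of any project named in it: a quick check of how many rules in an XCCDF benchmark actually carry a `<fix>` element. The function name and both sample benchmarks are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# XCCDF 1.1 and 1.2 namespaces; a benchmark uses one of them.
XCCDF_NAMESPACES = (
    "http://checklists.nist.gov/xccdf/1.1",
    "http://checklists.nist.gov/xccdf/1.2",
)


def remediation_coverage(xccdf_xml):
    """Return (total_rules, rules_with_fix, rule_ids_without_fix)."""
    root = ET.fromstring(xccdf_xml)
    for ns in XCCDF_NAMESPACES:
        rules = list(root.iter("{%s}Rule" % ns))
        if rules:
            break
    else:
        return 0, 0, []  # no XCCDF rules found under either namespace
    missing = []
    for rule in rules:
        # Only a <fix> child with non-empty script text gives the scanner
        # something to run during remediation.
        fixes = [f for f in rule.findall("{%s}fix" % ns)
                 if "".join(f.itertext()).strip()]
        if not fixes:
            missing.append(rule.get("id"))
    return len(rules), len(rules) - len(missing), missing


# Constructed sample: pass/fail-only content, checks but no fixes.
STRIPPED = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-pass-fail">
  <Group id="g1"><Rule id="rule_a"><title>Constructed rule A</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"/></Rule></Group>
</Benchmark>"""

# Constructed sample: one rule has an embedded shell fix, one does not.
WITH_FIX = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-with-fixes">
  <Rule id="rule_a"><title>Constructed rule A</title>
    <fix system="urn:xccdf:fix:script:sh">chkconfig constructed_service off</fix></Rule>
  <Rule id="rule_b"><title>Constructed rule B</title></Rule>
</Benchmark>"""

if __name__ == "__main__":
    # Pass a path to an XCCDF file, or run with no arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STRIPPED
    total, fixable, missing = remediation_coverage(data)
    print("%d of %d rules carry a fix" % (fixable, total))
```

A result of zero fixable rules means the benchmark is pass/fail only, so a remediation run has nothing to apply.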
Thanks for the reference Shawn!
Lee, if you're interested in information on SIMP, the easiest place to start is here https://github.com/NationalSecurityAgency/SIMP.
Thanks,
Trevor
On Mon, Aug 24, 2015 at 7:21 PM, Shawn Wells shawn@redhat.com wrote:
-- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/