5:34 p.m.
I'm running the latest openscap and scap-workbench for RHEL6 using Red Hat
repositories. If I feed the workbench the XCCDF file from DISA
(http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_6_V1R8_STIG_SCAP_...)
and ask for online remediation I'm not getting any fixes.
Does this remediation functionality exist or is the benchmark content lacking? I can't
seem to get that working.
I've been using hardening scripts from
https://github.com/fcaviggia/hardening-script-el6? but without commenting out some things
those scripts are stricter than needed.
Thanks,
Lee
5:39 p.m.
Lee,
The SSG is the script being maintained and supported by going forward - the scripts I have
out there are for historical reference or further knockdowns beyond the DISA STIG - Shawn
likes to call them STIG++ - it's really just ICD 503 requirements.
-Frank
----- Original Message -----
From: "Lee Meinecke" <lee.meinecke(a)gtri.gatech.edu>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Monday, August 24, 2015 6:34:48 PM
Subject: Red Hat 6 STIG Benchmark - Version 1, Release 8 - Online Remediation
I'm running the latest openscap and scap-workbench for RHEL6 using Red Hat
repositories. If I feed the workbench the XCCDF file from DISA
(http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_6_V1R8_STIG_SCAP_...)
and ask for online remediation I'm not getting any fixes.
Does this remediation functionality exist or is the benchmark content lacking? I can't
seem to get that working.
I've been using hardening scripts from
https://github.com/fcaviggia/hardening-script-el6 but without commenting out some things
those scripts are stricter than needed.
Thanks,
Lee
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
--
Frank Caviggia
Senior Consultant, Red Hat
fcaviggi(a)redhat.com
(M) (571) 295-4560
6:21 p.m.
On 8/24/15 6:34 PM, Meinecke, Lee wrote:
I'm running the latest openscap and scap-workbench for RHEL6 using Red
Hat repositories. If I feed the workbench the XCCDF file from DISA
(http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_6_V1R8_STIG_SCAP_...)
and ask for online remediation I'm not getting any fixes.
Does this remediation functionality exist or is the benchmark content
lacking? I can't seem to get that working.
DISA FSO opts to strip remediation content/capabilities out from the
content Red Hat gives them. In part this makes sense: DISA FSO's
intention is to provide pass/fail content, anything beyond that is a
distraction for them.
I've been using hardening scripts from
https://github.com/fcaviggia/hardening-script-el6 but without
commenting out some things those scripts are stricter than needed.
The project you mention has caused more misinformation and confusion
than usefulness. That project has no ties to Red Hat, DISA, and while
perhaps using the STIG for inspiration, its hardening settings are
largely arbitrary and places systems into an unknown compliance state.
If you're seeking embedded remediation, consider using SCAP Security
Guide directly (shipping in RHEL as the "scap-security-guide" package,
or upstream content on GitHub). SSG ships in RHEL and serves as the
upstream for what Red Hat gives DISA FSO as part of the Vendor STIG
Process.
You might also find NSA's SIMP project interesting, which fuses
SSG+Puppet+MCollective and other things. You can find their project here:
https://github.com/simp
10:10 p.m.
Thanks for the reference Shawn!
Lee, if you're interested in information on SIMP, the easiest place to
start is here https://github.com/NationalSecurityAgency/SIMP.
Thanks,
Trevor
On Mon, Aug 24, 2015 at 7:21 PM, Shawn Wells <shawn(a)redhat.com> wrote:
On 8/24/15 6:34 PM, Meinecke, Lee wrote:
>
> I'm running the latest openscap and scap-workbench for RHEL6 using Red
> Hat repositories. If I feed the workbench the XCCDF file from DISA (
>
http://iasecontent.disa.mil/stigs/zip/July2015/U_RedHat_6_V1R8_STIG_SCAP_...)
> and ask for online remediation I'm not getting any fixes.
>
> Does this remediation functionality exist or is the benchmark content
> lacking? I can't seem to get that working.
>
>
DISA FSO opts to strip remediation content/capabilities out from the
content Red Hat gives them. In part this makes sense: DISA FSO's intention
is to provide pass/fail content, anything beyond that is a distraction for
them.
I've been using hardening scripts from
> https://github.com/fcaviggia/hardening-script-el6 but without
> commenting out some things those scripts are stricter than needed.
>
>
The project you mention has caused more misinformation and confusion than
usefulness. That project has no ties to Red Hat, DISA, and while perhaps
using the STIG for inspiration, its hardening settings are largely
arbitrary and places systems into an unknown compliance state.
If you're seeking embedded remediation, consider using SCAP Security Guide
directly (shipping in RHEL as the "scap-security-guide" package, or
upstream content on GitHub). SSG ships in RHEL and serves as the upstream
for what Red Hat gives DISA FSO as part of the Vendor STIG Process.
You might also find NSA's SIMP project interesting, which fuses
SSG+Puppet+MCollective and other things. You can find their project here:
https://github.com/simp
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
-- This account not approved for unencrypted proprietary information --
3173
days inactive
3175
days old
scap-security-guide@lists.fedorahosted.org
3 comments
4 participants
participants (4)
-
Frank Caviggia -
Meinecke, Lee -
Shawn Wells -
Trevor Vaughan