Classification: UNCLASSIFIED Caveats: NONE
Hope I'm not being a bother, but if possible, would someone mind weighing in on this? Scanning on RHEL7 isn't particularly useful right now, and we'd like to lock it down as soon as possible.
Thanks,
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
-----Original Message-----
From: Shaw, Ray V CTR USARMY ARL (US)
Sent: Tuesday, June 24, 2014 10:31 AM
To: 'SCAP Security Guide'
Subject: RHEL7 scanning (UNCLASSIFIED)
Classification: UNCLASSIFIED Caveats: NONE
By default, it looks like only the partition checks are enabled when scanning with the stig-rhel7-server-upstream profile (on RHEL7). If I edit the profile to enable all of the ones that RHEL6 has enabled (and then remove the few that don't exist for RHEL7), I get a total of 56 checks.
[If anyone is curious, out of the box it passes 35 and fails 21, assuming it's partitioned correctly.]
We're starting on RHEL7 to prepare our configuration management system, etc. for when 7 is blessed and we can deploy it, and of course STIGs are a big part of that. Is it reasonable to expect that they will closely parallel the RHEL6 STIG? Permissions/ownership, audit rules, sysctl, GDM, etc.
Thanks,
-- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support
Classification: UNCLASSIFIED Caveats: NONE
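Ray's edit above selects, in the stig-rhel7-server-upstream profile, whatever the RHEL6 profile selects and then drops the rules that have no RHEL7 counterpart. The following added example (not from this thread and not SCAP Security Guide code) performs that comparison on a constructed XCCDF fragment: it resolves each profile's `extends` chain and `select` overrides on top of the rules' own `selected` defaults, then reports which rule ids would need enabling and which idrefs have no Rule behind them. All rule ids and the profile ids other than stig-rhel7-server-upstream are made up.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
RULE = "{%s}Rule" % NS["x"]
# Constructed XCCDF fragment with made-up rule ids (not the SSG benchmark).
# "base" enables only the partition checks; the RHEL6-style profile adds more;
# the RHEL7 profile inherits base and switches one rule off. "gdm_rhel6_only"
# has no <Rule> at all, like a rule that does not exist for RHEL7.
XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo">
  <Profile id="base">
    <select idref="partition_for_tmp" selected="true"/>
    <select idref="partition_for_var" selected="true"/>
  </Profile>
  <Profile id="stig-rhel6-server" extends="base">
    <select idref="audit_rules_time_change" selected="true"/>
    <select idref="sysctl_ip_forward" selected="true"/>
    <select idref="gdm_rhel6_only" selected="true"/>
  </Profile>
  <Profile id="stig-rhel7-server-upstream" extends="base">
    <select idref="no_empty_passwords" selected="false"/>
  </Profile>
  <Group id="fs"><Rule id="partition_for_tmp" selected="false"/>
    <Rule id="partition_for_var" selected="false"/></Group>
  <Rule id="audit_rules_time_change" selected="false"/>
  <Rule id="sysctl_ip_forward" selected="false"/>
  <Rule id="no_empty_passwords"/>   <!-- no selected attr: XCCDF default true -->
</Benchmark>"""
ROOT = ET.fromstring(XCCDF)

def selected_rules(root, profile_id):
    """Rule ids the profile selects: each Rule's own selected flag (default
    true), then <select> overrides applied from the base profile downwards."""
    profs = {p.get("id"): p for p in root.findall("x:Profile", NS)}
    chosen = {r.get("id") for r in root.iter(RULE) if r.get("selected", "true") == "true"}
    chain, pid = [], profile_id
    while pid:                      # walk the extends chain, child first
        if pid not in profs or profs[pid] in chain:
            raise ValueError("unknown or cyclic profile: %s" % pid)
        chain.append(profs[pid])
        pid = profs[pid].get("extends")
    for prof in reversed(chain):    # base first, so children override parents
        for sel in prof.findall("x:select", NS):   # Group idrefs not expanded
            (chosen.add if sel.get("selected") == "true" else chosen.discard)(sel.get("idref"))
    return chosen

def rules_to_enable(root, src_profile, dst_profile):
    """Selected in src but not in dst: (rules defined here, idrefs with no Rule)."""
    defined = {r.get("id") for r in root.iter(RULE)}
    delta = selected_rules(root, src_profile) - selected_rules(root, dst_profile)
    return sorted(delta & defined), sorted(delta - defined)
```

Run it against the real RHEL6 and RHEL7 benchmarks by loading each file's root separately and passing the RHEL7 root to `rules_to_enable`; idrefs that come back in the second list are the ones to remove rather than copy across.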
Hello Ray,
thank you for checking with us (and sorry for late reply).
----- Original Message -----
From: "Ray V CTR USARMY ARL Shaw (US)" ray.v.shaw.ctr@mail.mil
To: "SCAP Security Guide" scap-security-guide@lists.fedorahosted.org
Sent: Tuesday, July 1, 2014 5:36:24 PM
Subject: RE: RHEL7 scanning (UNCLASSIFIED)
We're starting on RHEL7 to prepare our configuration management system, etc. for when 7 is blessed and we can deploy it, and of course STIGs are a big part of that. Is it reasonable to expect that they will closely parallel the RHEL6 STIG? Permissions/ownership, audit rules, sysctl, GDM, etc.
There definitely is motivation for the RHEL-7 content to cover the same areas of the system as the RHEL-6 one was / is doing (plus add specific rules for the enhancements / new features that appeared in RHEL-7).
Of course this effort will take some time, therefore I would not want to promise any ETAs / time periods to you. A couple of the reasons for the delayed RHEL-7 content delivery:
- existing RHEL-6 rules need to be re-tested against a RHEL-7 system (if they still work properly),
- some features / capabilities will require OVAL language enhancements (this process by itself takes some time),
- the newly introduced features will require completely new rules to be written.
In short yes, there definitely is willingness for the RHEL-7 content to be as capable as the RHEL-6 one currently is. But I would like to avoid having to make statements about when this will happen (basically the community can expect the RHEL-7 content to be improved in the upcoming releases).
That's fwiw regarding the SCAP content author PoV. For the timeline / updates regarding official RHEL-7 STIG content evolution (& locations for its download etc.), please ask Shawn <- Shawn, can you possibly weigh in on this?
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
On 7/1/14, 12:03 PM, Jan Lieskovsky wrote:
That's fwiw regarding the SCAP content author PoV. For the timeline / updates regarding official RHEL-7 STIG content evolution (& locations for its download etc.), please ask Shawn <- Shawn, can you possibly weigh in on this?
I've been speaking with DISA FSO, and have the new RHEL7 OS SRG requirements. Will get them posted this afternoon (US Eastern) with a proper writeup of where things are headed.
On 07/01/2014 11:11 AM, Shawn Wells wrote:
I've been speaking with DISA FSO, and have the new RHEL7 OS SRG requirements. Will get them posted this afternoon (US Eastern) with a proper writeup of where things are headed.
Great! (we're also staying tuned to this RHEL7 thread here)
On 7/1/14, 12:11 PM, Shawn Wells wrote:
I've been speaking with DISA FSO, and have the new RHEL7 OS SRG requirements. Will get them posted this afternoon (US Eastern) with a proper writeup of where things are headed.
Created an initial wiki page to track RHEL7 STIG progress. Not much there, but will be the primary landing page for updates, documents, and general communication: https://github.com/OpenSCAP/scap-security-guide/wiki/RHEL7-STIG-Project-Page
You'll find a link to DISA FSO's requirements on the wiki page. FSO released a new OS SRG this year for which RHEL7 will have to attest against. A direct link: http://people.redhat.com/swells/RHEL7_STIG_REQUIREMENTS.xlsx
Next Steps:
- In the second column of FSO's spreadsheet you will notice the CCI number. The next step is to sort through each CCI and bucket them as follows:
  * Impractical Requirement: aka, expecting RHEL to antivirus scan all incoming TCP/IP packets: RHEL is not an A/V
  * Cannot be configured out of compliance: aka, automatic auditing of user login events doesn't require a specific configuration check, as this is hard coded behavior
  * Permanent Findings: Things that will always be a finding, and must be mitigated
  * Questionable Requirement: Things we need clarification on
I've created a wiki page to start the bucketing process. I'll be going through the requirements over the next couple days... extra eyes are most welcome! Please add comments here: https://github.com/OpenSCAP/scap-security-guide/wiki/RHEL7-STIG-Settings-Rev...
- Once the spreadsheet is reviewed, are there things which should be added into the STIG which were not covered in a CCI? Place them on the wiki: https://github.com/OpenSCAP/scap-security-guide/wiki/RHEL7-STIG-Settings-Rev...
Once we've a handle on the "CCI bucketing," Red Hat will formally submit the comments to DISA FSO. They'll make a determination on which requirements will be dropped (e.g. if they agree on Impractical / Questionable items), and which CCI requirements can be labelled as Permanent Non-Findings (aka, we don't have to write guidance against them at all). Ideally, we'll be submitting that list to DISA FSO on Friday.
Wanted to get this quick call to action out to the community. It's 2239, I'm still at the office, and I'm now heading home to bed ;) Will respond more in the AM to outline estimated timelines.
Shawn
On 07/01/2014 05:36 PM, Shaw, Ray V CTR USARMY ARL (US) wrote:
Hope I'm not being a bother, but if possible, would someone mind weighing in on this? Scanning on RHEL7 isn't particularly useful right now, and we'd like to lock it down as soon as possible.
Hello Ray,
Thank You for checking with us.
The RHEL6 part of the content is well matured and the next natural step is to enhance the RHEL7 part. So it is near on the road maps. However, I am unable to comment further.
The RHEL6 content could be created by just copying RHEL6 over. However, it was decided that we want to put more diligence into creating RHEL7 content.
That being said, SCAP Security Guide is an open source project, and if you or your organization feels that more thorough STIG guidance is needed, you are very welcome to contribute!
The other option is to file a customer ticket with your software provider to indicate that SCAP content is an essential deliverable for you.
Best regards,