Hi All,
The GIT repo contains the file RHEL6/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml. This is not part of the zipfile you can download from http://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=1059.
I could not find a Makefile target that creates it. What is its origin?
Regards, Willem.
This should be the same semantically (as the authoritative version from iase.disa.mil) -- I just ran it through xmllint (or was it tidy?) to make it readable in a text editor. (And yes, I should have documented this.)
I really can't remember which, but if you'd like to do a quick re-run of each and compare, it would certainly be good for us to document its congruence with the official version :)
(Also note that we are not the maintainers of that content for RHEL 5.)
On 08/06/2012 03:00 AM, Willem Bos wrote:
Hi All,
The GIT repo contains the file RHEL6/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml. This is not part of the zipfile you can download from http://web.nvd.nist.gov/view/ncp/repository/checklist/download?id=1059.
I could not find a Makefile target that creates it. What is its origin?
Regards, Willem.
Hi Jeffrey,
Thanks for your response. I'll run the comparison tomorrow and post the results. I'm new to xmllint (and SCAP for that matter) but I'll give it my best :)
Regards, Willem.
On Mon, Aug 6, 2012 at 4:20 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
This should be the same semantically (as the authoritative version from iase.disa.mil) -- I just ran it through xmllint (or was it tidy?) to make it readable in a text editor. (And yes, I should have documented this.)
I really can't remember which, but if you'd like to do a quick re-run of each and compare, it would certainly be good for us to document its congruence with the official version :)
(Also note that we are not the maintainers of that content for RHEL 5.)
Hi Jeffrey,
Are you sure disa-stig-rhel5-v1r0.6-xccdf-manual.xml is based on disa-stig-rhel5-v1r0.6-xccdf.xml?
The *-manual.xml file contains a lot more <title>GEN*</title> tags:
grep -c '<title>GEN' U_RedHat_5_V1R0.6_STIG_Benchmark-xccdf.xml
350
grep -c '<title>GEN' scap-security-guide/RHEL6/references/disa-stig-rhel5-v1r0.6-xccdf.xml
350
grep -c '<title>GEN' scap-security-guide/RHEL6/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
569
Maybe I'm missing something obvious but like I said, I'm new to this stuff :)
Regards, Willem.
Every gen Id in the benchmark is in the manual. The manual contains all 350 plus an extra 219.
On Aug 7, 2012 1:41 PM, "Willem Bos" whbos@xs4all.nl wrote:
Hi Jeffrey,
Are you sure disa-stig-rhel5-v1r0.6-xccdf-manual.xml is based on disa-stig-rhel5-v1r0.6-xccdf.xml?
The *-manual.xml file contains a lot more <title>GEN*</title> tags:
grep -c '<title>GEN' U_RedHat_5_V1R0.6_STIG_Benchmark-xccdf.xml
350
grep -c '<title>GEN' scap-security-guide/RHEL6/references/disa-stig-rhel5-v1r0.6-xccdf.xml
350
grep -c '<title>GEN' scap-security-guide/RHEL6/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml
569
Maybe I'm missing something obvious but like I said, I'm new to this stuff :)
Regards, Willem.
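The two comparisons discussed so far in the thread (whether a reformatted copy is still semantically the same file, and which GEN ids the manual has that the benchmark lacks) can be scripted as below. This is an added example, not part of the original messages or of the scap-security-guide repository. The XCCDF snippets, the GEN9xxxxx ids and the "C-constructed_chk" check system are constructed placeholders, and the code assumes GEN ids appear as Group titles, as the grep pattern above implies.

```python
import hashlib
import xml.etree.ElementTree as ET

OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"


def _local(tag):
    """Drop the '{namespace}' part so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def semantic_digest(xml_text):
    """SHA-256 over a normalised form that ignores indentation, line wrapping,
    attribute order, namespace prefixes and comments (what a pretty-printer may
    change), but not element names, attribute values or text content."""
    root = ET.fromstring(xml_text)  # the default parser drops comments
    for el in root.iter():
        el.text = " ".join((el.text or "").split()) or None
        el.tail = " ".join((el.tail or "").split()) or None
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def gen_checks(xml_text):
    """Map each GEN id (Group title) to the set of check systems used under it."""
    index = {}
    for group in ET.fromstring(xml_text).iter():
        if _local(group.tag) != "Group":
            continue
        title = next((c.text or "" for c in group if _local(c.tag) == "title"), "")
        title = title.strip()
        if not title.startswith("GEN"):
            continue
        systems = {el.get("system") for el in group.iter()
                   if _local(el.tag) == "check"}
        index.setdefault(title, set()).update(systems)
    return index


def compare(benchmark_xml, manual_xml):
    """Set comparison of GEN ids, plus which benchmark ids carry an OVAL check."""
    bench, manual = gen_checks(benchmark_xml), gen_checks(manual_xml)
    return {
        "missing_from_manual": sorted(set(bench) - set(manual)),
        "manual_only": sorted(set(manual) - set(bench)),
        "automated": sorted(g for g, s in bench.items() if OVAL_SYSTEM in s),
    }


# --- constructed sample documents (not DISA content) ------------------------
def _group(n, system, indent=""):
    return (f'{indent}<Group id="G-{n}">{indent}<title>GEN90000{n}</title>'
            f'{indent}<Rule severity="medium" id="R-{n}">'
            f'{indent}<check system="{system}"/>{indent}</Rule>{indent}</Group>')


def _doc(parts):
    return f'<Benchmark xmlns="{XCCDF_NS}">' + "".join(parts) + "</Benchmark>"


BENCHMARK = _doc(_group(n, OVAL_SYSTEM) for n in (1, 2))
# Same content after a pretty-printer: indented, a comment added, and one
# Rule's attributes written in a different order.
PRETTY = _doc(["<!-- reformatted copy -->"]
              + [_group(n, OVAL_SYSTEM, "\n  ") for n in (1, 2)])
PRETTY = PRETTY.replace('severity="medium" id="R-1"', 'id="R-1" severity="medium"')
# A copy whose content really changed (one GEN id differs).
TAMPERED = BENCHMARK.replace("GEN900002", "GEN900009")
# The "manual" variant: every benchmark id plus one more, none with OVAL checks.
MANUAL = _doc(_group(n, "C-constructed_chk") for n in (1, 2, 3))

if __name__ == "__main__":
    print("pretty copy equivalent:",
          semantic_digest(BENCHMARK) == semantic_digest(PRETTY))
    print("tampered copy equivalent:",
          semantic_digest(BENCHMARK) == semantic_digest(TAMPERED))
    print(compare(BENCHMARK, MANUAL))
```

For real files, pass the file contents as bytes (for example `open(path, "rb").read()`) so the parser honours the encoding declared in the XML prolog.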
Hi Shannon,
Thanks. OK, so where do the extra ids come from? I grep-ed the whole scap-security-guide directory on an id from the *-manual.xml file but - apart from the file itself - got no results...
Regards, Willem.
On Tue, Aug 7, 2012 at 9:20 PM, Shannon Mitchell shannon.mitchell@merlintechs.com wrote:
Every gen Id in the benchmark is in the manual. The manual contains all 350 plus an extra 219.
I'm just guessing here, but it looks like the manual is meant to be the full thing. The OVAL language seems very limited on what it can do, so it only takes care of a small subset of the full set of checks. The bad thing is that it looks like the Nessus scans that I have seen run against my systems check for all of them and not just the 350 in the benchmark.
On Tue, Aug 7, 2012 at 4:03 PM, Willem Bos whbos@xs4all.nl wrote:
Hi Shannon,
Thanks. OK, so where do the extra ids come from? I grep-ed the whole scap-security-guide directory on an id from the *-manual.xml file but - apart from the file itself - got no results...
Regards, Willem.
Shannon hit it on the head. The xccdf-manual includes "procedural" checks that cannot be automated with OVAL. An example of that would be that there are government policies mandating proper backups; however, there isn't a single system flag or command that can verify this. The intent is to process "procedural checks" using OCIL; however, that is still very much evolving.
Note that the disa-stig-* files are included for us to reference while we build out content for the RHEL6 STIG. As a community we wanted to ensure that we inherited RHEL5 STIG controls where appropriate, so we dropped the disa-stig-* files into the RHEL6/references directory to allow developers to double check things. Those files absolutely should not be considered official DISA content!
In regards to SSG output, things will still be dropped into rhel6-xccdf-scap-security-guide.xml.
-Shawn
On 8/7/12 4:14 PM, Shannon Mitchell wrote:
I'm just guessing here, but it looks like the manual is meant to be the full thing. The OVAL language seems very limited on what it can do, so it only takes care of a small subset of the full set of checks. The bad thing is that it looks like the Nessus scans that I have seen run against my systems check for all of them and not just the 350 in the benchmark.
It’s sad to see DISA SCAP taking the community 3 steps forward 4 steps back.
We now have more manual checks than when we were using the SRR’s and no standardization or reporting format. These two things combined make it difficult to use the SCAP since we now have to run the XCCDF / OVAL checks, go back into the manual checks, figure out what wasn’t addressed, and then do it manually.
Honestly, it would take more time just to do the full 600 checks manually than to mess around with the ½ put together content.
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Shawn Wells
Sent: Tuesday, August 07, 2012 3:04 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: disa-stig-rhel5-v1r0.6-xccdf-manual.xml
Shannon hit it on the head. The xccdf-manual includes "procedural" checks that cannot be automated with OVAL. An example of that would be that there are government policies mandating proper backups; however, there isn't a single system flag or command that can verify this. The intent is to process "procedural checks" using OCIL; however, that is still very much evolving.
Note that the disa-stig-* files are included for us to reference while we build out content for the RHEL6 STIG. As a community we wanted to ensure that we inherited RHEL5 STIG controls where appropriate, so we dropped the disa-stig-* files into the RHEL6/references directory to allow developers to double check things. Those files absolutely should not be considered official DISA content!
In regards to SSG output, things will still be dropped into rhel6-xccdf-scap-security-guide.xml.
-Shawn
One of the major items we are (or should be) working is tagging the items that are truly manual and working with FSO to try to figure out which of these need to be included in the scap-security-guide content for the RHEL 6 STIG profile. A major related question is how much manual stuff the Windows STIGs require.
I discussed this on Monday a bit with Shawn.
On 08/07/2012 09:47 PM, Vincent Passaro wrote:
It’s sad to see DISA SCAP taking the community 3 steps forward 4 steps back.
We now have more manual checks than when we were using the SRR’s and no standardization or reporting format. These two things combined make it difficult to use the SCAP since we now have to run the XCCDF / OVAL checks, go back into the manual checks, figure out what wasn’t addressed, and then do it manually.
Honestly, it would take more time just to do the full 600 checks manually than to mess around with the ½ put together content.
On 08/07/2012 09:47 PM, Vincent Passaro wrote:
It’s sad to see DISA SCAP taking the community 3 steps forward 4 steps back.
We now have more manual checks than when we were using the SRR’s and no standardization or reporting format. These two things combined make it difficult to use the SCAP since we now have to run the XCCDF / OVAL checks, go back into the manual checks, figure out what wasn’t addressed, and then do it manually.
This is in large part due to the absence of a generally accepted evaluation scheme (a "check language" in SCAP parlance) that allowed the use of scripting languages in a mechanized fashion (and no, I'm not talking about evaluations that cannot be performed on the ToE: that's what OCIL is for). OVAL is inadequately expressive to handle, easily if at all, many desired evaluations. The SCAP community (minus me at least) has for many years resisted the introduction of arbitrary scripting into OVAL. The resistance occurs at the dogma or doctrine level, not at the implementation level.
There are already people using scripting languages within the general context of SCAP-like checklist documents. It works, and works well. See, e.g., CIS XML content (available to CIS members only, unfortunately), and Peter Vrabec's slides http://people.redhat.com/pvrabec/openscap/openscap-aqueduct.pdf from the 20120512 Aqueduct community call. What's lacking is general assent that scripting languages should be used, and a structure in which such scripting languages can be expressed that is compatible with, e.g., XCCDF, as well as fostering uniformity of expression. I'd like to see at least shell commands and possibly Python. The former is IMO a necessity; most POSIX-like systems can be interrogated, and additionally configured, using commands executed within the context of a shell, and a shell is almost always present (not so for network gear and the like, but that's an arena for separate discussions).
And yes, scripting will work for "remediation" as well.
@Shawn/Shannon: Thanks a lot for explaining OVAL vs. XCCDF.
@Jeffrey: this goes beyond simply re-running the files through tidy & xmllint so I'll leave it at this. If there's anything I can do just let me know.
Regards, Willem.
On Wed, Aug 8, 2012 at 12:04 AM, Shawn Wells shawn@redhat.com wrote:
Shannon hit it on the head. The xccdf-manual includes "procedural" checks that cannot be automated with OVAL. An example of that would be that there are government policies mandating proper backups; however, there isn't a single system flag or command that can verify this. The intent is to process "procedural checks" using OCIL; however, that is still very much evolving.
Note that the disa-stig-* files are included for us to reference while we build out content for the RHEL6 STIG. As a community we wanted to ensure that we inherited RHEL5 STIG controls where appropriate, so we dropped the disa-stig-* files into the RHEL6/references directory to allow developers to double check things. Those files absolutely should not be considered official DISA content!
In regards to SSG output, things will still be dropped into rhel6-xccdf-scap-security-guide.xml.
-Shawn