Hello,
I'm a new OpenSCAP user and I write here because I have a question about DISA STIG compliance.
Before using OpenSCAP on my project, I need to validate the coverage rate of the STIG OpenSCAP profile against the DISA STIG XCCDF.
I found a lot of data in the generated output but I must admit it's a little bit difficult for me to understand how it is organized.
Actually, I'm just looking for some kind of mapping in order to know if there is an OpenSCAP checker for each DISA rule specified in the XCCDF provided here: http://iase.disa.mil/stigs/Pages/a-z.aspx
If I understood correctly, DISA specified general security requirements (SRG-XXXXX-GPOS-XXXXX) and derived some specific SCAP rules with the format RHEL-07-XXXXXX.
So for me, I just need to find if there is an OpenSCAP checker in the RHEL7 profile for each DISA derived rule RHEL-07-XXXXXX.
I found the stig_overlay.xml file in the RHEL/7/input directory but it seems the mapping is done against the RHEL6 rules.
So I'm a little confused. That's why I'm looking for some official information about a coverage rate against the DISA rules, or for a way to generate it from the OpenSCAP input.
Thanks for your answers.
Regards, Olivier Bonhomme
Hello,
Both the DISA SRGs and STIGIDs are added to the applicable RHEL/7 content. You can verify this with either `grep -rniE 'stigid|srg' RHEL/7/input/xccdf` or `grep -E 'SRG|RHEL-07' ssg-rhel7-xccdf.xml` (the `-E` is needed so that `|` is read as alternation rather than a literal character). Also, when a report is generated with the oscap --report option, the SRG and STIGID identifiers can be viewed in the report.
Gabe
On Tue, Oct 4, 2016 at 8:08 AM, Olivier BONHOMME obonhomme@nerim.net wrote:
Le 04/10/2016 à 16:26, Gabe Alford a écrit :
Hello Gabe,
Thanks for your answer. So I tried to write a little script which takes the XCCDF file downloaded from the DISA site and tries to find the matching rules in the RHEL/7/input/xccdf/*.xml files.
For now, I just focused on the stigid identifiers, not on the SRG ones. Actually the result is that I have 97 rules matching the DISA XCCDF upstream file.
Do you think it is a relevant number?
Browsing the OpenSCAP XCCDF files I realised that there were some DISA rules that may already be covered but that don't actually have a stigid attribute attached to them.
Do you think it would be relevant if I tried to complete the OpenSCAP XCCDF files with the missing stigid where matches can be found against the DISA XCCDF upstream file? Or is that definitely not the process?
Thanks for your answer.
Regards, Olivier Bonhomme
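The kind of STIG ID matching script described in the mail above, written here as an added example (it is not Olivier's script and not part of the scap-security-guide project). It assumes that DISA puts the RHEL-07-XXXXXX identifier in each Rule's `<version>` element with the V-XXXXX number as the enclosing Group id, and that SSG input files carry a `<ref stigid="..."/>` inside each `<Rule>`; the two XML samples are constructed so the script runs offline.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    return tag.rsplit('}', 1)[-1]  # drop the XCCDF namespace prefix, if any


def disa_stig_ids(xccdf_text):
    # Assumption: DISA stores the RHEL-07-XXXXXX identifier in each Rule's
    # <version> element (the V-XXXXX number is the enclosing Group's id).
    ids = {}
    for rule in ET.fromstring(xccdf_text).iter():
        if _local(rule.tag) == 'Rule':
            fields = {_local(c.tag): (c.text or '').strip() for c in rule}
            if fields.get('version'):
                ids[fields['version']] = fields.get('title', '')
    return ids


def ssg_stigid_refs(xml_text):
    # Assumed SSG convention: <Rule id="..."><ref stigid="RHEL-07-..."/></Rule>
    refs = {}
    for rule in ET.fromstring(xml_text).iter():
        if _local(rule.tag) != 'Rule':
            continue
        for ref in rule.iter():
            if _local(ref.tag) == 'ref':
                for sid in (ref.get('stigid') or '').replace(' ', '').split(','):
                    if sid:
                        refs.setdefault(sid, set()).add(rule.get('id'))
    return refs


def coverage(disa_ids, ssg_refs):
    # Split the DISA IDs into those backed by at least one SSG rule and those without.
    covered = {sid: sorted(ssg_refs[sid]) for sid in disa_ids if sid in ssg_refs}
    missing = {sid: disa_ids[sid] for sid in disa_ids if sid not in ssg_refs}
    return covered, missing


# Constructed samples (not real DISA or SSG content) so the script runs offline.
DISA_SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
<Group id="V-000001"><Rule id="SV-000001r1_rule"><version>RHEL-07-000010</version>
<title>Vendor file permissions</title></Rule></Group>
<Group id="V-000002"><Rule id="SV-000002r1_rule"><version>RHEL-07-000020</version>
<title>Vendor file hashes</title></Rule></Group></Benchmark>"""
SSG_SAMPLE = """<Group id="software"><Rule id="rpm_verify_permissions">
<ref nist="CM-6(d)" stigid="RHEL-07-000010"/></Rule>
<Rule id="no_stigid_yet"><ref nist="CM-6(d)"/></Rule></Group>"""


def sample_report():
    covered, missing = coverage(disa_stig_ids(DISA_SAMPLE), ssg_stigid_refs(SSG_SAMPLE))
    return covered, missing, len(covered) / (len(covered) + len(missing))
```

For a real run, feed `disa_stig_ids` the text of the XCCDF downloaded from the DISA site and merge the `ssg_stigid_refs` results of every file under RHEL/7/input/xccdf; the `missing` dict is then the list of DISA rules with no stigid-referenced SSG rule, which is the coverage gap the mail asks about.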
On 10/4/16 4:51 PM, Olivier BONHOMME wrote:
Since you appear to be working from source: `make tables` is your friend :)
It'll generate HTML mapping tables, such as these:
"What rules map to a given OS SRG?" http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel...
"What NIST 800-53 controls are satisfied, and how?" http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel...
On Tue, Oct 04, 2016 at 10:15:04PM -0400, Shawn Wells wrote:
Hello Shawn,
Thanks for these two links but to be honest I'm a little bit confused about the available information.
That's why I have several questions in order to improve my understanding:
- On the srgmap table, does the "rules mapped" column refer to the OpenSCAP profile?
- On the srgmap table, are all the SRG rules from DISA listed, even the ones without a matching test? Actually, as I said in my first mail, I am trying to get a status of the DISA STIG rules that are covered by the OpenSCAP profile and, above all, of the rules that are not covered.
Referring to my last question, I have another one: I thought that instead of considering the general SRG rules, it would be more relevant to consider the derived RHEL-07-XXXXXX rules, which are product specific. I found this table in the output directory: http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel.... Could it be relevant to put the OpenSCAP test in front of each RHEL-07-XXXXXX in order to have a coverage rate against the DISA product specific rules?
I thought that mapping was done with the stig_auxiliary file but actually the RHEL rules specified in that XML file are for RHEL6 and not for RHEL7. Is it normal that there are RHEL-06-XXXXX rules in that file for the RHEL7 input? It seems a little bit strange to me.
I also looked at the disa-os-srg-v1r1.xml file but the rules are not named like in the latest file provided on the DISA site: rules are in the format V-XXXXXX instead of RHEL-07-XXXXXX. Is it normal?
Thanks for your answers
Regards, Olivier Bonhomme
Hello the list,
I made this little sheet https://hosting.ptitoliv.net/owncloud/index.php/s/ZUIwPiXXfvqntA6 where I tried to map DISA STIG rules against the OpenSCAP rules located in the input/xccdf directory.
I found there were several rules (63) which didn't have a declared OpenSCAP rule stigid reference but actually had a matching rule. So I put a matching OpenSCAP rule in front of each of these rules.
You can show these rules in the sheet using the following filter:
- Matching rule status: Checked by OB
- Potential OSCAP Matching rule: Everything except "Not Available"
Do you think it is relevant? If it is, would you accept some PRs to update the stigid reference for these rules?
I also detected 76 DISA rules without any matching test. Is it planned for the scap-security-guide project to create new rules in order to have complete (or almost complete) coverage against the DISA STIG XCCDF?
Thanks for your answers
Regards, Olivier Bonhomme
Nice list. Waiting for other responses.
Dan White | d_e_white@icloud.com
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)
On Oct 12, 2016, at 12:13 PM, Olivier BONHOMME obonhomme@nerim.net wrote:
Shawn Wells
On Oct 12, 2016, at 12:38 PM, Dan White d_e_white@icloud.com wrote:
On Oct 12, 2016, at 12:13 PM, Olivier BONHOMME obonhomme@nerim.net wrote:
Thank you for doing this! Patches that map RHEL-07-* identifiers to SSG rules would be awesome.
Intent is definitely to have full coverage. Viewing from cell phone now, so a bit hard to identify which rules are in DISA edition but not in SSG.