I'm in the process of upgrading to RHEL8, and need to analyze the STIG rules since my project had waivers in place for some of the rules in earlier RHEL versions. My team would like to use the SCAP Security Guide as the source of our content for scans, and so the plan was to review the rules from the SSG's RHEL8 STIG profile. I thought it would be pretty easy to just get a list of the rules with their ids, titles, and descriptions, but have run into a couple of issues.
First, I am seeing a lot of differences between the ruleset I can download directly from DISA (their manual xccdf for RHEL8 STIG - draft) and the ruleset in the SSG RHEL8 STIG profile. Figured the titles might not have been brought over from the DISA STIG verbatim, so thought it might be better to align them by identifier, which leads to the second problem...
I can't find any identifiers in common between the DISA STIG and the SSG profile. DISA has indicated that STIG IDs (e.g. RHEL-08-010050) are the way to go moving forward, and only provides these ids in their draft STIG. SSG on the other hand, provides CCEs (presumably ones that it generates from a pool allocated by NIST), vul group ids, and sub-vul rule ids, but does not appear to provide the STIG IDs (I've looked in the table-rhel8-nistrefs-stig.html file of the 0.1.50 release and in the scan report from scanning my system).
I would appreciate guidance on how to correlate these two sources and ideally where STIG IDs can be found in SSG STIG content since these seem to be DISA's preferred identifier going forward.
Both sets of content (DISA and SSG) are still considered in draft right now. The vendor content was sent to DISA in early December for their review. We were all a little surprised at the draft that was published since it deviated from what had been sent. The STIG IDs were left out of the SSG content since the STIG IDs are assigned by DISA. Once the STIG content reaches a final version, the STIG IDs will be added to the SSG.
For now, the best way of matching the two content lists is to use the SRG-ID. It is not perfect, but it will get you close to a match (at least in the right area).
R/ Ted
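One way to do the SRG-ID matching Ted describes, as an added example that is not from this thread or from the SSG project: it parses a DISA-style manual XCCDF (SRG ID in each Group title, STIG ID in the Rule's version element) and an SSG-style XCCDF (SRG IDs as reference text on each Rule), then lists candidate matches per SRG ID plus the rules only one side has. The sample XML, the V-/SV- numbers, the CCE, the href values and all STIG IDs other than RHEL-08-010050 are constructed; it assumes Python 3.8+ for the namespace wildcard.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

SRG_RE = re.compile(r"SRG-OS-\d{6}-GPOS-\d{5}")

# Constructed sample in the shape of DISA's manual XCCDF: each Group <title> is the
# SRG ID, each Rule <version> is the STIG ID. Only RHEL-08-010050 is from the thread.
DISA_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
<Group id="V-000001"><title>SRG-OS-000480-GPOS-00227</title>
<Rule id="SV-000001_rule"><version>RHEL-08-010050</version>
<title>Constructed DISA rule A</title></Rule></Group>
<Group id="V-000002"><title>SRG-OS-000480-GPOS-00227</title>
<Rule id="SV-000002_rule"><version>RHEL-08-010060</version>
<title>Constructed DISA rule B (same SRG as A)</title></Rule></Group>
<Group id="V-000003"><title>SRG-OS-000023-GPOS-00006</title>
<Rule id="SV-000003_rule"><version>RHEL-08-010070</version>
<title>Constructed DISA rule C (no SSG counterpart)</title></Rule></Group>
</Benchmark>"""

# Constructed sample in the shape of SSG's XCCDF: SRG IDs appear as <reference> text
# on each Rule next to its CCE <ident>; the CCE and href values are placeholders.
SSG_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
<Rule id="xccdf_org.ssgproject.content_rule_constructed_a">
<title>Constructed SSG rule A</title>
<ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-0</ident>
<reference href="PLACEHOLDER-SRG-URL">SRG-OS-000480-GPOS-00227</reference></Rule>
<Rule id="xccdf_org.ssgproject.content_rule_constructed_b">
<title>Constructed SSG rule B (no DISA counterpart)</title>
<reference href="PLACEHOLDER-SRG-URL">SRG-OS-000021-GPOS-00005</reference></Rule>
</Benchmark>"""

def disa_rules_by_srg(xml_text):
    """Map SRG ID -> [(STIG ID, title)] from a DISA-style manual XCCDF."""
    out = defaultdict(list)
    for group in ET.fromstring(xml_text).iterfind(".//{*}Group"):
        srg = SRG_RE.search(group.findtext("{*}title", default=""))
        if not srg:
            continue  # a Group without an SRG title cannot be correlated this way
        for rule in group.iterfind(".//{*}Rule"):
            out[srg.group(0)].append((rule.findtext("{*}version", default="").strip(),
                                      rule.findtext("{*}title", default="").strip()))
    return out

def ssg_rules_by_srg(xml_text):
    """Map SRG ID -> [(SSG rule id, title)] from an SSG-style XCCDF. A rule citing
    several SRGs is listed under each of them."""
    out = defaultdict(list)
    for rule in ET.fromstring(xml_text).iterfind(".//{*}Rule"):
        entry = (rule.get("id", ""), rule.findtext("{*}title", default="").strip())
        for ref in rule.iterfind("{*}reference"):
            for srg in SRG_RE.findall(ref.text or ""):
                out[srg].append(entry)
    return out

def correlate(disa, ssg):
    """Return (matched, disa_only, ssg_only); matched maps SRG ID -> (DISA rules, SSG
    rules) and is a candidate set to review by hand, not a one-to-one mapping."""
    matched = {srg: (disa[srg], ssg[srg]) for srg in sorted(disa) if srg in ssg}
    return matched, sorted(set(disa) - set(ssg)), sorted(set(ssg) - set(disa))
```

Because several STIG rules share one SRG ID, the matched output is a shortlist per SRG rather than a definitive pairing, which is the imprecision Ted warns about.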
On Wed, Jul 8, 2020 at 12:14 PM N B frostynate@fedoraproject.org wrote:
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
Very helpful info. Thanks. Glad to know it's just a draft-thing getting in the way of this.
Do you expect DISA will come around to something closer to what SSG's draft says or that SSG is more likely to need to accommodate the deviations in DISA's draft?
Thanks again.
Out of curiosity, how much of a delta between the two? I don’t have cycles right now to do a side by side comparison.
Thanks,
Mark Salowitz
From: Ted Brunell tbrunell@redhat.com Sent: Wednesday, July 8, 2020 2:20 PM To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: [Non-DoD Source] Re: Help needed identifying and correlating rules in SCAP Security Guide for RHEL8 STIG (draft)
About 235 comments were sent to DISA. The SCAP Security Guide received about 85 comments - mostly changing SRG IDs and adding in rules that were inherently met and were in the draft STIG but not in the SSG content.
R/ Ted
On Thu, Jul 9, 2020 at 7:22 AM Salowitz, Mark A CTR <Mark.A.Salowitz@uscg.mil> wrote:
Thank you, that helps!
Mark Salowitz
From: Ted Brunell tbrunell@redhat.com Sent: Thursday, July 9, 2020 8:58 AM To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: [Non-DoD Source] Re: Help needed identifying and correlating rules in SCAP Security Guide for RHEL8 STIG (draft)