The DISA STIGViewer isn't about to correlate the Redhat STIG with any of the items from a Rhel/CentOS xml file created by openscap. This means that all of the items must be updated manually.
Would it be possible to get the output to be recognized by the DISA STIGViewer? I'm not sure what openscap does differently from the SPAWAR SCC tool, which can be imported into the STIGViewer.
The openscap xml output is also not processed by the vulnerator tool, but it will handle the SCC xml files.
David Paige
Yeah, someone else has this issue.
Matthew Conley 912-398-6704
On Aug 17, 2017 1:03 PM, "Paige, David B CTR USARMY ICOE (US)" < david.b.paige.ctr@mail.mil> wrote:
The DISA STIGViewer isn't about to correlate the Redhat STIG with any of the items from a Rhel/CentOS xml file created by openscap. This means that all of the items must be updated manually.
Would it be possible to get the output to be recognized by the DISA STIGViewer? I'm not sure what openscap does differently from the SPAWAR SCC tool, which can be imported into the STIGViewer.
The openscap xml output is also not processed by the vulnerator tool, but it will handle the SCC xml files.
David Paige _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org
On 8/17/17 1:02 PM, Paige, David B CTR USARMY ICOE (US) wrote:
The DISA STIGViewer isn't about to correlate the Redhat STIG with any of the items from a Rhel/CentOS xml file created by openscap. This means that all of the items must be updated manually.
Would it be possible to get the output to be recognized by the DISA STIGViewer? I'm not sure what openscap does differently from the SPAWAR SCC tool, which can be imported into the STIGViewer.
The openscap xml output is also not processed by the vulnerator tool, but it will handle the SCC xml files.
OpenSCAP generates SCAP content. STIGViewer (and SCC) built in DISA's proprietary extensions/formats.
In theory this would be a matter of applying an XSLT to restructure the properly formatted SCAP results into whatever DISA needs.
Please do ask DISA to support the standard SCAP formats if at all possible.
I haven't been able to find any of their internal formats yet I'm trying to automate the generation of content for them.
This really is not helpful to their user base.
Trevor
On Thu, Aug 17, 2017 at 9:58 PM, Shawn Wells shawn@redhat.com wrote:
On 8/17/17 1:02 PM, Paige, David B CTR USARMY ICOE (US) wrote:
The DISA STIGViewer isn't about to correlate the Redhat STIG with any of
the items from a Rhel/CentOS xml file created by openscap. This means that all of the items must be updated manually.
Would it be possible to get the output to be recognized by the DISA
STIGViewer? I'm not sure what openscap does differently from the SPAWAR SCC tool, which can be imported into the STIGViewer.
The openscap xml output is also not processed by the vulnerator tool,
but it will handle the SCC xml files.
OpenSCAP generates SCAP content. STIGViewer (and SCC) built in DISA's proprietary extensions/formats.
In theory this would be a matter of applying an XSLT to restructure the properly formatted SCAP results into whatever DISA needs. _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org
On 8/18/17 10:20 AM, Trevor Vaughan wrote:
Please do ask DISA to support the standard SCAP formats if at all possible.
I haven't been able to find any of their internal formats yet I'm trying to automate the generation of content for them.
This really is not helpful to their user base.
Having end-customers/users make the requests would be ideal:
https://iase.disa.mil/stigs/Pages/contact.aspx
disa.stig_spt@mail.mil
I will drop them a note and see if they have any plans to support the standard SCAP formats.
-----Original Message----- From: Shawn Wells [mailto:shawn@redhat.com] Sent: Friday, August 18, 2017 9:13 AM To: scap-security-guide@lists.fedorahosted.org Subject: [Non-DoD Source] Re: oscap output and STIG Viewer
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
----
On 8/18/17 10:20 AM, Trevor Vaughan wrote:
Please do ask DISA to support the standard SCAP formats if at all possible.
I haven't been able to find any of their internal formats yet I'm trying to automate the generation of content for them.
This really is not helpful to their user base.
Having end-customers/users make the requests would be ideal:
Caution-https://iase.disa.mil/stigs/Pages/contact.aspx
disa.stig_spt@mail.mil _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
OpenSCAP will not be supported. There is a benchmark in development which will correspond to the RHEL7 STIG.
-----Original Message----- From: Shawn Wells [mailto:shawn@redhat.com] Sent: Friday, August 18, 2017 9:13 AM To: scap-security-guide@lists.fedorahosted.org Subject: [Non-DoD Source] Re: oscap output and STIG Viewer
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
----
On 8/18/17 10:20 AM, Trevor Vaughan wrote:
Please do ask DISA to support the standard SCAP formats if at all possible.
I haven't been able to find any of their internal formats yet I'm trying to automate the generation of content for them.
This really is not helpful to their user base.
Having end-customers/users make the requests would be ideal:
Caution-https://iase.disa.mil/stigs/Pages/contact.aspx
disa.stig_spt@mail.mil _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Sadly, this is the response I expected. DISA is not being asked to support OpenSCAP. They're being asked to comply with SCAP, which, last time I checked, is a standard published by NIST.
Embrace and extend.
Tom A.
-----Original Message----- From: Paige, David B CTR USARMY ICOE (US) [mailto:david.b.paige.ctr@mail.mil] Sent: Friday, August 18, 2017 1:36 PM To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: EXTERNAL: RE: [Non-DoD Source] Re: oscap output and STIG Viewer
OpenSCAP will not be supported. There is a benchmark in development which will correspond to the RHEL7 STIG.
-----Original Message----- From: Shawn Wells [mailto:shawn@redhat.com] Sent: Friday, August 18, 2017 9:13 AM To: scap-security-guide@lists.fedorahosted.org Subject: [Non-DoD Source] Re: oscap output and STIG Viewer
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
----
On 8/18/17 10:20 AM, Trevor Vaughan wrote:
Please do ask DISA to support the standard SCAP formats if at all possible.
I haven't been able to find any of their internal formats yet I'm trying to automate the generation of content for them.
This really is not helpful to their user base.
Having end-customers/users make the requests would be ideal:
Caution-https://iase.disa.mil/stigs/Pages/contact.aspx
disa.stig_spt@mail.mil _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
I don't quite follow.
I thought that the OpenSCAP output was SCAP standard compliant since it's one of the validated scanners?
I guess I'm missing what they can't support? Is it the Data Streams, individual files, something else?
Trevor
On Fri, Aug 18, 2017 at 1:46 PM, Albrecht, Thomas C < thomas.c.albrecht@lmco.com> wrote:
Sadly, this is the response I expected. DISA is not being asked to support OpenSCAP. They're being asked to comply with SCAP, which, last time I checked, is a standard published by NIST.
Embrace and extend.
Tom A.
-----Original Message----- From: Paige, David B CTR USARMY ICOE (US) [mailto:david.b.paige.ctr@ mail.mil] Sent: Friday, August 18, 2017 1:36 PM To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: EXTERNAL: RE: [Non-DoD Source] Re: oscap output and STIG Viewer
OpenSCAP will not be supported. There is a benchmark in development which will correspond to the RHEL7 STIG.
-----Original Message----- From: Shawn Wells [mailto:shawn@redhat.com] Sent: Friday, August 18, 2017 9:13 AM To: scap-security-guide@lists.fedorahosted.org Subject: [Non-DoD Source] Re: oscap output and STIG Viewer
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
On 8/18/17 10:20 AM, Trevor Vaughan wrote:
Please do ask DISA to support the standard SCAP formats if at all possible.
I haven't been able to find any of their internal formats yet I'm trying to automate the generation of content for them.
This really is not helpful to their user base.
Having end-customers/users make the requests would be ideal:
Caution-https://iase.disa.mil/stigs/Pages/contact.aspx
disa.stig_spt@mail.mil _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists. fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@ lists.fedorahosted.org
Translated: Instead of adhering to the US Government mandated standard for continuous monitoring, DISA intends to develop their own proprietary content that only works with DISA provided tooling.
Further, instead of partnering with DoD, NSA, NIST, industry, and the actual vendor, DISA intends to redevelop an entire body of automation content internally with no oversight from DoD, and pay a private subcontractor to duplicate over 5 years of work.
On Aug 18, 2017, at 1:36 PM, Paige, David B CTR USARMY ICOE (US) david.b.paige.ctr@mail.mil wrote:
OpenSCAP will not be supported. There is a benchmark in development which will correspond to the RHEL7 STIG.
-----Original Message----- From: Shawn Wells [mailto:shawn@redhat.com] Sent: Friday, August 18, 2017 9:13 AM To: scap-security-guide@lists.fedorahosted.org Subject: [Non-DoD Source] Re: oscap output and STIG Viewer
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
On 8/18/17 10:20 AM, Trevor Vaughan wrote: Please do ask DISA to support the standard SCAP formats if at all possible.
I haven't been able to find any of their internal formats yet I'm trying to automate the generation of content for them.
This really is not helpful to their user base.
Having end-customers/users make the requests would be ideal:
Caution-https://iase.disa.mil/stigs/Pages/contact.aspx
disa.stig_spt@mail.mil _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org _______________________________________________ scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
scap-security-guide@lists.fedorahosted.org
-
Albrecht, Thomas C -
Matthew -
Paige, David B CTR USARMY ICOE (US) -
Shawn Wells -
Trevor Vaughan