Closed shawndwells closed 6 years ago
Is the source reference at the top for the FAQ from the preceding entry?
Hey @jmackani, yes, that's from another entry.
Looks like this one: https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel7/profiles/stig-rhvh-upstream.xml
```xml
<Profile id="stig-rhevh-upstream" extends="stig-rhel7-disa">
<title override="true">STIG for Red Hat Virtualization Hypervisor</title>
<description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.<br /><br />
<p>
<strong>Where is the RHV-H STIG?</strong>
<ul>
<li>Question: May I deploy a product if no STIG exists?<br />
Answer: Yes, based on mission need and with DAA approval.
</li>
<li>Question: What do I use if there is no STIG?<br />
Answer: DISA FSO developed Security Requirement Guides (SRGs) to address technology areas. In the absence of a STIG, an SRG can be used to determine compliance with DoD policies. If there is no applicable SRG or STIG, industry or vendor recommended practices may be used. Examples include Center for Internet Security Benchmarks, Payment Card Industry requirements or the vendor's own security documentation.
</li>
</ul>
<small>Source: http://iase.disa.mil/stigs/Pages/faqs.aspx#STIG</small>
</p>
</description>
<!-- DISA FSO REFINEMENT VALUES
The following refine-values tailor the NIAP OSPP profile
to DoD-specific settings, as deemed approriate by DISA FSO (RE71) -->
<!-- END DISA FSO REFINEMENT VALUES -->
</Profile>
```
Copy that.
If the "USGCB" profile is indeed no longer in draft — closest thing I can find is https://nvd.nist.gov/ncp/checklist/811 — perhaps the name "NIST 800-53/FISMA Moderate Recommendations for Red Hat Enterprise Linux 7 (RHEL7)" could be used (or some other appropriate name, id, and description).
I have attached a side-by-side comparison of profiles as of master branch commit e9696f954e80e79cda2c93879cf43eca1af8af45. A (very) wide display works best.
ssg-rhel7-profile-comparison.zip
That stig-rhevh-upstream profile description previously mentioned has malformed HTML, btw. `<ul>` cannot appear within `<p>`.
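A small lint check for the nesting problem raised above, as an added example that is not part of this thread or of the scap-security-guide project. It parses a Profile fragment with the standard-library XML parser and flags HTML block-level elements (`ul`, `ol`, `table`, and so on) that sit inside a `<p>` in the `<description>`. The `SAMPLE_PROFILE` is a constructed, trimmed copy of the profile quoted earlier; `FIXED_PROFILE` is one assumed way to repair it (closing the `<p>` before the list); the `BLOCK_ELEMENTS` set and the helper names are this example's own assumptions, not anything defined by XCCDF or SSG.

```python
"""Lint the XHTML markup inside XCCDF <description> elements.

Example code, not SSG/OpenSCAP code. The markup below is well-formed XML,
so the XCCDF build tools accept it, but HTML forbids block-level elements
inside <p>: a browser implicitly closes the <p> when <ul> starts, so the
rendered structure no longer matches what the XML says.
"""
import xml.etree.ElementTree as ET

# HTML block-level elements that must not be descendants of <p>.
# (Assumed set for this check; extend as needed.)
BLOCK_ELEMENTS = {
    "p", "ul", "ol", "li", "div", "table", "pre", "blockquote",
    "h1", "h2", "h3", "h4", "h5", "h6",
}

# Constructed sample, trimmed from the profile quoted in this thread.
SAMPLE_PROFILE = """<Profile id="stig-rhevh-upstream" extends="stig-rhel7-disa">
<title override="true">STIG for Red Hat Virtualization Hypervisor</title>
<description override="true">This is a *draft* profile for STIG.<br /><br />
<p>
<strong>Where is the RHV-H STIG?</strong>
<ul>
<li>Question: May I deploy a product if no STIG exists?<br />
Answer: Yes, based on mission need and with DAA approval.
</li>
</ul>
<small>Source: http://iase.disa.mil/stigs/Pages/faqs.aspx#STIG</small>
</p>
</description>
</Profile>
"""

# Assumed repair: close the <p> before the list and put the source note
# in its own paragraph.
FIXED_PROFILE = """<Profile id="stig-rhevh-upstream" extends="stig-rhel7-disa">
<title override="true">STIG for Red Hat Virtualization Hypervisor</title>
<description override="true">This is a *draft* profile for STIG.<br /><br />
<p><strong>Where is the RHV-H STIG?</strong></p>
<ul>
<li>Question: May I deploy a product if no STIG exists?<br />
Answer: Yes, based on mission need and with DAA approval.
</li>
</ul>
<p><small>Source: http://iase.disa.mil/stigs/Pages/faqs.aspx#STIG</small></p>
</description>
</Profile>
"""


def local_name(tag):
    """Strip a namespace prefix such as '{http://...}ul' down to 'ul'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """Return the first direct child with the given local name, or None."""
    for child in elem:
        if local_name(child.tag) == name:
            return child
    return None


def find_block_in_p(description):
    """Return [(path, tag)] for block elements nested inside a <p>.

    Only the outermost offending element is reported; its own children
    (e.g. the <li> under a misplaced <ul>) move with it when it is fixed.
    """
    violations = []

    def walk(elem, path, inside_p):
        name = local_name(elem.tag)
        if inside_p and name in BLOCK_ELEMENTS:
            violations.append(("/".join(path), name))
            return
        for child in elem:
            walk(child, path + [name], inside_p or name == "p")

    for child in description:
        walk(child, ["description"], False)
    return violations


def lint_profile(xml_text):
    """Parse one <Profile> fragment and return id, title and violations."""
    root = ET.fromstring(xml_text)
    title = _child(root, "title")
    description = _child(root, "description")
    return {
        "id": root.get("id"),
        "title": title.text if title is not None else None,
        "violations": find_block_in_p(description) if description is not None else [],
    }


if __name__ == "__main__":
    for label, text in (("original", SAMPLE_PROFILE), ("fixed", FIXED_PROFILE)):
        report = lint_profile(text)
        print(label, report["id"], report["violations"])
```

Run against a real `rhel7/profiles/*.xml` file, the check needs only `ET.parse(path).getroot()` in place of `ET.fromstring`; if the file declares an XHTML or XCCDF namespace, `local_name` already strips it.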