ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

rhel 7.5 beta: usgcb no longer draft, needs updated description #2571

Closed shawndwells closed 6 years ago

shawndwells commented 6 years ago

[image]

jmackani commented 6 years ago

Is the source reference at the top for the FAQ from the preceding entry?

Sent from my iPad

On Jan 24, 2018, at 7:18 PM, Shawn Wells notifications@github.com wrote:


shawndwells commented 6 years ago

Hey @jmackani, yes, that's from another entry.

Looks like this one: https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel7/profiles/stig-rhvh-upstream.xml

<Profile id="stig-rhevh-upstream" extends="stig-rhel7-disa">
<title override="true">STIG for Red Hat Virtualization Hypervisor</title>
<description override="true">This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.<br /><br />

<p>
    <strong>Where is the RHV-H STIG?</strong>
    <ul>
        <li>Question: May I deploy a product if no STIG exists?<br />
            Answer: Yes, based on mission need and with DAA approval.
        </li>
        <li>Question: What do I use if there is no STIG?<br />
            Answer: DISA FSO developed Security Requirement Guides (SRGs) to address technology areas. In the absence of a STIG, an SRG can be used to determine compliance with DoD policies. If there is no applicable SRG or STIG, industry or vendor recommended practices may be used. Examples include Center for Internet Security Benchmarks, Payment Card Industry requirements or the vendor's own security documentation.
        </li>
    </ul>
    <small>Source: http://iase.disa.mil/stigs/Pages/faqs.aspx#STIG</small>
</p>
</description>

<!-- DISA FSO REFINEMENT VALUES
     The following refine-values tailor the NIAP OSPP profile
     to DoD-specific settings, as deemed appropriate by DISA FSO (RE71) -->
<!-- END DISA FSO REFINEMENT VALUES -->

</Profile>

jmackani commented 6 years ago

Copy that.

Sent from my iPad


GaryGapinski commented 6 years ago

If the "USGCB" profile is indeed no longer in draft — closest thing I can find is https://nvd.nist.gov/ncp/checklist/811 — perhaps the name "NIST 800-53/FISMA Moderate Recommendations for Red Hat Enterprise Linux 7 (RHEL7)" could be used (or some other appropriate name, id, and description).

I have attached a side-by-side comparison of profiles as of master branch commit e9696f954e80e79cda2c93879cf43eca1af8af45. A (very) wide display works best.

ssg-rhel7-profile-comparison.zip

That stig-rhevh-upstream profile description previously mentioned has malformed HTML, btw. <ul> cannot appear within <p>.
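As an added example (not code from the ComplianceAsCode project or from any participant in this thread), the following Python script parses a Profile snippet shaped like the one quoted above and reports the two problems the thread raises: a description that still calls the profile a draft, and HTML block elements such as <ul> nested inside <p>, which XML parsers accept but HTML does not. The sample profile text, the placeholder source URL and the corrected variant are constructed for the example; BLOCK_ELEMENTS is this script's own list of HTML flow elements.

```python
"""Audit an XCCDF <Profile> snippet for a lingering "draft" description and for
HTML block elements nested inside <p>. Added example, not project code."""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the profile quoted in the thread (not the
# repository file); the <ul> inside <p> is the defect GaryGapinski points out.
SAMPLE_PROFILE = """<Profile id="stig-rhevh-upstream" extends="stig-rhel7-disa">
<title override="true">STIG for Red Hat Virtualization Hypervisor</title>
<description override="true">This is a *draft* profile for STIG.<br /><br />
<p>
    <strong>Where is the RHV-H STIG?</strong>
    <ul>
        <li>Question: May I deploy a product if no STIG exists?<br />
            Answer: Yes, based on mission need and with DAA approval.</li>
    </ul>
    <small>Source: https://example.invalid/stig-faq (placeholder URL)</small>
</p>
</description>
</Profile>
"""

# Constructed corrected variant: "draft" wording removed, list moved out of <p>.
FIXED_PROFILE = """<Profile id="stig-rhevh-upstream" extends="stig-rhel7-disa">
<title override="true">STIG for Red Hat Virtualization Hypervisor</title>
<description override="true">This profile is developed under the DoD consensus model.<br /><br />
<p><strong>Where is the RHV-H STIG?</strong></p>
<ul>
    <li>Question: May I deploy a product if no STIG exists?<br />
        Answer: Yes, based on mission need and with DAA approval.</li>
</ul>
<p><small>Source: https://example.invalid/stig-faq (placeholder URL)</small></p>
</description>
</Profile>
"""

# HTML flow (block-level) elements; an opening tag for any of these implicitly
# closes an open <p>, so none of them can legitimately be a child of <p>.
BLOCK_ELEMENTS = {"p", "ul", "ol", "dl", "div", "table", "pre", "blockquote",
                  "h1", "h2", "h3", "h4", "h5", "h6"}


def _local(tag):
    """Drop a namespace prefix such as '{http://www.w3.org/1999/xhtml}' if present."""
    return tag.rsplit("}", 1)[-1]


def find_block_in_p(profile_xml):
    """Return (profile_id, field, tag) for every block element found under a <p>
    inside the profile's <title> or <description>."""
    root = ET.fromstring(profile_xml)
    profile_id = root.get("id", "<no id>")
    findings = []
    for holder in root.iter():
        field = _local(holder.tag)
        if field not in ("title", "description"):
            continue
        for p in holder.iter():
            if _local(p.tag) != "p":
                continue
            # p.iter() yields p itself first, then all descendants in document order.
            for child in p.iter():
                if child is not p and _local(child.tag) in BLOCK_ELEMENTS:
                    findings.append((profile_id, field, _local(child.tag)))
    return findings


def mentions_draft(profile_xml):
    """True if the description's text (including text inside nested tags) still
    calls the profile a draft."""
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        if _local(elem.tag) == "description":
            return "draft" in "".join(elem.itertext()).lower()
    return False


def audit(profile_xml):
    """Run both checks and return them as one report dict."""
    return {"draft": mentions_draft(profile_xml),
            "block_in_p": find_block_in_p(profile_xml)}


if __name__ == "__main__":
    for name, xml_text in (("as quoted", SAMPLE_PROFILE), ("corrected", FIXED_PROFILE)):
        print(name, audit(xml_text))
```

Run against the quoted shape the report flags the draft wording and the <ul> under <p>; against the corrected variant it is clean. The same two functions can be pointed at any profile file's <Profile> element to catch a description that was never updated after a profile left draft status.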