shawndwells
commented
6 years ago For example:
SSG takes a OpenControl-inspired YAML format and transforms it into XCCDF:
documentation_complete: true
prodtype: rhel7,fedora
title: 'Ensure SELinux State is Enforcing'
description: |-
The SELinux state should be set to <tt><sub idref="var_selinux_state" /></tt> at
system boot time. In the file <tt>/etc/selinux/config</tt>, add or correct the
following line to configure the system to boot into enforcing mode:
<pre>SELINUX=<sub idref="var_selinux_state" /></pre>
rationale: |-
Setting the SELinux state to enforcing ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges.
severity: high
identifiers:
cce@rhel7: 27334-2
references:
cis: 1.6.1.2
cui: 3.1.2,3.7.2
disa: 2165,2696
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
nist: AC-3,AC-3(3),AC-3(4),AC-4,AC-6,AU-9,SI-6(a)
srg: SRG-OS-000445-GPOS-00199
stigid@rhel7: "020210"
ocil_clause: 'SELINUX is not set to enforcing'
ocil: |-
Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears:
<pre>SELINUX=<sub idref="var_selinux_state" /></pre>Pairs that with an associated OVAL file:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/checks/oval/selinux_state.xml
<def-group>
<definition class="compliance" id="selinux_state" version="1">
<metadata>
<title>SELinux Enforcing</title>
<affected family="unix">
<platform>multi_platform_rhel</platform>
</affected>
<description>The SELinux state should be enforcing the local policy.</description>
</metadata>
<criteria operator="AND">
<criterion comment="enforce is disabled" test_ref="test_etc_selinux_config" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="/selinux/enforce is 1" id="test_etc_selinux_config" version="1">
<ind:object object_ref="object_etc_selinux_config" />
<ind:state state_ref="state_etc_selinux_config" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_etc_selinux_config" version="1">
<ind:filepath>/etc/selinux/config</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_etc_selinux_config" version="1">
<ind:subexpression datatype="string" operation="equals" var_check="all" var_ref="var_selinux_state" />
</ind:textfilecontent54_state>
<external_variable comment="external variable for selinux state"
datatype="string" id="var_selinux_state" version="1" />
</def-group>And a build system combines the two together, including other rules, into a consolidated SCAP datastream. Using this process means nobody needed to edit the 100K+ lines of XML to create content.
Similar story with OSCAL. Need a way to integrate OSCAL, SCAP, and remediation languages like Ansible and Chef. Today that work is happening in another project already (ComplianceAsCode).
In slide ware, looks like this:
Today the "Auditor Documents" are OpenControl-based. Can easily update to OSCAL.
Should the content community (where profiles would be developed, along with formal vendor/product responses) be developed here in the OSCAL repo or somewhere else?
david-waltermire
trevor-vaughan
anweiss
wendellpiez
aj-stein-nist
Creating a profile. such as FedRAMP or another agency (e.g. DHS 4300A) requires 5,000+ lines of XML.
Propose a shorthand build system be created. Something akin to how SCAP Security Guide decomposed XCCDF and OVAL rules into singular files that are merged together into specification-correct SCAP.
Currently to cumbersome to create profiles with existing workflow.
Does NIST envision authoritative content (e.g. profiles, like FedRAMP) to be created in this repo, or should an open source content project be created (aka fold this into the ComplianceAsCode efforts)?