Bug 1284045

Summary: please add CNSS No. 1253 Profile from upstream
Product: Red Hat Enterprise Linux 6 Reporter: Andrew Shewmaker <shewa>
Component: scap-security-guide Assignee: Jan Lieskovsky <jlieskov>
Status: CLOSED ERRATA QA Contact: Marek Haicman <mhaicman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.7 CC: jlieskov, ksrot, mhaicman, openscap-maint, slukasik
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.28-2.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-10 21:40:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrew Shewmaker 2015-11-20 16:06:29 UTC
Description of problem:

The current version of the SCAP Security Guide does not include the CNSS No. 1253 Profile, which is available from upstream.

https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/profiles/nist-CL-IL-AL.xml

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.21-3

How reproducible:

Always

Steps to Reproduce:

1. oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml 


Actual results:

Document type: XCCDF Checklist
Checklist version: 1.1
Status: draft
Generated: 2015-05-12
Imported: 2015-05-12T06:50:20
Resolved: true
Profiles:
CS2
common
server
stig-rhel6-server-upstream
usgcb-rhel6-server
rht-ccp
CSCF-RHEL6-MLS
C2S
Referenced check files:
ssg-rhel6-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5

Expected results:

List of profiles should include:

nist-cl-il-al

Additional info:

Comment 3 Šimon Lukašík 2015-11-23 11:13:50 UTC
Moving to POST, this has been already done in upstream. Thanks Andrew for raising this.

Note, to enable profile in distribution we also need this: https://github.com/OpenSCAP/scap-security-guide/pull/863

Comment 6 Jan Lieskovsky 2015-12-09 12:23:36 UTC
Another fix applicable to this profile (fixing invalid selectors):
  https://github.com/OpenSCAP/scap-security-guide/pull/904

Comment 8 Marek Haicman 2016-01-28 18:39:04 UTC
Hello Iankko, I know it is just a nitpick, but would you consider changing a profile name a bit? With all other profile names we move to less abbreviated format, but this is left pretty dense... :)

Proposal [well, the abbreviation itself probably cannot be expanded in any reasonable way]:
CNSSI 1253 with criterions Low/Low/Low

Comment 9 Jan Lieskovsky 2016-02-03 14:07:49 UTC
(In reply to Marek Haicman from comment #8)

@Marek

Thank you for checking this!

> Hello Iankko, I know it is just a nitpick, but would you consider changing a
> profile name a bit? With all other profile names we move to less abbreviated
> format, but this is left pretty dense... :)
> 
> Proposal [well, the abbreviation itself probably cannot be expanded in any
> reasonable way]:
> CNSSI 1253 with criterions Low/Low/Low

Would "CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 6"
form be acceptable instead?

Those "Low/Low/Low" categorizations are important there (since they specify the overlays we are using in this profile) [*]

[*] Refer to: https://www.cnss.gov/CNSS/openDoc.cfm?6pTJzXxAC8oPWmAm+YQAsQ==
(page #4) (Section "2.3 RELATIONSHIP BETWEEN BASELINES AND OVERLAYS" for clarification what that overlay means)

Thanks, Jan.

Comment 10 Marek Haicman 2016-02-03 14:26:55 UTC
Hello Jan, it works for me just fine, thanks! :)

Comment 11 Jan Lieskovsky 2016-02-04 09:15:40 UTC
(In reply to Marek Haicman from comment #10)
> Hello Jan, it works for me just fine, thanks! :)

Brilliant. Thanks for confirmation!

Upstream PR proposing this form is here:
  https://github.com/OpenSCAP/scap-security-guide/pull/1032

Comment 13 Marek Haicman 2016-02-16 11:30:34 UTC
Verified there is "CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 6" profile in scap-security-guide-0.1.28-2.el6, and its content looks sane.
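
The reproduction step in the description can be turned into a scripted check. The following is an added example, not part of the original report or of scap-security-guide: it extracts the profile IDs from `oscap info` output in the one-ID-per-line layout quoted in the description and tests for one ID by exact match. The function names and the indentation of the embedded sample are assumptions.

```shell
#!/bin/sh
# Constructed sample: the `oscap info` output quoted in the description,
# shortened; the indentation is an assumption.
sample_info() {
cat <<'EOF'
Document type: XCCDF Checklist
Checklist version: 1.1
Status: draft
Profiles:
    CS2
    common
    server
    stig-rhel6-server-upstream
    usgcb-rhel6-server
    rht-ccp
    CSCF-RHEL6-MLS
    C2S
Referenced check files:
    ssg-rhel6-oval.xml
        system: http://oval.mitre.org/XMLSchema/oval-definitions-5
EOF
}

# Read `oscap info` output on stdin and print one profile ID per line.
# The section starts after "Profiles:" and ends at the next line that
# contains a colon (the next header), so it works whether or not the
# IDs are indented.
list_profiles() {
    awk '
        /^Profiles:/ { in_p = 1; next }
        in_p && /:/  { in_p = 0 }
        in_p && NF   { gsub(/^[ \t]+|[ \t\r]+$/, ""); print }
    '
}

# Exact, case-sensitive, whole-line match: "server" must not be satisfied
# by "stig-rhel6-server-upstream", and "CS2" is not "C2S".
has_profile() {
    list_profiles | grep -Fxq -- "$1"
}

# On a real system (path taken from the report):
#   oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml | has_profile nist-cl-il-al
sample_info | has_profile nist-cl-il-al || echo "nist-cl-il-al: profile missing"
```

Against the sample, which reproduces the "Actual results" of the report, the last line prints the "profile missing" message.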

Comment 15 errata-xmlrpc 2016-05-10 21:40:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0846.html