Bug 1284045 - please add CNSS No. 1253 Profile from upstream
please add CNSS No. 1253 Profile from upstream
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: scap-security-guide (Show other bugs)
6.7
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Jan Lieskovsky
Marek Haicman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-20 11:06 EST by Andrew Shewmaker
Modified: 2016-05-10 17:40 EDT (History)
5 users (show)

See Also:
Fixed In Version: scap-security-guide-0.1.28-2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-10 17:40:36 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0846 normal SHIPPED_LIVE scap-security-guide bug fix update 2016-05-10 18:42:59 EDT

  None (edit)
Description Andrew Shewmaker 2015-11-20 11:06:29 EST
Description of problem:

The current version of the SCAP Security Guide does not include the CNSS No. 1253 Profile, which is available from upstream.

https://github.com/OpenSCAP/scap-security-guide/blob/master/RHEL/6/input/profiles/nist-CL-IL-AL.xml

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.21-3

How reproducible:

Always

Steps to Reproduce:

1. oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml 


Actual results:

Document type: XCCDF Checklist
Checklist version: 1.1
Status: draft
Generated: 2015-05-12
Imported: 2015-05-12T06:50:20
Resolved: true
Profiles:
CS2
common
server
stig-rhel6-server-upstream
usgcb-rhel6-server
rht-ccp
CSCF-RHEL6-MLS
C2S
Referenced check files:
ssg-rhel6-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5

Expected results:

List of profiles should include:

nist-cl-il-al

Additional info:
Comment 3 Šimon Lukašík 2015-11-23 06:13:50 EST
Moving to POST, this has been already done in upstream. Thanks Andrew for raising this.

Note, to enable profile in distribution we also need this: https://github.com/OpenSCAP/scap-security-guide/pull/863
Comment 6 Jan Lieskovsky 2015-12-09 07:23:36 EST
Another fix applicable to this profile (fixing invalid selectors):
  https://github.com/OpenSCAP/scap-security-guide/pull/904
Comment 8 Marek Haicman 2016-01-28 13:39:04 EST
Hello Iankko, I know it is just a nitpick, but would you consider changing a profile name a bit? With all other profile names we move to less abbreviated format, but this is left pretty dense... :)

Proposal [well, the abbreviation itself probably cannot be expanded in any reasonable way]:
CNSSI 1253 with criterions Low/Low/Low
Comment 9 Jan Lieskovsky 2016-02-03 09:07:49 EST
(In reply to Marek Haicman from comment #8)

@Marek

Thank you for checking this!

> Hello Iankko, I know it is just a nitpick, but would you consider changing a
> profile name a bit? With all other profile names we move to less abbreviated
> format, but this is left pretty dense... :)
> 
> Proposal [well, the abbreviation itself probably cannot be expanded in any
> reasonable way]:
> CNSSI 1253 with criterions Low/Low/Low

Would "CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 6"
form be acceptable instead?

Those "Low/Low/Low" categorizations are important there (since they specify the overlays we are using in this profile) [*]

[*] Refer to: https://www.cnss.gov/CNSS/openDoc.cfm?6pTJzXxAC8oPWmAm+YQAsQ==
(page #4) (Section "2.3 RELATIONSHIP BETWEEN BASELINES AND OVERLAYS" for clarification what that overlay means)

Thanks, Jan.
Comment 10 Marek Haicman 2016-02-03 09:26:55 EST
Hello Jan, it works for me just fine, thanks! :)
Comment 11 Jan Lieskovsky 2016-02-04 04:15:40 EST
(In reply to Marek Haicman from comment #10)
> Hello Jan, it works for me just fine, thanks! :)

Brilliant. Thanks for confirmation!

Upstream PR proposing this form is here:
  https://github.com/OpenSCAP/scap-security-guide/pull/1032
Comment 13 Marek Haicman 2016-02-16 06:30:34 EST
Verified there is "CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 6" profile in scap-security-guide-0.1.28-2.el6, and its content looks sane.
Comment 15 errata-xmlrpc 2016-05-10 17:40:36 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0846.html

Note You need to log in before you can comment on or make changes to this bug.