SCAP-Security-Guide (SSG) contains configuration hardening advice for Red Hat Enterprise Linux 7 and other products. Some customers are contributing fixes directly to upstream. The expectation is that we ship these fixes/improvements along with the RHEL update release.
SCAP-Security-Guide (SSG) is a low-risk rebase component. There is no API or ABI; the product is a set of XML files used with OpenSCAP or other SCAP scanners.
The version currently in RHEL7 is 0.1.30, https://github.com/OpenSCAP/scap-security-guide/compare/v0.1.30...master shows changes in upstream since then.
This would also fix:
How do we get release notes created for the rebase of SCAP Security Guide?
This rebase brings in previously unavailable compliance profiles that should be documented.
OK. I don't have VPN access currently, so I will log in on Monday and use the template. I am mostly planning to document the new and rebased profiles available in RHEL 7.4 (e.g. STIG and USGCB draft).
Mirek, here is a first stab at content. Review from yourself and Watson is appreciated.
SCAP Security Guide v0.1.33 enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines.
- PCI-DSS v3 Control Baseline
- U.S. Government Commercial Cloud Services (C2S)
- Red Hat Corporate Profile for Certified Cloud Providers
- NEW: DISA STIG for Red Hat Enterprise Linux 7, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1
- NEW: United States Government Configuration Baseline (USGCB / STIG) - DRAFT
This profile is developed in partnership with the U.S. National Institute of Standards and Technology (NIST), the U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB is intended to be the core set of security-related configuration settings with which all federal agencies should comply.
This baseline implements configuration requirements from the following documents:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)
For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen.
- NEW: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified
Thank you Shawn.
Looks good to me.
One thing that may be worth mentioning is that some profiles were removed or merged. People will come asking for them, and it would be good to point out, for each removed profile, which profiles they should go for now.
Regression and sanity checks of version scap-security-guide-0.1.33-5.el7.noarch were performed. Multiple new issues were found and reported.
Most important ones:
https://bugzilla.redhat.com/show_bug.cgi?id=1465402 (incompatibility of SSG with oscap-anaconda-addon)
https://bugzilla.redhat.com/show_bug.cgi?id=1465675 (audit rules failing remediation)
https://bugzilla.redhat.com/show_bug.cgi?id=1465686 (various rules missing/failing remediations)
None of them are blocking issues though, switching to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.