Feature Request: PCI or other openscap profiles? #13
Comments
|
I had planned to add them in here shortly - now that the RHEL STIG is finalized I can add them to the menu and update the classification banners for PCI and HIPPA profiles. |
|
There is color scheme associated with the DoD/IC for classification levels - I was thinking about using a light grey or white background with black text for PCI or HIPPA. Any opinions? |
|
I think the nice rainbow series would be kind of cool. In the old days there were the rainbow books
Thomas J Munn
… On May 13, 2017, at 10:56, Frank Caviggia ***@***.***> wrote:
There is color scheme associated with the DoD/IC for classification levels - I was thinking about using a light grey or white background with black text for PCI or HIPPA. Any opinions?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Thomas - I'm just going to try to work in the profiles built-in to SCAP Security Guide (SSG) :
I will also add the classification banners for PCI and HIPPA data on the classification-banner. Selecting those profiles would not allow anything above 'Unclassified' as the STIG would be the general requirement for that. |
|
I think that it makes sense to use the colors of people used to. I was just thinking we kind of cool they have the rainbow series for the military stuff.
I really appreciate the work you're doing on this. I would like to collaborate with you perhaps on a document on how to get a system ready for Azure. or even more interestingly work with you on getting a kickstart file that will get all the things ready for an azure cloud native experience.
I have some very clever ansible scripts that automate make much of the drudgery of creating azure secure images much simpler.
The images that I used for the base seem to be much more stable, secure, and easier to use than the stock CentOs that seems to ship by default on azure.
I can continue to provide test images as well as feedback on how well we do if you would like to go down this road.
what would be of especial interest to me would be getting ansible install natively so we could do very interesting things post install after we have a network connection.
This enables people to configure things post install without having to bother you.
Slso is there a way to fix the openscap remediation Scripts? They seem to be quite erroneous on a number of issues even if I fix them. I suspect that the regexes are incorrectly made.
Thomas J Munn
… On May 16, 2017, at 16:50, Frank Caviggia ***@***.***> wrote:
Thomas - I'm just going to try to work in the profiles built-in to SCAP Security Guide (SSG) :
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
https://static.open-scap.org/openscap-1.0/oscap_user_manual.html#_displaying_information_scap_content
I will also add the classification banners for PCI and HIPPA data on the classification-banner. Selecting those profiles would not allow anything above 'Unclassified' as the STIG would be the general requirement for that.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Thomas, It's probably something good to think about - I've extended these scripts at MITRE with packer to handle VMs (QEMU/KVM/Xen, VirtualBox, VMware) and AMIs (AWS) - I just have to do all the work to get legal happy (re-doing banners, etc.) with me open sourcing the scripts. I think that might be a good direction to take things as it worked out extremely well for the MITRE project I extended them for. I have had to redress misconfigurations in SCAP Security Guide hardening quite a bit (usually in the supplemental.sh script) - I haven't had the time to go back and deal with all of those issues in the upstream, which constantly change with every release. I think it's partly a limitation with SCAP, XCCDF, and OVAL (even though they are MITRE standards, it is my opinion that those standards are over-complicated and hard to maintain) - I've been working with Aaron at MITRE (@aaronlippold) to make Chef InSpec as tie in between the security scanning engine and the CM tie in (via Kitchen to Chef, Ansible, Puppet, etc.) after installation. Also Steven (@stephenwb) has some great ideas that I'm interested in implementing in a re-design at some point. I might even totally revamp the hardening scripts that I developed for RHEL 6 into something that work work for RHEL 6/8 - something Steven and I discussed at one point. At some point, maybe next month I think we need to organize a meet up in DC and try to figure out where things are going and how we can re-organize things I really only intended that this install be the initial installation proper patching, CM tooling, and continuous monitoring are required to make systems maintainable long term. Just my two cents. -Frank |
I would be willing to work on this but don't know how to convert say a PCI or a HIPAA compliance profile in the script. Would be willing to work for food.
The text was updated successfully, but these errors were encountered: