[Open-scap] CNSSI-1253 Profile being developed for RHEL7 Workstation?
Malin, Alex Barry
amalin at lanl.gov
Thu Feb 11 20:21:44 UTC 2016
> On Feb 11, 2016, at 3:46 AM, Jan Lieskovsky <jlieskov at redhat.com> wrote:
>
>
> Hello Mike,
>
> thank you for reaching out.
>
> ----- Original Message -----
>> From: "Mike Kuhnkey" <mkuhnkey at gmail.com>
>> To: open-scap-list at redhat.com
>> Sent: Thursday, February 11, 2016 10:59:00 AM
>> Subject: [Open-scap] CNSSI-1253 Profile being developed for RHEL7 Workstation?
>>
>> Noticed the CNSSI-1253 profile is available for RHEL6. Is it possible to
>> carry the profile forward to RHEL7?
>
> The CNSS No.1253 profile from RHEL-6 has not been ported to RHEL-7
> system in SSG upstream yet. The corresponding upstream ticket is:
> [1] https://github.com/OpenSCAP/scap-security-guide/issues/858
>
> So I would recommend to watch progress done there.
We have a timely interest interest in the RHEL 7 CNSS-I-1253 profile as well, as we transition in 2016 to “ongoing authorization” supported by continuous monitoring.
My understanding is that CNSS-I-1253 compliance is required for all US Gov. national security systems, and that organizations will also need some way to validate configuration and test for software vulnerabilities to meet continuous monitoring requirements. I’m a bit unclear if/how this applies to DOD, where the STIGs still seem to rule?
>
>> What I’m particularly interested in is modifications of CNSSI-1253
>> low/low/low to increased levels/controls.
>
> Also interested in modifications of existing RHEL-6 CNSS No.1253 profile
> against different overlays? Or is this question just RHEL-7 specific?
> (IOW aforementioned answer(s) hold).
Ideally the RHEL-6 CNSS No.1253 profile would offer tests for systems at high/high/high, and all overlays, then sites could deselect the tests not required.
Alex Malin
Los Alamos National Laboratory
More information about the Open-scap-list
mailing list