[Open-scap] Comparing openSCAP content across versions

Robert Sanders rsanders at forcepoint.com
Tue Jun 19 18:57:38 UTC 2018


Hi all,
  Sorry for dropping off the radar on this topic for a bit.  Got caught up in other things at work.  Anyway, I've attached the output of my little comparison program, where I compared the content from the RHEL7.3 stig-rhel7-server-upstream content to the RHEL7.5 stig-rhel7-disa content.   My program is specifically looking for cases where the rule state (enabled/disabled/notpresent) differs, or where it can figure out that a variable used for the rule has changed (example - unlocktime).  Found some surprising results, as I mentioned before, and have finally gotten back around to making the results available.

  I've also gotten initial permission to make that program available to the group.  I need to clean it up a bit, as it is some of the ugliest Python code I've ever had the audacity to make public.  A case of a tool starting out to do one thing and winding up doing something different.  Once the rougher edges are off and final approval is given I'll post it.  The initial purpose was to give me a high-level comparison between different releases to see what may have changed in the content (example - upgrading from RHEL7.3 to RHEL7.5).  Things got distinctly messier when I realized the names of the profiles changed, and even more so when I added code to accept a tailoring file as an input.

  One of the surprising things I've noticed is that the following rules are enabled in the 7.3 content and disabled in the 7.5 content:

  - Direct root Logins Not Allowed
  - Ensure Red Hat GPG Key Installed
  - Make the auditd Configuration Immutable
  - Ensure SELinux Not Disabled in /etc/default/grub
  - Restrict Virtual Console Root Logins


  I don't see several of these in the RHEL7 V1R4 content from DISA either, so that may account for the missing entries - especially if the Red Hat content is supposed to track to the official STIG.  I do confess to being a bit surprised by some of the missing items.

  Anyway, attached is the output of my little checker, comparing the RHEL 7.3 'stig-rhel7-server-upstream' content with the RHEL7.5 'stig-rhel7-disa' content.  If nothing else it may be a useful sanity checker for comparing versions.  


Sincerely,
  Rob Sanders


Robert Sanders
Sr. Secure Systems Engineer

FORCEPOINT
T +1.703.896.4762
F +1.703.318.5041
www.forcepoint.com

FORWARD WITHOUT FEAR

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: RH73_RH75.txt
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20180619/d6bb500f/attachment.txt>
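The kind of check described in the message above, as an added example that is not the poster's program or any OpenSCAP/SSG tool: it resolves which rules an XCCDF 1.2 profile selects (following `extends`, expanding group selects, and applying refine-value selectors), optionally layers a tailoring profile on top, and then reports rules whose state (enabled/disabled/notpresent) or tied variable value differs between two content versions. The two benchmark fragments and the tailoring document are constructed inline with hypothetical `xccdf_example_*` identifiers; only the rule titles are taken from the list in the message. Because it walks the XCCDF namespace with `iter`, `load_benchmark` also accepts a datastream that embeds a Benchmark inline, but this example ignores the ancestor-group rule (a rule under an unselected group is still counted as selected).

```python
"""Report XCCDF rules whose selection state or tied variable value differs
between two versions of SCAP content (added example, not the poster's tool)."""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
X = "{%s}" % NS["x"]

# Constructed XCCDF fragments standing in for two content releases. The ids
# are hypothetical (xccdf_example_*); only the rule titles come from the post.
OLD_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_old">
  <Value id="xccdf_example_value_unlock_time">
    <value>600</value><value selector="900">900</value><value selector="1800">1800</value>
  </Value>
  <Profile id="xccdf_example_profile_stig-rhel7-server-upstream">
    <select idref="xccdf_example_group_login" selected="true"/>
    <select idref="xccdf_example_rule_audit_immutable" selected="true"/>
    <refine-value idref="xccdf_example_value_unlock_time" selector="900"/>
  </Profile>
  <Group id="xccdf_example_group_login">
    <Rule id="xccdf_example_rule_no_direct_root_logins"><title>Direct root Logins Not Allowed</title></Rule>
    <Rule id="xccdf_example_rule_securetty_root_login_console_only"><title>Restrict Virtual Console Root Logins</title></Rule>
  </Group>
  <Rule id="xccdf_example_rule_audit_immutable"><title>Make the auditd Configuration Immutable</title></Rule>
</Benchmark>"""
NEW_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_new">
  <Value id="xccdf_example_value_unlock_time">
    <value>600</value><value selector="900">900</value><value selector="1800">1800</value>
  </Value>
  <Profile id="xccdf_example_profile_stig-rhel7-disa">
    <select idref="xccdf_example_rule_securetty_root_login_console_only" selected="true"/>
    <select idref="xccdf_example_rule_sshd_disable_root_login" selected="true"/>
    <refine-value idref="xccdf_example_value_unlock_time" selector="1800"/>
  </Profile>
  <Group id="xccdf_example_group_login">
    <Rule id="xccdf_example_rule_no_direct_root_logins"><title>Direct root Logins Not Allowed</title></Rule>
    <Rule id="xccdf_example_rule_securetty_root_login_console_only"><title>Restrict Virtual Console Root Logins</title></Rule>
    <Rule id="xccdf_example_rule_sshd_disable_root_login"><title>Disable SSH Root Login</title></Rule>
  </Group>
  <Rule id="xccdf_example_rule_audit_immutable"><title>Make the auditd Configuration Immutable</title></Rule>
</Benchmark>"""
# Constructed tailoring: a site profile that re-enables one rule on top of the new profile.
TAILORING_XML = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_site">
  <Profile id="xccdf_example_profile_site" extends="xccdf_example_profile_stig-rhel7-disa">
    <select idref="xccdf_example_rule_no_direct_root_logins" selected="true"/>
  </Profile>
</Tailoring>"""
OLD_PROFILE = "xccdf_example_profile_stig-rhel7-server-upstream"
NEW_PROFILE = "xccdf_example_profile_stig-rhel7-disa"


def load_benchmark(xml_text):
    """Index rules (title, default 'selected'), group membership, Value choices and profiles."""
    root = ET.fromstring(xml_text)
    bench = {"rules": {}, "groups": {}, "values": {}, "profiles": {}}
    for group in root.iter(X + "Group"):  # nested groups list every rule beneath them
        bench["groups"][group.get("id")] = [r.get("id") for r in group.iter(X + "Rule")]
    for rule in root.iter(X + "Rule"):
        title = rule.findtext("x:title", default=rule.get("id"), namespaces=NS)
        bench["rules"][rule.get("id")] = (title, rule.get("selected", "false") == "true")
    for val in root.iter(X + "Value"):  # selector "" is the default <value>
        bench["values"][val.get("id")] = {v.get("selector", ""): v.text for v in val.findall("x:value", NS)}
    for prof in root.iter(X + "Profile"):
        bench["profiles"][prof.get("id")] = prof
    return bench


def resolve_profile(bench, profile_id, tailoring_xml=None):
    """Return ({rule_id: selected}, {value_id: effective value}) for one profile.
    Profiles along the `extends` chain are applied base-first; a Tailoring
    profile is just one more link at the end of that chain."""
    profiles = dict(bench["profiles"])
    if tailoring_xml is not None:
        for prof in ET.fromstring(tailoring_xml).iter(X + "Profile"):
            profiles[prof.get("id")] = prof
    chain, pid = [], profile_id
    while pid is not None:
        chain.append(profiles[pid])
        pid = profiles[pid].get("extends")
    selected = {rid: default for rid, (_, default) in bench["rules"].items()}
    refined = {vid: choices.get("") for vid, choices in bench["values"].items()}
    for prof in reversed(chain):
        for sel in prof.findall("x:select", NS):
            idref = sel.get("idref")  # a group idref selects every rule beneath it
            for rid in bench["groups"].get(idref, [idref]):
                if rid in selected:
                    selected[rid] = sel.get("selected") == "true"
        for rv in prof.findall("x:refine-value", NS):
            vid, choices = rv.get("idref"), bench["values"].get(rv.get("idref"), {})
            refined[vid] = choices.get(rv.get("selector", ""), refined.get(vid))
    return selected, refined


def state(selected, rid):
    return "notpresent" if rid not in selected else ("enabled" if selected[rid] else "disabled")


def compare_profiles(old_bench, old_profile, new_bench, new_profile, old_tailoring=None, new_tailoring=None):
    """Lists of (title, old_state, new_state) and (value_id, old_value, new_value) that differ."""
    old_sel, old_val = resolve_profile(old_bench, old_profile, old_tailoring)
    new_sel, new_val = resolve_profile(new_bench, new_profile, new_tailoring)
    rule_diffs = []
    for rid in sorted(set(old_sel) | set(new_sel)):
        was, now = state(old_sel, rid), state(new_sel, rid)
        if was != now:
            rule_diffs.append(((new_bench["rules"].get(rid) or old_bench["rules"][rid])[0], was, now))
    value_diffs = [(vid, old_val.get(vid), new_val.get(vid)) for vid in sorted(set(old_val) | set(new_val))
                   if old_val.get(vid) != new_val.get(vid)]
    return rule_diffs, value_diffs


def run_comparison(tailoring_xml=None, new_profile=NEW_PROFILE):
    """Compare the constructed old and new content, optionally with a tailoring on the new side."""
    return compare_profiles(load_benchmark(OLD_XML), OLD_PROFILE, load_benchmark(NEW_XML),
                            new_profile, new_tailoring=tailoring_xml)


if __name__ == "__main__":
    rules, values = run_comparison()
    for title, was, now in rules:
        print("RULE  %-40s %-10s -> %s" % (title, was, now))
    for vid, was, now in values:
        print("VALUE %-40s %-10s -> %s" % (vid, was, now))
    print("with tailoring:", run_comparison(TAILORING_XML, "xccdf_example_profile_site")[0])
```

Run against real content, the same functions take the two datastream files and the two (renamed) profile ids; the tailoring path shows why a tailoring file has to be resolved before the diff, since a site override can make a "disabled in 7.5" rule disappear from the report.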