Using OpenSCAP to audit against new RHEL 8 V1R13 STIG

[permanentdaylight]

Hello, I have a quick question around auditing new STIGs. We are currently auditing against the RHEL8 STIG V1R12 by using the ssg-rhel8-ds.xml file that you fine folks provide (against the xccdf_org.ssgproject.content_profile_stig profile). We would like to audit against the V1R13 STIG but the xml file provided by cybermil is quite different than the ssg-rhel8-ds.xml STIG.

So what's the process here? I'm new to the ecosystem and trying to wrap my head around how the ssg-rhel8-ds.xml datastream file is created. Is it safe to say downstream teams like yourself will consume the new V1R13 STIG and eventually release an updated ssg-rhel8-ds policy file? Any and all information around this processes is welcome! Thanks.

• Ryan

[Mab879]

Thanks for the question and I'm glad that this project is helpful to you.

The STIG profile in the ssg-rhel8-ds.xml file is not directly based on the SCAP (or any other) automated content that DISA provides. It based on the interpretation of the manual SCAP content (the wording of the STIG) by the developers from this project. The developers of this project come the OS vendors (such as Red Hat, SUSE, Oracle, Canonical, among others) and community members who contribute content. We create the OVAL checks, the remedations (Bash, Ansible, etc), and the prose used the ssg-rhel8-ds.xml.

As for the updates from V1R13 for RHEL 8 those were done in #11478 and will be in the in v0.1.72 release of this project. v0.1.72 should come out this Friday (9 February 2024). The content should it make to RHEL, however I can't comment on the timeline of that process.

[permanentdaylight]

@Mab879 thanks for your thoughtful answer! So, in other words, DISA releases a STIG and the community-driven efforts from the OpenSCAP and ComplianceAsCode frameworks and tooling help automate the auditing against it.

Thanks for the v0.1.72 update! We are coming from using the CISCAT tool and it was a bit easier with that to actually figure out WHAT the audit was doing - e.g. what command was being run on the machine under test to produce the audit result - be hit bash, linux commands, etc. So this is all very helpful translating how a STIG correlates to the ssg-rhel8-ds.xmlfile; I'm sure we will understand it better once we get our heads around all the tooling/xml/oval.

The content should it make to RHEL, however I can't comment on the timeline of that process.

Sorry, can you clarify what you mean by this? Not sure I follow.

[Mab879]

The content should it make to RHEL, however I can't comment on the timeline of that process.

Sorry, can you clarify what you mean by this? Not sure I follow.

This project is what populates the scap-security-guide package in RHEL.