DoD RHEL6 STIG Consensus call tomorrow - Thurs 25OCT


shawn....@gmail.com

Oct 24, 2012, 1:35:38 PM10/24/12
to mil...@googlegroups.com
Hello,

     As you may be aware, development efforts for the Red Hat Enterprise Linux 6 (RHEL6) STIG have been occurring over the past several months. The draft content has been developed through an open source project, called the SCAP Security Guide [1], with partnership from NSA, DISA FSO, Red Hat, and other interested parties.

     In the theme of transparency, and as part of the DoD Consensus Process, we will be hosting a public call to receive user feedback on the latest draft content. This is your chance to influence settings, including the voicing of concerns relating to any impact the STIG may have on daily operations. While last minute, we realized that mailing lists such as this would be a great place to spread awareness of the call.

     The current draft of the RHEL6 STIG is located at:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-rhel6-stig-server.html

     We are actively seeking feedback in areas such as:
- Do you feel any of the proposed settings would have a negative mission impact?
- Are the proposed settings operationally feasible?
- Is there anything we forgot?

     To RSVP for the public DoD Consensus call, occurring Thursday 25-OCT at 1100 EST, please reach out to either of the following:
Shawn Wells - Red Hat - sh...@redhat.com
Jeffrey Blank - NSA IAD - bl...@eclipse.ncsc.mil

Regards,
Shawn

[1] https://fedorahosted.org/scap-security-guide/
-- 
Shawn Wells
Technical Director,
U.S. Intelligence Programs
(e) sh...@redhat.com
(c) 443.534.0130

John Janek

Oct 25, 2012, 9:59:22 AM10/25/12
to mil...@googlegroups.com
Thanks for this information, great news to hear so much effort has been put towards building a RHEL6 STIG.  Out of curiosity, has anyone done a delta between the RHEL5 STIG and the new one?  What's changed?

-John

--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+u...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
 
www.mil-oss.org

shawn....@gmail.com

Oct 25, 2012, 10:19:25 AM10/25/12
to mil...@googlegroups.com
On 10/25/12 9:59 AM, John Janek wrote:
> Thanks for this information, great news to hear so much effort has
> been put towards building a RHEL6 STIG. Out of curiosity, has anyone
> done a delta between the RHEL5 STIG and the new one? What's changed?
>
Actually, yes:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-rhel5-stig-manual-withnotes.html

Last column reflects our notes on what should get dropped or carry
forward for RHEL6.

ben

Dec 11, 2012, 7:55:36 PM12/11/12
to mil...@googlegroups.com
I will caveat the following with the fact that I have not read the draft STIG and it has been 2 years since I STIG'd a RHEL 5 machine from scratch: 

Will the new STIG still mandate insane file and directory permissions/ownership so that a user cannot traverse the directory tree and execute system commands resulting in them needing to be root at all times?

I hate having all our logs say user 'root' did something. It kind of defeats the purpose of auditing. It would be nice to be able to use sudo properly and traverse the directory tree and run common commands, as a user instead of root.

simo...@gmail.com

Dec 11, 2012, 7:59:16 PM12/11/12
to mil...@googlegroups.com
They expect to get it done by May 2013.
Sent via BlackBerry from T-Mobile

Date: Tue, 11 Dec 2012 16:55:36 -0800 (PST)
Subject: [mil-oss] Re: DoD RHEL6 STIG Consensus call tomorrow - Thurs 25OCT
--

shawn....@gmail.com

Dec 12, 2012, 8:54:01 AM12/12/12
to mil...@googlegroups.com
On 12/11/12 7:55 PM, ben wrote:
> I will caveat the following with the fact that I have not read the draft STIG and it has been 2 years since I STIG'd a RHEL 5 machine from scratch:
>
> Will the new STIG still mandate insane file and directory permissions/ownership so that a user cannot traverse the directory tree and execute system commands resulting in them needing to be root at all times?
>
> I hate having all our logs say user 'root' did something. It kind of defeats the purpose of auditing. It would be nice to be able to use sudo properly and traverse the directory tree and run common commands, as a user instead of root.

We hope the language is saner. Do a search for "rpm -V" here:
http://people.redhat.com/swells/scap-security-guide/RHEL6/table-rhel6-stig-server.html

We've pushed proper file permission requirements directly to the OS vendor (instead of having users alter file permissions post-install), and setup auditd to log any system-specific changes from vendor defaults.

Other language around file permissions that I can recall:
    - Sticky bit on public directories
    - Directories must be owned by a real user
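The three points Shawn lists (vendor-default permissions verified with "rpm -V", sticky bit on public directories, directories owned by a real user) can each be turned into a check an administrator runs on a host. The script below is an added example written for this thread; it is not code from the SCAP Security Guide project or from any of the posters. It assumes a POSIX find (GNU findutils on RHEL) and the column layout of rpm's verify output (a nine-character attribute string S M 5 D L U G T P, an optional file-type flag such as "c" for config files, then the path). The rpm -V lines used in the usage comment are constructed samples, not output from a real host.

```shell
#!/bin/sh
# Added example, not from the original thread or the SCAP Security Guide.
# Three host checks matching the file-permission language discussed above.

# (1) Reduce "rpm -Va" output to mode (M), user (U) or group (G) deviations
#     from the vendor's packaged defaults. Reads stdin, so it works on a
#     live "rpm -Va" pipe or on a saved report. Checksum/mtime-only changes
#     (e.g. an edited config file) are not permission findings and are
#     skipped; "missing" files are a separate finding and are skipped too.
#     Attribute positions: 1=S 2=M 3=5 4=D 5=L 6=U 7=G 8=T 9=P
rpm_perm_deviations() {
    awk '
        $1 == "missing" { next }
        substr($1, 2, 1) == "M" || substr($1, 6, 1) == "U" || substr($1, 7, 1) == "G" {
            print $NF          # last field is the path
        }
    '
}

# (2) World-writable directories that lack the sticky bit under a root.
#     -perm -0002 : others have write; ! -perm -1000 : sticky bit not set.
nonsticky_public_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# (3) Directories whose numeric owner has no entry in the passwd database.
unowned_dirs() {
    find "$1" -type d -nouser 2>/dev/null
}

# Stand-alone driver, only active when STIG_CHECK_ROOT is set, e.g.:
#   STIG_CHECK_ROOT=/ sh stig-perm-check.sh
# Example constructed "rpm -Va" lines and what (1) reports for them:
#   SM5....T.  c /etc/ssh/sshd_config   -> reported (mode changed)
#   .....UG..    /var/log/audit         -> reported (owner/group changed)
#   ..5......    /usr/bin/foo           -> not reported (content only)
#   missing   c /etc/bar                -> not reported (missing file)
if [ -n "${STIG_CHECK_ROOT:-}" ]; then
    echo "== packaged files with changed mode/owner/group =="
    rpm -Va | rpm_perm_deviations
    echo "== world-writable directories without sticky bit =="
    nonsticky_public_dirs "$STIG_CHECK_ROOT"
    echo "== directories owned by an unknown uid =="
    unowned_dirs "$STIG_CHECK_ROOT"
fi
```

On a RHEL host the first check is the one the draft STIG leans on: because ownership and mode are recorded in the RPM database, a deviation shows up as M, U or G in the verify output instead of needing a hand-maintained list of expected permissions, and the auditd rules Shawn mentions record who made the change.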