
Could OpenSCAP STIG rules feed into e.g. covered_by #149

Open
openprivacy opened this issue May 26, 2016 · 3 comments

@openprivacy
Member

[assuming covered_by is for test results/justifications. If not, replace with appropriate key]

I'm building a set of RHEL/7 instances and am starting to look at compliance-masonry to help with document creation and gap analysis - and possibly as a controller to run tests. I'm currently using the OpenSCAP tool for OS compliance verification, and each of the 800-53 controls has one or more STIG rules to check compliance. Things get complicated quickly:

  • There may be seven STIG rules for a control of which only five pass (gap of two)
  • Even if all pass, that's just the OS; there may be tests required for the application (gap) and other tiers

Two questions:

  • Has anyone looked at hooking OpenSCAP up to CM?
  • What is the thinking on handling multiple tiers (platform, application, etc.)?
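One way to see what the first question is asking for, as an added example (my code, not compliance-masonry's or OpenSCAP's): parse an XCCDF results document, roll each rule result up to the 800-53 controls the rule references, flag the "five of seven pass" gaps per control, and shape the outcome like a component.yaml with passing rules under covered_by. The XCCDF 1.2 namespace is the real one; the rule ids, the sample results, the STIG reference and the component field names (taken from the OpenControl 3.0.0 schema as I recall it) are assumptions and should be checked against the schema before use.

```python
"""Roll OpenSCAP XCCDF rule results up to NIST 800-53 controls and emit an
OpenControl-style component fragment. Added example, not compliance-masonry code."""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://checklists.nist.gov/xccdf/1.2}"
NIST = "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"

# Constructed sample, not real scanner output: a cut-down XCCDF document holding
# both the Rule definitions (with their 800-53 <reference>s) and a TestResult.
# Rule ids and the non-NIST STIG reference are placeholders.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_rhel7">
  <Rule id="xccdf_example_rule_account_unique_name">
    <reference href="{nist}">AC-2</reference><reference href="{nist}">IA-2</reference>
  </Rule>
  <Rule id="xccdf_example_rule_no_empty_passwords"><reference href="{nist}">AC-2</reference></Rule>
  <Rule id="xccdf_example_rule_disable_expired_accounts"><reference href="{nist}">AC-2</reference></Rule>
  <Rule id="xccdf_example_rule_audit_logs_root_only"><reference href="{nist}">AU-9</reference></Rule>
  <Rule id="xccdf_example_rule_console_root_only"><reference href="{nist}">AC-6</reference></Rule>
  <Rule id="xccdf_example_rule_telnet_removed"><reference href="https://example.invalid/stig">EXAMPLE-STIG-ID</reference></Rule>
  <TestResult id="xccdf_example_testresult_stig" start-time="2016-05-26T10:00:00">
    <rule-result idref="xccdf_example_rule_account_unique_name"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_no_empty_passwords"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_disable_expired_accounts"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_logs_root_only"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_console_root_only"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_telnet_removed"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>""".format(nist=NIST)


def parse_xccdf(xml_text):
    """Return (rule_controls, results): the 800-53 control ids each Rule cites,
    and the <result> string recorded for each rule in the TestResult."""
    root = ET.fromstring(xml_text)
    rule_controls = {}
    for rule in root.iter(NS + "Rule"):            # iter() also finds Rules nested in Groups
        refs = rule.findall(NS + "reference")
        rule_controls[rule.get("id")] = {r.text.strip() for r in refs
                                         if "800-53" in r.get("href", "") and r.text}
    results = {}
    for rr in root.iter(NS + "rule-result"):
        res = rr.find(NS + "result")
        results[rr.get("idref")] = res.text.strip() if res is not None and res.text else "notchecked"
    return rule_controls, results


def control_summary(rule_controls, results):
    """Group rule results per control. Only 'pass' is evidence; 'notapplicable' and
    'notselected' are set aside as skipped; every other XCCDF result (fail, error,
    unknown, notchecked) counts as a gap, because absence of a pass is not a pass."""
    bucket_for = {"pass": "passed", "notapplicable": "skipped", "notselected": "skipped"}
    summary = defaultdict(lambda: {"passed": [], "failed": [], "skipped": []})
    unmapped = {}                                   # rules with no 800-53 reference at all
    for rule_id, result in results.items():
        controls = rule_controls.get(rule_id, set())
        if not controls:
            unmapped[rule_id] = result
            continue
        for control in sorted(controls):            # one rule may serve several controls
            summary[control][bucket_for.get(result, "failed")].append(rule_id)
    for info in summary.values():
        info["status"] = "gap" if info["failed"] else ("covered" if info["passed"] else "no evidence")
    return dict(summary), unmapped


def opencontrol_component(summary, results, name="RHEL 7 host OS", key="rhel7-os"):
    """Shape the roll-up like a compliance-masonry component.yaml (field names as I
    recall them from OpenControl schema 3.0.0; assumed, check before use). Every rule
    becomes a verification; only passing rules are listed under covered_by, and the
    failing ones are named in the narrative so the gap stays visible."""
    status_map = {"covered": "complete", "gap": "partial", "no evidence": "none"}
    satisfies = []
    for control, info in sorted(summary.items()):
        applicable = len(info["passed"]) + len(info["failed"])
        text = "OpenSCAP: %d of %d applicable rules pass." % (len(info["passed"]), applicable)
        if info["failed"]:
            text += " Failing: " + ", ".join(info["failed"]) + "."
        satisfies.append({"standard_key": "NIST-800-53", "control_key": control,
                          "implementation_status": status_map[info["status"]],
                          "covered_by": [{"verification_key": r} for r in info["passed"]],
                          "narrative": [{"text": text}]})
    return {"name": name, "key": key, "schema_version": "3.0.0",
            "verifications": [{"key": r, "name": r, "type": "OpenSCAP"} for r in sorted(results)],
            "satisfies": satisfies}


if __name__ == "__main__":
    rules, res = parse_xccdf(SAMPLE_XCCDF)
    summary, unmapped = control_summary(rules, res)
    for control, info in sorted(summary.items()):
        print("%-5s %-12s pass=%d fail=%d skipped=%d" % (control, info["status"],
              len(info["passed"]), len(info["failed"]), len(info["skipped"])))
    print("rules with no 800-53 mapping:", unmapped)
    print(json.dumps(opencontrol_component(summary, res), indent=2))
```

On real data, replace SAMPLE_XCCDF with the file written by `oscap xccdf eval --results`, which carries the TestResult in the benchmark document. The unmapped bucket matters: a STIG rule with no 800-53 reference still fails, and it would otherwise vanish from a control-centric gap report. The multi-tier question in the original post is a separate concern; as I understand the schema, a covered_by entry can also carry a component_key so that an application-tier component can cite an OS-tier verification, which keeps each tier's OpenSCAP (or BDD) evidence in its own component.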
@mzia
Contributor

mzia commented May 26, 2016

Hi @openprivacy :

  1. We've thought about it but haven't looked into SCAP integration, mainly because OSS tools already exist and are maintained for it. But that doesn't rule out the above idea.
  2. Multiple tier support is not out of the question, certainly feasible. Please feel free to help out with maturing CM. Schema is defined in JSON, so it can be done.

@mogul
Contributor

mogul commented May 26, 2016

@openprivacy : Have you looked at the existing compliance-masonry support for executing BDD tests that verify each control? It would be nice and natural to extend this for running BDD or SCAP rules. However, we have no experience/expertise with OpenSCAP; hopefully a community contributor with experience of OpenSCAP can fill in the gap!

As for multiple-tier support: If I understand your request correctly, I think that's the already-supported common target use-case! See for example cg-compliance, which is composing existing CM YAML for AWS (IaaS-level) and Cloud Foundry (PaaS-level) from other repositories with YAML for cloud.gov itself (specific org-level management) there in the repository.

@mogul
Contributor

mogul commented May 26, 2016

(Each set of YAML dependencies can come with its own BDD tests... Presumably you'd do the same for components that have corresponding SCAP rules.)
