Category: security

DISA Updated the RHEL7 STIG! What changed between V1R1 –> V1R2?

This week DISA released an update to their RHEL7 STIG content, incrementing their release from V1R1 to V1R2. This update was unexpected; updates were not coordinated with DoD, NSA, NIST, or Red Hat — so what exactly changed?

Read More

RNGD and “Weak Cryptography” for Virtual Machines

There was recently a great post on Red Hat’s gov-sec mailing list that asked about random number generation inside virtual machines, what constitutes “weak cryptography,” how to increase performance, and generally make things better while staying inside Federal guidelines. Lets take this opportunity to trace through RHEL’s FIPS certifications to make a risk decision on what tools+techniques […]

Read More

Tackling compliance with OpenControl

    Placing information systems on government networks requires system owners to follow the NIST Risk Management framework, or an agency-specific tailored variant of it. Following this framework requires extensive documentation — even the government provided “Guide for Applying the Risk Management Framework to Federal Information Systems” is 102 pages long! The OpenControl project was created to […]

Read More

Quick review of SPAWAR SCC 4.2 Beta 1 with OpenSCAP/SCAP Security Guide

Earlier today (Fri 3-FEB-2017), SPAWAR released a beta edition of their SCAP Compliance Checker 4.2 Beta 1, also known as SPAWAR SCC. Their tool works across multiple operating systems and their latest release “adds NIST 800-53 mappings to reports when CCE/CCI references are included in the content.” The inclusion of NIST and CCE metadata is extremely helpful […]

Read More

Draft NIST 800-171 baseline for RHEL7

Initial guidance on configuring RHEL7 against NIST 800-171/CUI has been developed. Below is a short(ish) background on NIST 800-171/Controlled Unclassified Information, sample security compliance guides and reports, and how you can give feedback (or participate!) on this work.

Read More