OnDemand should provide a NIST STIG #785
Comments
I believe the most applicable guide for this project would be this one: https://www.stigviewer.com/stig/application_security_and_development/2018-12-24/MAC-3_Classified/ I selected the MAC 3 classified profile since a lot of DoE labs operate classified equipment. A lot of the controls probably aren't applicable. For example, V-70399 "Procedures must be in place to notify users when an application is decommissioned." isn't going to apply to the application. In that case you'd say something like "Not applicable - administrators are responsible for decommissioning their instances should development cease." Most of the time you see these things as Excel or XML documents. I'm not entirely sure what the best way to collaborate on such a thing might be. Maybe some kind of Google Doc?
As for collaborating, what would the table look like? I see on that linked page an Excel or XML or JSON can be downloaded but it looks like that just contains a list of all the Finding IDs and related check text that can be found on the details page of each Finding. Are you imagining we do something like this:
Or would the table be more complex? If we did something simple like above, one option is to use reStructuredText's list tables. GitHub can render this in a reStructuredText file in the root of this repo or as a page in the wiki.
In practice these things are usually submitted via Excel workbook so the security folks can check off the list. But, it's probably better to start a markdown table then, once that's filled out, move on to an Excel sheet with check texts, fix texts, and whatnot.
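One way to get from the XML export mentioned above to the markdown table being proposed, as an added example that is not code from this thread or from the OnDemand project: parse the STIG's XCCDF file (the layout assumed here is the XCCDF 1.1 `Benchmark/Group/Rule` structure DISA uses; the two-rule `SAMPLE_XCCDF` below is constructed, with V-70399's title taken from the comment above and its check/fix text paraphrased, and `V-00001` an invented placeholder used only to show pipe escaping), attach a per-finding status from the usual STIG vocabulary ("Not Reviewed", "Open", "Not a Finding", "Not Applicable", an assumption here), and emit a table plus a count of what is still unreviewed.

```python
# Added example (not OnDemand code): build a STIG review table from an XCCDF export.
import re
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
# Assumed review-status vocabulary; anything else is rejected so the sheet stays consistent.
STATUSES = ("Not Reviewed", "Open", "Not a Finding", "Not Applicable")

# Constructed fragment in XCCDF 1.1 layout. Rule ids are placeholders, not real DISA ids.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed_example">
  <Group id="V-70399">
    <title>constructed group title</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="medium">
      <title>Procedures must be in place to notify users when an application is decommissioned.</title>
      <check><check-content>Constructed check text: review decommissioning procedures.</check-content></check>
      <fixtext>Constructed fix text: document decommissioning procedures.</fixtext>
    </Rule>
  </Group>
  <Group id="V-00001">
    <title>constructed group title</title>
    <Rule id="SV-EXAMPLE-2_rule" severity="low">
      <title>Constructed rule whose title contains a | pipe character.</title>
      <check><check-content>Constructed check text.</check-content></check>
      <fixtext>Constructed fix text.</fixtext>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed reviewer input: vuln id -> (status, comment).
EXAMPLE_STATUSES = {
    "V-70399": ("Not Applicable",
                "Administrators are responsible for decommissioning their instances "
                "should development cease."),
}


def _text(elem, path):
    """Return the collapsed text of the first child matching path, or ''."""
    node = elem.find(path, XCCDF_NS)
    if node is None or node.text is None:
        return ""
    return re.sub(r"\s+", " ", node.text).strip()


def parse_stig(xml_text):
    """Flatten each Group/Rule pair into one finding dict."""
    root = ET.fromstring(xml_text)
    findings = []
    for group in root.findall("x:Group", XCCDF_NS):
        rule = group.find("x:Rule", XCCDF_NS)
        if rule is None:  # groups without a rule carry nothing to review
            continue
        findings.append({
            "vuln_id": group.get("id", ""),
            "rule_id": rule.get("id", ""),
            "severity": rule.get("severity", ""),
            "title": _text(rule, "x:title"),
            "check": _text(rule, "x:check/x:check-content"),
            "fix": _text(rule, "x:fixtext"),
        })
    return findings


def _cell(value):
    """Escape characters that would break a markdown table row."""
    return value.replace("|", "\\|").replace("\n", " ")


def to_markdown(findings, statuses=None):
    """Render findings as a markdown table; unlisted findings default to Not Reviewed."""
    statuses = statuses or {}
    rows = ["| Vuln ID | Severity | Title | Status | Comment |",
            "|---|---|---|---|---|"]
    for f in findings:
        status, comment = statuses.get(f["vuln_id"], ("Not Reviewed", ""))
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r} for {f['vuln_id']}")
        rows.append("| %s | %s | %s | %s | %s |" % (
            f["vuln_id"], f["severity"], _cell(f["title"]), status, _cell(comment)))
    return "\n".join(rows)


def summarize(findings, statuses=None):
    """Count findings per status, e.g. how many are still Not Reviewed."""
    statuses = statuses or {}
    return dict(Counter(statuses.get(f["vuln_id"], ("Not Reviewed", ""))[0]
                        for f in findings))


if __name__ == "__main__":
    found = parse_stig(SAMPLE_XCCDF)
    print(to_markdown(found, EXAMPLE_STATUSES))
    print(summarize(found, EXAMPLE_STATUSES))
```

The check and fix text are kept on each finding so the same parse can later feed the Excel workbook with those columns; only the markdown renderer drops them to keep the table readable.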
I set up a checklist and team on https://ondemand.vaulted.io. Maybe a tool like that would be helpful? I took these steps:
288 not reviewed! Looks like a nice interface with conversation, tags, and text field to put "Finding details" and "Comments": @nealepetrillo I'm happy to send an invite to you if you are interested. Do you know about this tool?
Awesome! Haven't heard about that tool but looks like a good fit. I signed up and will review in the next day or two. |
In a nutshell, STIG is a security self-assessment, and we were told that this would assist with uptake for US federal HPC sites.
https://csrc.nist.gov/glossary/term/security-technical-implementation-guide