
I've been assigned to STIG our current rhel7 servers and when I go to 'public.cyber.mil/stigs/downloads' to download the zip file to import into stigviewer, I see two files.

Red Hat Enterprise Linux 7 STIG - Ver 3, Rel 3
Red Hat Enterprise Linux 7 STIG Benchmark - Ver 3, Rel 3

Can someone explain what the differences are between the two and which one I should use?

guzr1
    The benchmark is an XML template file intended to be consumed by your SCAP automation tool, which for RHEL may be OpenSCAP. The other zip has the documentation and definitions for manual scans. – Greg Askew May 09 '21 at 18:05

1 Answer


As @GregAskew said, the "STIG" is for a manual review and the "STIG Benchmark" is for use with automated SCAP tools. If you are expected to perform a complete review, you should use the full "STIG" (not the Benchmark), as it will contain a number of checkpoints for things that cannot be automated, like the creation of specific system documentation, or the documentation of specific organizational policies.

pmdba
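To make the distinction in the answer concrete, here is an added example (not from the question, the answer, or DISA) that parses a benchmark XCCDF file the way a SCAP tool consumes it: it lists the profiles, the rules each profile selects, and which rules carry an OVAL check (automatable) versus only a manual check procedure. The XML is a constructed, minimal XCCDF 1.2 document that mimics the shape of a benchmark; every rule id, profile id, title and OVAL definition name in it is an invented placeholder, not real RHEL 7 STIG content. The `oscap xccdf eval` invocation at the end is the documented OpenSCAP command line; the file names passed to it are assumptions.

```python
"""Inspect an XCCDF benchmark the way a SCAP tool such as OpenSCAP sees it.

Added example, not from the original question or answer. SAMPLE_BENCHMARK is a
constructed XCCDF 1.2 document with placeholder ids; it is not DISA content.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"x": XCCDF_NS}

# Constructed sample: two rules with OVAL checks (automatable by a SCAP tool)
# and one rule whose only check is a manual procedure.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_RHEL7">
  <title>Example RHEL 7 benchmark (constructed)</title>
  <Profile id="xccdf_example_profile_MAC-1_Classified">
    <title>Example MAC-1 profile</title>
    <select idref="xccdf_example_rule_password_min_len" selected="true"/>
    <select idref="xccdf_example_rule_audit_enabled" selected="true"/>
    <select idref="xccdf_example_rule_system_documentation" selected="false"/>
  </Profile>
  <Group id="xccdf_example_group_auth">
    <Rule id="xccdf_example_rule_password_min_len" severity="medium">
      <title>Passwords must have a minimum length</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="xccdf_example_rule_audit_enabled" severity="high">
      <title>The audit service must be running</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
    <Rule id="xccdf_example_rule_system_documentation" severity="low">
      <title>System documentation must be maintained (manual review)</title>
      <check system="http://example.invalid/manual-procedure">
        <check-content>Ask the ISSO for the current system security plan.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_benchmark(xml_text):
    """Return (profiles, rules).

    profiles: profile id -> list of rule ids selected="true" in that profile.
    rules:    rule id -> dict(title, severity, automated) where automated means
              the rule's <check> references an OVAL definition.
    """
    root = ET.fromstring(xml_text)
    profiles = {}
    for prof in root.findall("x:Profile", NS):
        selected = [s.get("idref") for s in prof.findall("x:select", NS)
                    if s.get("selected") == "true"]
        profiles[prof.get("id")] = selected
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        check = rule.find("x:check", NS)
        automated = check is not None and check.get("system") == OVAL_SYSTEM
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "severity": rule.get("severity"),
            "automated": automated,
        }
    return profiles, rules


def manual_rules(rules):
    """Rule ids a SCAP scanner cannot evaluate; these need a human reviewer."""
    return sorted(rid for rid, r in rules.items() if not r["automated"])


def oscap_command(benchmark_path, profile_id, results="results.xml", report="report.html"):
    """Build the documented OpenSCAP command line for evaluating XCCDF content.

    benchmark_path would be the XCCDF file from the Benchmark zip; output file
    names are assumptions.
    """
    return ["oscap", "xccdf", "eval", "--profile", profile_id,
            "--results", results, "--report", report, benchmark_path]


if __name__ == "__main__":
    profiles, rules = parse_benchmark(SAMPLE_BENCHMARK)
    for pid, selected in profiles.items():
        print(f"profile {pid}: {len(selected)} rules selected")
        print("  run with:", " ".join(oscap_command("benchmark-xccdf.xml", pid)))
    for rid in manual_rules(rules):
        print(f"manual-only rule (not in scanner results): {rid} [{rules[rid]['severity']}]")
```

The split the function reports is the practical reason the answer recommends the full STIG for a complete review: whatever a scanner produces from the Benchmark file covers only the rules with OVAL checks, and the remaining rules (documentation, organizational policy) have to be reviewed and recorded by hand, for example in STIG Viewer.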