11. Understanding Profile Updates
January 5, 2024About 1 min
Learning Objectives
By the end of this section, you will be able to:
- Identify the three types of profile updates
- Understand the scope of STIG and CIS Benchmark updates
- Recognize the forward-only nature of security benchmark updates
Types of Profile Updates
Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates:
| Patch Updates | Release Updates | Major Version Updates | |
|---|---|---|---|
| Scope | Minor | Intermediate | Intermediate/Significant |
| Trigger | The validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests. | Guidance author making a new release of the benchmark to address new or updated security requirements. | The guidance author is significantly overhauling their nomenclature, requirement identification schema, or control alignment. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely. |
| Example | An InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5. | DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0. | DISA adds, removes, and modifies a substantial number of requirements due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0. |
Understanding Update Scope
Important concepts to remember:
- Updates are version-specific
- Changes only move forward ("forward-only" process)
- No "back-patching" to older versions
- Each requirement maps to:
- Source SRG document
- Control Correlation Identifier (CCI)
- Unique Rule and STIG IDs
Example requirement identifiers:
tag gtitle: 'SRG-OS-000480-GPOS-00227'
tag gid: 'V-230221'
tag rid: 'SV-230221r858734_rule'
tag stig_id: 'RHEL-08-010000'
tag fix_id: 'F-32865r567410_fix'
tag cci: ['CCI-000366']