On 6/7/19 5:02 AM, harshad wadkar wrote:
Respected Madam / Sir,
I am referring to the following URL to learn about open-scap and Ubuntu
secure configuration.
https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html
I have one query :
1. At present, the severities are labelled as unknown, low, medium and
high.
a) Is there any mechanism or logic which will quantify these
severity levels?
e.g. low : 0 to < 3, medium : 3 to < 6 and high : 6 to 9 (as given
in the OWASP Risk Rating Methodology, https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodolog)
b) If yes, I request that you share the information / document / URL
with me.
Your guidance is vital to me - I am waiting for your reply.
They correlate to the DISA Vulnerability Severity Category Code Definitions:
CAT I (HIGH):
Any vulnerability, the exploitation of which will directly and
immediately result in loss of Confidentiality, Availability, or
Integrity.
CAT II (MEDIUM):
Any vulnerability, the exploitation of which has a potential to result
in loss of Confidentiality, Availability, or Integrity.
CAT III (LOW):
Any vulnerability, the existence of which degrades measures to protect
against loss of Confidentiality, Availability, or Integrity.
Historically, the DISA ratings were used because much of the original
community came from government work (United States, then international)
and the language was fairly standardized.
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
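Since the reply maps the XCCDF severity labels onto DISA categories rather than onto a numeric scale, the practical follow-up is to apply that mapping to the `severity` attribute oscap writes on each `rule-result` in its results file. The script below is an added example and is not part of this thread or of the open-scap project; the sample results document embedded in it is constructed by hand to mimic the shape of an XCCDF 1.2 results file, and the rule ids in it are illustrative, not real SSG rule ids.

```python
"""Summarise failed XCCDF rule results by severity, mapped onto DISA CAT levels.

Added example, not from the open-scap project or this mailing-list thread.
The sample results document below is constructed by hand to mimic the shape of
an oscap results file (XCCDF 1.2 namespace); the rule ids are illustrative.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# XCCDF severity label -> DISA Vulnerability Severity Category Code, as stated
# in the reply above. "unknown" has no DISA equivalent, so it is reported
# separately under "unmapped" rather than silently promoted or dropped.
SEVERITY_TO_CAT = {
    "high": "CAT I",
    "medium": "CAT II",
    "low": "CAT III",
}

# Constructed sample (not real oscap output): two failing mapped rules,
# one passing rule, and one failing rule with an unknown severity.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_sshd_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_min_len" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_banner" severity="low">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_custom" severity="unknown">
      <result>fail</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def severity_to_cat(severity):
    """Return the DISA category for an XCCDF severity label, or None if unmapped."""
    return SEVERITY_TO_CAT.get((severity or "").strip().lower())


def failed_rules_by_cat(results_xml):
    """Count failing rule-results per DISA category in an XCCDF results document.

    Only results whose <result> is "fail" are counted; pass, notapplicable,
    notchecked and the rest are ignored. Returns e.g.
    {"CAT I": 1, "CAT II": 1, "unmapped": 1}.
    """
    root = ET.fromstring(results_xml)
    ns = {"x": XCCDF_NS}
    counts = Counter()
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result = rr.findtext("x:result", default="", namespaces=ns).strip()
        if result != "fail":
            continue
        cat = severity_to_cat(rr.get("severity"))
        counts[cat if cat else "unmapped"] += 1
    return dict(counts)


def failed_rules_by_cat_from_file(path):
    """Same summary for a results file on disk, e.g. one written by oscap."""
    with open(path, "rb") as fh:
        return failed_rules_by_cat(fh.read())


if __name__ == "__main__":
    for cat, n in sorted(failed_rules_by_cat(SAMPLE_RESULTS).items()):
        print(f"{cat}: {n}")
```

A real results file for the function above comes from a scan such as `oscap xccdf eval --profile <profile-id> --results results.xml <datastream>`; point `failed_rules_by_cat_from_file` at `results.xml`. Note that the mapping is categorical only: there is no numeric score behind "low", "medium" and "high" in the SSG content, so anything that needs a 0-9 style number (as in the OWASP method asked about) has to supply it on top of this mapping.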