On 6/7/19 5:02 AM, harshad wadkar wrote:
Respected Madam / Sir,

I am referring to the following URL to learn about open-scap and Ubuntu secure configuration.
https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html

I have one query:
1. At present, the severities are labelled as unknown, low, medium and high.
    a) Is there any mechanism or logic which will quantify these severity levels?
       e.g. low: 0 to < 3, medium: 3 to < 6 and high: 6 to 9 (as given in OWASP - OWASP Risk Rating Methodology. https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodolog)
    b) If yes, requesting you share the information / document / URL with me.

Your guidance is vital to me - waiting for the reply.



They correlate to the DISA Vulnerability Severity Category Code Definitions:


CAT I (HIGH):
Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.


CAT II (MEDIUM):
Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.

CAT III (LOW):
Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.


Historically used the DISA ratings because much of the original community was from Government work (United States, then international) and the language was fairly standardized.

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
