Yes, this is the one that I was thinking of. I agree that going further than that would make things too confusing.
The nice thing about this is that it provides standard language that could result in a Q&A segment that allows users to be prompted for the threat level based on likelihood.

At some point, we're going to have to come up with some level of combinatorics to make this more reasonable. As a quick couple of examples:

PAM is configured to allow remote root logins on a non-Internet-facing system: Indeterminate
PAM is configured to allow remote root logins AND SSH is configured to allow root logins with a password: Moderate
PAM is configured to allow remote root logins AND SSH is configured to allow root logins with a blank password: Very High

If the system is Internet/untrusted-network facing, these would need to be adjusted.

Trevor

On Tue, Jun 18, 2019 at 9:21 PM Shawn Wells <sh...@redhat.com> wrote:
>
> On 6/18/19 3:45 PM, Trevor Vaughan wrote:
> > At some point, these should probably be changed to correlate with the
> > Vulnerability Severity Assessment Scale as outlined in the NIST 800-30
> > since it is well defined, a public standard at no cost, and 0-100
> > which lines up with most people's internal "gut feeling".
>
> Sounds reasonable. Looks like "TABLE D-6: ASSESSMENT SCALE – RANGE OF
> EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES" seems most applicable.
> Is that what you were thinking?
>
> Worried the broader 800-30 requires advanced multidimensional
> calculus.... yes, could result in better ratings than the DISA scale,
> but if it's too hard to use... nobody will use it.
>
> Page 68 @
> https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
>
> _______________________________________________
> Open-scap-list mailing list
> https://www.redhat.com/mailman/listinfo/open-scap-list

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
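The three PAM/SSH combinations rated above, expressed as a small checker (an added example, not code from the thread or from OpenSCAP): it reads the relevant sshd_config directives with sshd's first-value-wins rule, takes the PAM fact as an input, and applies the ratings given in the message. The one-level bump for Internet-facing systems is an assumption, since the message only says the ratings "would need to be adjusted".

```python
# Severity levels in increasing order; the message uses three of them.
LEVELS = ["Indeterminate", "Low", "Moderate", "High", "Very High"]


def parse_sshd_config(text):
    """Map each sshd_config keyword to its first value: sshd keeps the first
    occurrence of a keyword and ignores later duplicates. Parsing stops at
    the first Match block, whose settings apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def ssh_root_facts(settings):
    """Derive 'root may log in with a password' and '... with a blank
    password' from the parsed settings, using OpenSSH's default values."""
    permit_root = settings.get("permitrootlogin", "prohibit-password")
    password_auth = settings.get("passwordauthentication", "yes") == "yes"
    empty_ok = settings.get("permitemptypasswords", "no") == "yes"
    with_password = permit_root == "yes" and password_auth
    return with_password, with_password and empty_ok


def rate(pam_remote_root, sshd_config, internet_facing=False):
    """Apply the message's three combinations. None means the combination
    (PAM does not allow remote root) is not one the message rates."""
    if not pam_remote_root:
        return None
    with_pw, with_blank = ssh_root_facts(parse_sshd_config(sshd_config))
    level = "Very High" if with_blank else "Moderate" if with_pw else "Indeterminate"
    if internet_facing:
        # Assumption, not from the message: Internet-facing bumps one level.
        level = LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
    return level


# Constructed sshd_config excerpts (not taken from any real host).
SAMPLE_PASSWORD = "PermitRootLogin yes\nPasswordAuthentication yes\nPermitRootLogin no  # ignored\n"
SAMPLE_BLANK = SAMPLE_PASSWORD + "PermitEmptyPasswords yes\n"
SAMPLE_HARDENED = "PermitRootLogin prohibit-password\nPermitEmptyPasswords no\n"
```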