Yes, this is the one that I was thinking of.

I agree that going further than that would make things too confusing.

The nice thing about this is that it provides standard language that could
result in a Q&A segment that allows users to be prompted for the threat
level based on likelihood.

At some point, we're going to have to come up with some level of
combinatorics to make this more reasonable.

As a quick couple of examples:

PAM is configured to allow remote root logins on a non-Internet facing
system: Indeterminate
PAM is configured to allow remote root logins AND SSH is configured to
allow root logins with a password: Moderate
PAM is configured to allow remote root logins AND SSH is configured to
allow root logins with a blank password: Very High

If the system is Internet/untrusted network facing, these would need to be
adjusted.

Trevor

On Tue, Jun 18, 2019 at 9:21 PM Shawn Wells <sh...@redhat.com> wrote:

>
> On 6/18/19 3:45 PM, Trevor Vaughan wrote:
> > At some point, these should probably be changed to correlate with the
> > Vulnerability Severity Assessment Scale as outlined in the NIST 800-30
> > since it is well defined, a public standard at no cost, and 0-100
> > which lines up with most people's internal "gut feeling".
>
>
> Sounds reasonable. Looks like "TABLE D-6: ASSESSMENT SCALE – RANGE OF
> EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES" seems most applicable [0].
> Is that what you were thinking?
>
> Worried the broader 800-30 requires advanced multidimensional
> calculus.... yes, could result in better ratings than the DISA scale,
> but if it's too hard to use... nobody will use it.
>
>
> [0] Page 68 @
>
> https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
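Added example (mine, not code from this thread or from the OpenSCAP project): the three PAM/SSH combinations above, written as a small rule table where the most specific set of co-occurring findings wins, plus the Internet-facing adjustment. The finding identifiers are assumed names rather than real XCCDF rule ids, and the "bump one level when Internet facing" step is my assumption, since the mail only says the ratings "would need to be adjusted".

```python
from dataclasses import dataclass

# Qualitative levels in ascending order. "Indeterminate" is the placeholder
# used in the mail for "cannot rate without more context"; the remaining
# four are the qualitative values of the NIST SP 800-30r1 assessment scales.
LEVELS = ["Indeterminate", "Very Low", "Low", "Moderate", "High", "Very High"]


@dataclass(frozen=True)
class Rule:
    requires: frozenset  # finding ids that must ALL be present
    rating: str          # qualitative level assigned when they are


# Constructed rule table transcribed from the three examples in the mail.
# Finding ids are assumed names, not real SCAP/XCCDF rule identifiers.
RULES = [
    Rule(frozenset({"pam_remote_root"}), "Indeterminate"),
    Rule(frozenset({"pam_remote_root", "ssh_root_password"}), "Moderate"),
    Rule(frozenset({"pam_remote_root", "ssh_root_blank_password"}), "Very High"),
]


def rate(findings, internet_facing=False, bump=1):
    """Return the threat level for a set of finding ids, or None if no rule fires.

    Selection: among rules whose 'requires' set is contained in the findings,
    the one with the most required findings wins (most specific combination);
    ties go to the higher rating. The Internet-facing adjustment (raise the
    level by 'bump', capped at the top of the scale) is an assumption; an
    Indeterminate rating stays Indeterminate because it is not an ordinal value.
    """
    findings = set(findings)
    matches = [r for r in RULES if r.requires <= findings]
    if not matches:
        return None
    best = max(matches, key=lambda r: (len(r.requires), LEVELS.index(r.rating)))
    idx = LEVELS.index(best.rating)
    if internet_facing and best.rating != "Indeterminate":
        idx = min(idx + bump, len(LEVELS) - 1)
    return LEVELS[idx]


if __name__ == "__main__":
    # Constructed sample inputs: one internal host, one Internet-facing host.
    internal = {"pam_remote_root", "ssh_root_password"}
    exposed = {"pam_remote_root", "ssh_root_blank_password"}
    print("internal host:", rate(internal))                       # Moderate
    print("exposed host: ", rate(exposed, internet_facing=True))  # Very High
```

The table-driven shape matters more than the specific rows: adding a fourth combination is one more Rule entry, and a later NIST-style 0-100 mapping would be a lookup on LEVELS rather than a change to the matching logic.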