Hello Tobias,

What exactly do you mean by compliance mapping? Are you interested to see

- (A) how a given control requirement is covered by OpenSCAP checks
- (B) what controls are related to a given OpenSCAP check?

Or is it something else?

I guess the answer will depend on which particular regulation you are looking at. For some there has been a bit more work done previously than for others. For example, for DISA STIG there are SRG mapping tables [1] built in upstream [2]. For others, you will find that each OpenSCAP check contains references to relevant controls.

Kind regards,

--
Šimon Lukašík
Member of technical staff
Office of the Chief Technologist
Red Hat Public Sector

[1]: http://atopathways.redhatgov.io/cac/tables/table-rhel8-srgmap-flat.html
[2]: https://github.com/ComplianceAsCode/content

Tobias Svenblad <tobias.svenb...@crosskey.fi> writes:

> Hello,
>
> I hope I came to the right place and that I’m not making a fool of myself.
>
> We are having internal discussions on how to do compliance mapping of several
> regulations. I noticed that OpenSCAP has a lot of compliance requirements as
> references in the SCAP control activities. Is this a manual process; does
> OpenSCAP maintain this compliance mapping without any tools? Or is it
> completely automatic, and if so, how? I.e. how does OpenSCAP map certain
> regulation requirements to certain control activities?
>
> If anyone has the answer, I’d be very grateful. Thanks.
>
> Mvh/BR,
>
> Tobias Svenblad
> Security Analyst, Crosskey<https://www.crosskey.fi/>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
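Added example, not part of the original thread and not OpenSCAP or ComplianceAsCode code: both directions named in the reply, (A) control to checks and (B) check to controls, derived from the `<reference>` elements that XCCDF 1.2 rules carry. The benchmark fragment, rule ids, hrefs and control ids are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace
FA, FB = "https://example.org/framework-a", "https://example.org/framework-b"

# Constructed fragment: rule ids, hrefs and control ids are placeholders.
SAMPLE_BENCHMARK = f"""
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <Group id="xccdf_org.example_group_demo">
    <Rule id="xccdf_org.example_rule_one">
      <reference href="{FA}">A-1</reference>
      <reference href="{FB}">B-7</reference>
    </Rule>
    <Rule id="xccdf_org.example_rule_two">
      <reference href="{FA}">A-1</reference>
      <reference href="{FA}"> A-2 </reference>
    </Rule>
  </Group>
  <Rule id="xccdf_org.example_rule_three"/>
</Benchmark>"""


def rule_to_controls(xml_text):
    """(B) rule id -> set of (framework href, control id) it references."""
    # For untrusted content, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    mapping = {}
    for rule in root.iter(XCCDF + "Rule"):
        refs = set()
        for ref in rule.findall(XCCDF + "reference"):
            control = (ref.text or "").strip()
            if control:
                refs.add((ref.get("href", ""), control))
        mapping[rule.get("id")] = refs
    return mapping


def control_to_rules(mapping):
    """(A) (framework href, control id) -> set of rule ids that cover it."""
    inverse = defaultdict(set)
    for rule_id, refs in mapping.items():
        for key in refs:
            inverse[key].add(rule_id)
    return dict(inverse)


def unmapped_rules(mapping):
    """Rules carrying no reference at all: gaps in the mapping."""
    return sorted(rule_id for rule_id, refs in mapping.items() if not refs)
```

Keying on the (href, control id) pair keeps identically numbered controls from different regulations apart.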