A follow-up from the SCAP workshops that Shawn and Jeff hosted this week (great job, guys) on the topic of signed content.
What is the intent for having DISA / NIST / AuthorityX signing SCAP content for delivery? Are people looking for full attestation or validation? Neither addresses the challenge of what to do with local content for waivers, but each poses different options for the local maintainer. The tooling also has different challenges if there's a need to validate a digital signature versus verifying a digest.

Disjointed ancillary thought: is there an include function in the XCCDF? I haven't been able to find one in the spec so far, but it could be useful for local waiver overrides while preserving the official content. There's an obvious issue (as I type this) that any sort of standard include statement would allow someone to completely override policy for a scan while still mimicking the appropriate results. Having a reporting tool that can do diffs of the results and the policy settings could catch that, but that may not be sufficient for reporting or detection time.

Regards,
Matt Micene
Engineering Team Lead
RHCA #100-002-435
DLT Solutions
Direct 703-773-1195

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
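An added example, not from the post above or from the scap-security-guide project, showing what the "diff the policy settings" reporting check and the digest half of the delivery check could look like. Assumptions not stated in the post: the official benchmark is delivered with an out-of-band SHA-256 digest (a stand-in for whichever digest or signature check the list settles on), and local waivers are expressed as an XCCDF 1.2 Tailoring whose Profile extends the official profile. The benchmark, tailoring, rule IDs and value IDs below are constructed sample data, not real DISA or NIST content.

```python
"""Added example (not from the original post): digest check of delivered XCCDF
content plus a diff of effective profile settings, official vs. local tailoring.
All XML is constructed sample data; IDs are hypothetical."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed "official" benchmark, i.e. the content an authority would sign.
OFFICIAL_BENCHMARK = b"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_OS">
  <status>accepted</status>
  <title>Example OS benchmark (constructed)</title>
  <version>1.0</version>
  <Profile id="xccdf_org.example_profile_official">
    <title>Official profile</title>
    <select idref="xccdf_org.example_rule_sshd_root_login" selected="true"/>
    <select idref="xccdf_org.example_rule_password_max_days" selected="true"/>
    <select idref="xccdf_org.example_rule_telnet_removed" selected="true"/>
    <refine-value idref="xccdf_org.example_value_password_max_days" selector="90"/>
  </Profile>
  <Value id="xccdf_org.example_value_password_max_days" type="number">
    <title>Maximum password age</title>
    <value>60</value>
    <value selector="90">90</value>
    <value selector="180">180</value>
  </Value>
  <Group id="xccdf_org.example_group_system">
    <title>System</title>
    <Rule id="xccdf_org.example_rule_sshd_root_login" severity="high"><title>Disable root SSH login</title></Rule>
    <Rule id="xccdf_org.example_rule_password_max_days" severity="medium"><title>Set max password age</title></Rule>
    <Rule id="xccdf_org.example_rule_telnet_removed" severity="high"><title>Remove telnet</title></Rule>
  </Group>
</Benchmark>
"""

# Constructed local tailoring: the waiver lives here, the official file is untouched.
LOCAL_TAILORING = b"""<?xml version="1.0" encoding="UTF-8"?>
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_tailoring_waivers">
  <benchmark href="official-benchmark.xml"/>
  <version time="2012-01-01T00:00:00">1</version>
  <Profile id="xccdf_org.example_profile_local" extends="xccdf_org.example_profile_official">
    <title>Local profile with waivers</title>
    <select idref="xccdf_org.example_rule_sshd_root_login" selected="false"/>
    <refine-value idref="xccdf_org.example_value_password_max_days" selector="180"/>
  </Profile>
</Tailoring>
"""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_digest(data, expected_hex):
    """Integrity check against a digest obtained out-of-band (constant-time compare).
    This only proves the bytes match the digest; origin would need a signature."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def load_profiles(*docs):
    """Collect every Profile from the given XCCDF documents, keyed by id."""
    profiles = {}
    for doc in docs:
        for p in ET.fromstring(doc).iter("{%s}Profile" % XCCDF_NS):
            profiles[p.get("id")] = p
    return profiles


def profile_settings(profile):
    """Selections and value refinements declared directly on one Profile."""
    selects = {s.get("idref"): s.get("selected", "false").lower() == "true"
               for s in profile.findall("xccdf:select", NS)}
    refines = {r.get("idref"): r.get("selector", "")
               for r in profile.findall("xccdf:refine-value", NS)}
    return {"select": selects, "refine": refines}


def resolve_profile(profiles, profile_id):
    """Effective settings: walk the 'extends' chain, child entries override parent."""
    profile = profiles[profile_id]
    parent = profile.get("extends")
    base = resolve_profile(profiles, parent) if parent else {"select": {}, "refine": {}}
    own = profile_settings(profile)
    base["select"].update(own["select"])
    base["refine"].update(own["refine"])
    return base


def policy_diff(official, local):
    """Every way the local effective policy departs from the official one."""
    findings = []
    for kind in ("select", "refine"):
        for ident, value in sorted(official[kind].items()):
            local_value = local[kind].get(ident, value)
            if local_value != value:
                findings.append("%s %s: official=%s local=%s"
                                % (kind if kind == "select" else "refine-value", ident, value, local_value))
        for ident in sorted(set(local[kind]) - set(official[kind])):
            findings.append("%s %s: added locally (%s)"
                            % (kind if kind == "select" else "refine-value", ident, local[kind][ident]))
    return findings


def audit(benchmark_xml, expected_digest, tailoring_xml, official_id, local_id):
    """Run both checks: is the official content intact, and what did the local profile change?"""
    profiles = load_profiles(benchmark_xml, tailoring_xml)
    return {"digest_ok": verify_digest(benchmark_xml, expected_digest),
            "findings": policy_diff(resolve_profile(profiles, official_id),
                                    resolve_profile(profiles, local_id))}


if __name__ == "__main__":
    report = audit(OFFICIAL_BENCHMARK, sha256_hex(OFFICIAL_BENCHMARK), LOCAL_TAILORING,
                   "xccdf_org.example_profile_official", "xccdf_org.example_profile_local")
    print("official content digest ok:", report["digest_ok"])
    for line in report["findings"]:
        print("local override:", line)
```

The digest check answers only "is this the file the authority published"; a signature would additionally bind it to the publisher, and that part is left to whatever tool (gpg, an XML-DSig verifier) the list picks. The diff is what makes a local waiver visible at reporting time: the deselected rule and the changed value selector show up regardless of how the scan results look.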
