On 25/10/2013 01:47, Shawn Wells wrote:
On 10/24/13, 2:12 PM, wm-lists wrote:
Shawn, happy to contribute. As I get it together, I'll provide what
I have. I have a PCI-DSS QSA onsite for the foreseeable future to
validate what I'm doing against the PCI-DSS 2.0 standards (3.0 will
be out soon enough).
If you're willing, as you create your profile, check which OVAL checks
you're using have been signed off. The signed-off ones will have a
line similar to the following somewhere in the <metadata> tags:
<reference source="DS" ref_id="20130928" ref_url="test_attestation" />
Give the list a shout if/as you find things without signoff. It'll
help prioritize OVAL unit testing, especially since we'll know which
ones are used within your PCI profile.
I use openscap in conjunction with Red Hat Satellite for reporting
purposes to validate in-scope systems.
How do you manage distributing the SCAP RPMs to the clients? There have
been a few write-ups about custom RHN channels, dropping the XCCDF into
configuration channels, etc. Very interested to see how things are
being done in field deployments!
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
+1 Beer from me too!
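An added example, not from the thread or from the scap-security-guide project itself: it walks an OVAL file and lists the definitions whose <metadata> carries no reference with ref_url="test_attestation", i.e. the checks Shawn asks people to report. The sample document and its definition ids are constructed; it tolerates both namespaced built OVAL and un-namespaced shorthand.

```python
import sys
import xml.etree.ElementTree as ET

# Marker the list says signed-off checks carry inside <metadata>.
ATTESTATION_URL = "test_attestation"


def _local(tag):
    """Strip an XML namespace prefix so namespaced and bare tags both match."""
    return tag.rsplit("}", 1)[-1]


def is_attested(definition):
    """True if the definition's <metadata> holds a test_attestation reference."""
    for elem in definition.iter():
        if _local(elem.tag) == "reference" and elem.get("ref_url") == ATTESTATION_URL:
            return True
    return False


def unattested_definitions(xml_text):
    """Return ids of <definition> elements that lack a sign-off reference."""
    root = ET.fromstring(xml_text)
    return [elem.get("id") for elem in root.iter()
            if _local(elem.tag) == "definition" and not is_attested(elem)]


# Constructed sample: one signed-off definition, one without sign-off.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <metadata>
        <title>Example check with sign-off</title>
        <reference source="DS" ref_id="20130928" ref_url="test_attestation"/>
      </metadata>
    </definition>
    <definition id="oval:example:def:2" version="1" class="compliance">
      <metadata>
        <title>Example check still awaiting sign-off</title>
        <reference source="CCE" ref_id="CCE-EXAMPLE"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>"""

if __name__ == "__main__":
    # Pass an OVAL file path to scan it; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVAL
    for def_id in unattested_definitions(text):
        print("no sign-off:", def_id)
```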