Hi, it ended up going well. I am not able to share my entire comparison sheet but security has granted me permission to list some important instances where SCAP does not compare to our SECSCN control selections.
1) Remove rhost support in PAM config files
2) Ensure x-server is configured to prevent listening on port 6000/TCP
3) Check the TCP max_syn_backlog setting
4) Verify no legacy + entries exist in passwd, shadow or group files

I am told I will be receiving a more expansive set of controls sometime in the next couple weeks which may add to or omit elements of my current requirements. Does anyone know where I may have missed a corresponding rule?

Luke K

________________________________________
From: [email protected] [[email protected]] on behalf of Shawn Wells [[email protected]]
Sent: Monday, November 18, 2013 5:01 PM
To: [email protected]
Subject: Re: EXTERNAL: Re: SECSCN and all_rules profile

On 11/12/13, 4:49 PM, Kordell, Luke T wrote:
> Thank you for all the useful feedback! I am actually comparing the SCAP rules
> against SECSCN controls that have already been selected. My team may choose to
> utilize additional SCAP scans as we see fit, but my minimum requirements are
> somewhat straight-forward. I realize that many of the controls are open to
> interpretation but I think in some of these cases a series of SCAP rules can
> be called to check all aspects. For instance one of our user account
> configuration control requirements can be covered by calling two SCAP rules.
> I know this may not work in all cases, but to me it's worth putting in the
> time to connect all the dots. In some situations SCAP seems more precise than
> SECSCN which can make the two difficult to compare.

How'd the comparison go? Many parties would love to read your comments!

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
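
The four controls listed in the message above, written as shell checks that can be run by hand while looking for matching SCAP rules. This is an added example, not part of the original thread or of the scap-security-guide content; the function names, the `pam_rhosts` module-name pattern, the `ss -ltn` column layout and the minimum-backlog parameter are assumptions, since the thread gives no SECSCN thresholds.

```shell
#!/bin/sh
# Added example: the four controls from the message as stand-alone checks.
# Each function prints its findings and returns 1 when the control fails.

# 1) rhosts support in PAM: any non-comment line loading pam_rhosts*.
check_pam_rhosts() {            # args: PAM config files
    if grep -nE '^[[:space:]]*[^#[:space:]].*pam_rhosts' "$@" /dev/null; then
        return 1
    fi
    return 0
}

# 2) X server on 6000/TCP: reads `ss -ltn` output on stdin and looks at the
#    local address column (field 4, assumed layout).
check_x11_tcp() {
    awk '$4 ~ /:6000$/ { print "listener on 6000/tcp: " $4; bad = 1 }
         END { exit bad + 0 }'
}

# 3) SYN backlog: $1 = current value, $2 = required minimum. The minimum is
#    site-specific; the thread does not state one.
check_syn_backlog() {
    [ "$1" -ge "$2" ] || { echo "tcp_max_syn_backlog=$1 is below $2"; return 1; }
}

# 4) Legacy NIS "+" entries: any line starting with "+".
check_plus_entries() {          # args: passwd, shadow and/or group files
    if grep -n '^+' "$@" /dev/null; then
        return 1
    fi
    return 0
}

# Run all four against the live host: sh audit.sh --host <min_backlog>
audit_host() {
    rc=0
    check_pam_rhosts /etc/pam.d/* || rc=1
    ss -ltn | check_x11_tcp || rc=1
    check_syn_backlog "$(cat /proc/sys/net/ipv4/tcp_max_syn_backlog)" "$1" || rc=1
    check_plus_entries /etc/passwd /etc/shadow /etc/group || rc=1
    return "$rc"
}

if [ "${1:-}" = "--host" ]; then
    audit_host "${2:?minimum backlog required}"
fi
```

Unreadable files (for example `/etc/shadow` as a non-root user) produce a grep error but no finding, so run the host audit as root.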
