+1 to Shawn on this. I joined the CIS community some time in the past but drifted away when I realized that the process really wasn't open.
I was truly excited when the SSG material hit the pavement and, as evidenced, has produced a very solid foundation that is slowly creeping toward the sweet spot of security and usability.

Trevor

On Thu, Apr 17, 2014 at 3:15 PM, Shawn Wells <[email protected]> wrote:
> On 4/15/14, 12:03 PM, Andrew Gilmore wrote:
>
>> This is good news. I'm a graduate from the CIS community. :)
>>
>> I'd be interested in a concordance of rules from the current STIG target
>> and the CIS product. I vaguely recall that the last time I ran the CIS
>> benchmark, I found some items that probably should be set in a "secure" system
>> that didn't seem to be in the current SSG profiles. It's been 1.5 years
>> now, and I'm not recalling what those were.
>>
>> And no, the mcstrans removal was not one of them.
>>
>> I note that Steve Grubb and I are listed as contributors still.
>>
>
> When skimming through the C2S profile, one can quickly identify which CIS
> sections don't map up to an existing XCCDF rule:
> https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL/6/input/profiles/C2S.xml
>
> Some are duplicate (e.g. 9.2.18 overlaps with 9.2.14), while CIS rules are
> antiquated (e.g. 9.2.13).
>
> I ask the following sincerely and without malice, mostly because I've
> personally never seen anyone use CIS: what purpose does CIS serve?
>
> Within the government we have civilian (USGCB) and DoD (STIG) baselines.
> Within regulated commercial industries we have things like PCI and HIPAA.
> I've always related the CIS baselines to non-regulated commercial
> industries, though at RHT Summit, a very high amount of government people
> said they were following the baseline. Why use CIS when you have STIG?
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
