On 9/16/14, 3:06 PM, Trevor Vaughan wrote:
> "Not to mention no single SCAP benchmark can encompass all of the
> minimum required controls from the different control families"
>
> I'm not so sure about this one. Or rather, I'm wondering if a single
> SCAP benchmark can encompass the *maximum* required controls from the
> different control families.
>
> In theory, a cross matrix of all regulations should provide a system
> that meets all regulations (and is probably unusable, but that's a
> different issue).
>
> Do we have actual conflicting guidance between regs?
At the policy level (NIST C/I/A levels, STIG, USGCB) things are generally the same, but there are certainly downrange conflicts as agencies decide to customize the STIG. "My snowflake is more unique than yours, so I'm making the passwords 2 characters longer! And retaining logs for 30 days more!"

Snideness (sp?) aside, this is really a use case for overwrite/drift files. People can take the STIG and drop in an overlay XML file that deselects or adjusts refine values -- essentially an easy way for end-users to have profile inheritance. Documentation can generously be described as poor on this capability though...

/me nudges Simon & Martin to provide some URLs (I don't know any, and I'm authoring this email from a plane so can't google)

There have also been ideas of having OpenSCAP take multiple --profile arguments. Would this be useful?
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
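The overlay/profile-inheritance idea in the reply above, worked through as an added example that is not code from the thread, from SCAP Security Guide or from OpenSCAP: an XCCDF 1.2 tailoring document whose Profile `extends` a base profile and carries `select` and `refine-value` overrides, resolved against the base to produce the effective profile plus a drift list of every change the overlay makes (the "my passwords are 2 characters longer" customizations an auditor would want to see). All rule, value and profile identifiers are constructed placeholders, and the `refine-value` selector is treated as the chosen value itself, a simplification of XCCDF's named-selector lookup.

```python
"""Resolve an XCCDF 1.2 tailoring overlay against a base profile and report drift.

Added example: identifiers below are constructed placeholders, not SSG content.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed base profile: which rules are selected and the active value of
# each tunable, as a benchmark profile would define them.
BASE_PROFILE = {
    "id": "xccdf_org.example_profile_baseline",
    "selected": {
        "xccdf_org.example_rule_password_minlen": True,
        "xccdf_org.example_rule_audit_retention": True,
        "xccdf_org.example_rule_banner": True,
        "xccdf_org.example_rule_fips_mode": False,
    },
    "values": {
        "xccdf_org.example_value_password_minlen": "14",
        "xccdf_org.example_value_audit_retention_days": "90",
    },
}

# Constructed tailoring document: an overlay profile that extends the base
# profile and overrides a few selections and refine-values.
TAILORING_XML = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_tailoring_agency">
  <xccdf:benchmark href="example-benchmark.xml"/>
  <xccdf:version time="2014-09-16T00:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.example_profile_agency"
                 extends="xccdf_org.example_profile_baseline">
    <xccdf:title>Agency overlay of the baseline</xccdf:title>
    <xccdf:select idref="xccdf_org.example_rule_banner" selected="false"/>
    <xccdf:select idref="xccdf_org.example_rule_fips_mode" selected="true"/>
    <xccdf:refine-value idref="xccdf_org.example_value_password_minlen" selector="16"/>
    <xccdf:refine-value idref="xccdf_org.example_value_audit_retention_days" selector="120"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def parse_tailoring(xml_text):
    """Return (profile_id, extends, selects, refine_values) from a Tailoring document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}Tailoring":
        raise ValueError("not an XCCDF 1.2 Tailoring document")
    profile = root.find("xccdf:Profile", NS)
    if profile is None:
        raise ValueError("tailoring contains no Profile")
    selects = {}
    for sel in profile.findall("xccdf:select", NS):
        selects[sel.get("idref")] = sel.get("selected", "true").lower() == "true"
    refines = {}
    for rv in profile.findall("xccdf:refine-value", NS):
        # Simplification (assumption): the selector is taken as the value itself.
        refines[rv.get("idref")] = rv.get("selector")
    return profile.get("id"), profile.get("extends"), selects, refines


def resolve(base, tailoring_xml):
    """Apply the overlay to the base profile with 'extends' semantics: the child's
    select/refine-value entries override the parent's. Returns the effective
    profile and a drift list of (identifier, base_value, overlay_value)."""
    pid, extends, selects, refines = parse_tailoring(tailoring_xml)
    if extends != base["id"]:
        raise ValueError(f"tailoring extends {extends!r}, not base {base['id']!r}")
    effective = {"id": pid, "selected": dict(base["selected"]), "values": dict(base["values"])}
    drift = []
    for rule, sel in selects.items():
        if rule not in effective["selected"]:
            raise ValueError(f"overlay references unknown rule: {rule}")
        if effective["selected"][rule] != sel:
            drift.append((rule, effective["selected"][rule], sel))
            effective["selected"][rule] = sel
    for value, chosen in refines.items():
        if value not in effective["values"]:
            raise ValueError(f"overlay references unknown value: {value}")
        if effective["values"][value] != chosen:
            drift.append((value, effective["values"][value], chosen))
            effective["values"][value] = chosen
    return effective, drift


if __name__ == "__main__":
    effective, drift = resolve(BASE_PROFILE, TAILORING_XML)
    print(f"effective profile: {effective['id']}")
    for ident, before, after in drift:
        print(f"  drift: {ident}: {before} -> {after}")
```

The drift list is the part worth keeping: it is exactly what a reviewer needs when a "downrange" overlay has quietly tightened or loosened the baseline. With a real benchmark the overlay is handed to the scanner rather than resolved by hand (`oscap xccdf eval --tailoring-file FILE --profile ID ...`), and the effective selections then come from OpenSCAP's own resolution of `extends`.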