Re: [Open-scap] Help needed - to Quantify severity levels
Yes, this is the one that I was thinking of. I agree that going further than that would make things too confusing.

The nice thing about this is that it provides standard language that could result in a Q&A segment that allows users to be prompted for the threat level based on likelihood.

At some point, we're going to have to come up with some level of combinatorics to make this more reasonable. As a quick couple of examples:

- PAM is configured to allow remote root logins on a non-Internet-facing system: Indeterminate
- PAM is configured to allow remote root logins AND SSH is configured to allow root logins with a password: Moderate
- PAM is configured to allow remote root logins AND SSH is configured to allow root logins with a blank password: Very High

If the system is Internet/untrusted-network facing, these would need to be adjusted.

Trevor

On Tue, Jun 18, 2019 at 9:21 PM Shawn Wells wrote:
>
> On 6/18/19 3:45 PM, Trevor Vaughan wrote:
> > At some point, these should probably be changed to correlate with the
> > Vulnerability Severity Assessment Scale as outlined in the NIST 800-30
> > since it is well defined, a public standard at no cost, and 0-100
> > which lines up with most people's internal "gut feeling".
>
> Sounds reasonable. Looks like "TABLE D-6: ASSESSMENT SCALE – RANGE OF
> EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES" seems most applicable [0].
> Is that what you were thinking?
>
> Worried the broader 800-30 requires advanced multidimensional
> calculus. Yes, it could result in better ratings than the DISA scale,
> but if it's too hard to use... nobody will use it.
>
> [0] Page 68 @
> https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
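The compound rating Trevor sketches above (a PAM remote-root finding alone is Indeterminate, with an SSH root-password finding it becomes Moderate, with an SSH blank-password finding it becomes Very High, and an Internet-facing host shifts the result), together with the SSG-label-to-DISA-category mapping Shawn gives further down the thread, as an added example in Python. This is not code from the thread or from the SSG/OpenSCAP project. The rule IDs, the sample TestResult XML and the one-step escalation for Internet-facing hosts are constructed for illustration; the thread only says the ratings "would need to be adjusted", and the IDs are stand-ins, not real SSG rule identifiers.

```python
"""Added example: map failed XCCDF rule results to DISA categories and apply a
compound host rating. Not code from the open-scap list thread or from SSG.

Assumptions (labelled below): hypothetical rule IDs, a constructed sample
TestResult, and a one-step escalation for Internet-facing hosts.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Thread's mapping of SSG severity labels to DISA Vulnerability Severity
# Category Codes; anything else (e.g. "unknown") is treated as Indeterminate.
SSG_TO_DISA = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Qualitative ladder for the compound rating, least to most severe.
# "Indeterminate" sits outside the ladder and cannot be raised by escalation.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Hypothetical rule IDs standing in for the checks Trevor names (assumption).
PAM_REMOTE_ROOT = "rule_pam_remote_root"
SSHD_ROOT_PASSWORD = "rule_sshd_root_password"
SSHD_EMPTY_PASSWORD = "rule_sshd_empty_password"

# Compound rules from Trevor's three examples, most specific first:
# (set of failed rule IDs required, rating for a non-Internet-facing host).
COMPOUND_RULES = [
    ({PAM_REMOTE_ROOT, SSHD_EMPTY_PASSWORD}, "Very High"),
    ({PAM_REMOTE_ROOT, SSHD_ROOT_PASSWORD}, "Moderate"),
    ({PAM_REMOTE_ROOT}, "Indeterminate"),
]

# Constructed sample in the shape of an XCCDF 1.2 TestResult; not a real scan.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_1">
  <rule-result idref="rule_pam_remote_root" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="rule_sshd_root_password" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="rule_sshd_empty_password" severity="high"><result>fail</result></rule-result>
  <rule-result idref="rule_aide_installed" severity="low"><result>pass</result></rule-result>
</TestResult>
"""


def failed_rules(xml_text):
    """Return {rule id: severity label} for every rule-result whose result is 'fail'."""
    root = ET.fromstring(xml_text)
    failed = {}
    for rr in root.findall("xccdf:rule-result", XCCDF_NS):
        if rr.findtext("xccdf:result", namespaces=XCCDF_NS) == "fail":
            failed[rr.get("idref")] = rr.get("severity", "unknown")
    return failed


def disa_category(severity):
    """Map an SSG severity label to its DISA category; unmapped labels are Indeterminate."""
    return SSG_TO_DISA.get(severity, "Indeterminate")


def escalate(rating, steps=1):
    """Raise a ladder rating by `steps`, capped at Very High; Indeterminate is unchanged."""
    if rating not in LEVELS:
        return rating
    return LEVELS[min(len(LEVELS) - 1, LEVELS.index(rating) + steps)]


def rank(rating):
    """Ladder position used to pick the most severe applicable rating (-1 = Indeterminate)."""
    return LEVELS.index(rating) if rating in LEVELS else -1


def host_rating(failed_ids, internet_facing=False):
    """Most severe compound rating whose preconditions are all present in failed_ids.

    Returns None when no compound rule applies. The Internet-facing adjustment
    (one step up the ladder) is this example's assumption, not the thread's.
    """
    best = None
    for required, rating in COMPOUND_RULES:
        if required <= failed_ids:
            if internet_facing:
                rating = escalate(rating)
            if best is None or rank(rating) > rank(best):
                best = rating
    return best


def summarize(xml_text, internet_facing=False):
    """Per-rule DISA categories plus the compound host rating for one TestResult."""
    failed = failed_rules(xml_text)
    per_rule = {rid: disa_category(sev) for rid, sev in failed.items()}
    return per_rule, host_rating(set(failed), internet_facing)


if __name__ == "__main__":
    per_rule, rating = summarize(SAMPLE_RESULTS)
    for rid, cat in per_rule.items():
        print(f"{rid:28s} {cat}")
    print("host rating (non-Internet-facing):", rating)
    print("host rating (Internet-facing):    ", summarize(SAMPLE_RESULTS, True)[1])
```

The per-rule DISA mapping is the lookup the thread already describes; the point of the compound rules is that two CAT II findings together can justify a rating the individual labels never would, and that the combination, not the label, is what the exposure adjustment acts on. Note that `rule-result` carries the severity only when the result document includes it; in many real results the severity lives on the `Rule` in the benchmark and has to be joined in.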
Re: [Open-scap] Help needed - to Quantify severity levels
On 6/18/19 3:45 PM, Trevor Vaughan wrote:
> At some point, these should probably be changed to correlate with the
> Vulnerability Severity Assessment Scale as outlined in the NIST 800-30
> since it is well defined, a public standard at no cost, and 0-100
> which lines up with most people's internal "gut feeling".

Sounds reasonable. Looks like "TABLE D-6: ASSESSMENT SCALE – RANGE OF EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES" seems most applicable [0]. Is that what you were thinking?

Worried the broader 800-30 requires advanced multidimensional calculus. Yes, it could result in better ratings than the DISA scale, but if it's too hard to use... nobody will use it.

[0] Page 68 @ https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Re: [Open-scap] Help needed - to Quantify severity levels
On 6/7/19 5:02 AM, harshad wadkar wrote:
> Respected Madam / Sir,
>
> I am referring to the following URL to learn about open-scap and Ubuntu secure configuration:
> https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html
>
> I have one query:
>
> 1. At present, the severities are labelled as unknown, low, medium and high.
>
> a) Is there any mechanism or logic which will quantify these severity levels? e.g. low: 0 to < 3, medium: 3 to < 6 and high: 6 to 9 (as given in the OWASP Risk Rating Methodology, https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodolog)
>
> b) If yes, requesting you to share the information / document / URL with me.
>
> Your guidance is vital to me - waiting for the reply.

They correlate to the DISA Vulnerability Severity Category Code Definitions:

CAT I (HIGH): Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.

CAT II (MEDIUM): Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.

CAT III (LOW): Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

Historically we used the DISA ratings because much of the original community was from Government work (United States, then international) and the language was fairly standardized.
[Open-scap] Help needed - to Quantify severity levels
Respected Madam / Sir,

I am referring to the following URL to learn about open-scap and Ubuntu secure configuration:
https://static.open-scap.org/ssg-guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html

I have one query:

1. At present, the severities are labelled as unknown, low, medium and high.

a) Is there any mechanism or logic which will quantify these severity levels? e.g. low: 0 to < 3, medium: 3 to < 6 and high: 6 to 9 (as given in the OWASP Risk Rating Methodology, https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodolog)

b) If yes, requesting you to share the information / document / URL with me.

Your guidance is vital to me - waiting for the reply.

Thanks & Regards
Harshad