On 9/16/14, 3:06 PM, Trevor Vaughan wrote:
"Not to mention no single SCAP benchmark can encompass all of the
minimum required controls from the different control families"
I'm not so sure about this one. Or rather, I'm wondering if a single
SCAP benchmark can encompass the *maximum* required controls from the
different control families.
In theory, a cross matrix of all regulations should provide a system
that meets all regulations (and is probably unusable, but that's a
different issue).
Do we have actual conflicting guidance between regs?
At the policy level (NIST C/I/A levels, STIG, USGCB) things are
generally the same, but there are certainly downrange conflicts as
agencies decide to customize the STIG. "My snowflake is more unique than
yours, so I'm making the passwords 2 characters longer! And retaining
logs for 30 days more!"
Snideness (sp?) aside, this is really a use case for overwrite/drift
files. People can take the STIG and drop in an overlay XML file that
deselects or adjusts refine values -- essentially an easy way for
end-users to have profile inheritance. Documentation can generously be
described as poor on this capability though...
/me nudges Simon & Martin to provide some URLs (I don't know any, and
authoring this email from a plane so can't google)
There have also been ideas of having OpenSCAP take multiple --profile
arguments. Would this be useful?
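The overlay mechanism described above (a profile in a separate XCCDF 1.2 Tailoring document that extends a benchmark profile, deselects rules and refines values) is shown below as an added, stand-alone example; it is not code from this thread, from OpenSCAP or from any STIG content. The benchmark and tailoring documents are constructed samples with hypothetical `xccdf_org.example_*` ids, and the resolver only handles `select`, `refine-value` and `set-value`, which is enough to show how the "agency snowflake" profile inherits the base profile and where it drifts from it.

```python
"""Resolve the effective rule selection and tunable values of an XCCDF
profile after an overlay (tailoring) profile is layered over it.

Added example for the mailing-list thread; not OpenSCAP, SSG or STIG code.
Both XML documents are constructed samples with hypothetical ids."""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed base benchmark: three rules, two tunable values, one profile.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
  id="xccdf_org.example_benchmark_os">
  <Value id="xccdf_org.example_value_password_minlen" type="number">
    <value>8</value>
    <value selector="stig">15</value>
    <value selector="snowflake">17</value>
  </Value>
  <Value id="xccdf_org.example_value_log_retention_days" type="number">
    <value>90</value>
  </Value>
  <Profile id="xccdf_org.example_profile_stig">
    <select idref="xccdf_org.example_rule_password_minlen" selected="true"/>
    <select idref="xccdf_org.example_rule_no_root_ssh" selected="true"/>
    <refine-value idref="xccdf_org.example_value_password_minlen" selector="stig"/>
  </Profile>
  <Rule id="xccdf_org.example_rule_password_minlen" selected="false"/>
  <Rule id="xccdf_org.example_rule_no_root_ssh" selected="false"/>
  <Rule id="xccdf_org.example_rule_fips_mode" selected="false"/>
</Benchmark>"""

# Constructed overlay: an agency profile that inherits the STIG profile,
# drops one rule, enables another, and tightens two values.
TAILORING_XML = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2"
  id="xccdf_org.example_tailoring_agency">
  <benchmark href="os-benchmark.xml"/>
  <version time="2014-09-16T00:00:00">1</version>
  <Profile id="xccdf_org.example_profile_agency"
           extends="xccdf_org.example_profile_stig">
    <select idref="xccdf_org.example_rule_no_root_ssh" selected="false"/>
    <select idref="xccdf_org.example_rule_fips_mode" selected="true"/>
    <refine-value idref="xccdf_org.example_value_password_minlen" selector="snowflake"/>
    <set-value idref="xccdf_org.example_value_log_retention_days">120</set-value>
  </Profile>
</Tailoring>"""


def _profiles(*docs):
    """Index every <Profile> found in the given documents by its id."""
    out = {}
    for doc in docs:
        for p in doc.findall(".//x:Profile", NS):
            out[p.get("id")] = p
    return out


def _chain(profiles, profile_id):
    """Follow @extends upward and return the chain with the base profile first."""
    chain, seen = [], set()
    while profile_id:
        if profile_id in seen:
            raise ValueError("cyclic extends at %s" % profile_id)
        seen.add(profile_id)
        prof = profiles[profile_id]
        chain.append(prof)
        profile_id = prof.get("extends")
    return list(reversed(chain))


def resolve_profile(benchmark_xml, tailoring_xml, profile_id):
    """Return {'selected': [rule ids], 'values': {value id: effective value}}."""
    bench = ET.fromstring(benchmark_xml)
    tail = ET.fromstring(tailoring_xml)
    profiles = _profiles(bench, tail)
    # Start from each Rule's own default; XCCDF treats a missing @selected as true.
    selected = {r.get("id"): r.get("selected", "true") == "true"
                for r in bench.findall(".//x:Rule", NS)}
    selectors = {}   # value id -> selector chosen by refine-value
    overrides = {}   # value id -> literal from set-value (wins over refine-value)
    for prof in _chain(profiles, profile_id):   # base first, overlay last
        for s in prof.findall("x:select", NS):
            selected[s.get("idref")] = s.get("selected", "true") == "true"
        for rv in prof.findall("x:refine-value", NS):
            selectors[rv.get("idref")] = rv.get("selector")
        for sv in prof.findall("x:set-value", NS):
            overrides[sv.get("idref")] = sv.text.strip()
    values = {}
    for v in bench.findall(".//x:Value", NS):
        vid = v.get("id")
        if vid in overrides:
            values[vid] = overrides[vid]
            continue
        vals = v.findall("x:value", NS)
        # The default is the <value> without a selector (else the first one).
        default = next((x.text for x in vals if x.get("selector") is None), vals[0].text)
        wanted = selectors.get(vid)
        match = next((x.text for x in vals if wanted and x.get("selector") == wanted), None)
        values[vid] = (match if match is not None else default).strip()
    return {"selected": sorted(k for k, on in selected.items() if on), "values": values}


if __name__ == "__main__":
    for pid in ("xccdf_org.example_profile_stig", "xccdf_org.example_profile_agency"):
        print(pid, resolve_profile(BENCHMARK_XML, TAILORING_XML, pid))
```

Running it prints the base profile and the agency overlay side by side, so the drift (one rule dropped, one added, a longer password minimum, 30 more days of log retention) is visible without reading either XML file; the same diff is what a reviewer would want before accepting a customized STIG as "equivalent" to the published one.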