On Thursday, October 20, 2016 3:56:41 PM EDT Martin Preisler wrote:
----- Original Message -----
From: "Shawn Wells" shawn@redhat.com
To: scap-security-guide@lists.fedorahosted.org
Sent: Thursday, October 20, 2016 2:45:39 PM
Subject: Re: VMs, containers vs. bare-metal machines in SSG
[snip]
Really like the idea of CPEs. We can always work with NIST to get extra CPEs added.... but wouldn't that mean creation of redhat:docker, redhat:openshift, Docker:docker, pivotal:cloudfoundry, etc?
I'd like for SSG to be agnostic of the tech so I would go for CPE ID for container-image and that will be applicable when scanning docker images, rkt images, plain LXC images, etc... Same with vm-image, applicable on all offline virtual machine scanning, regardless of what is powering the VM or how it's stored.
Also at some point we will have to address SWID. Maybe that could be woven into everything? Containers should have their own SWID tag describing what's in them. There are NIST guidelines about CPE/SWID mappings.
-Steve