As opposed to writing one XCCDF, why not write one XCCDF per point of interest (inside the
container of interest, inside the OS but outside the container of interest, ...) - until
upstream standards address Origin, Point (in SpaceTime), Frame of Reference, ... for a
cyber-physical assembly?
-----Original Message-----
From: Martin Preisler [mailto:mpreisle@redhat.com]
Sent: Thursday, October 20, 2016 3:57 PM
To: SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
Subject: Re: VMs, containers vs. bare-metal machines in SSG
----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Thursday, October 20, 2016 2:45:39 PM
Subject: Re: VMs, containers vs. bare-metal machines in SSG
[snip]
Really like the idea of CPEs. We can always work with NIST to get
extra CPEs added.... but wouldn't that mean creation of redhat:docker,
redhat:openshift, Docker:docker, pivotal:cloudfoundry, etc?
I'd like for SSG to be agnostic of the tech so I would go for CPE ID for
container-image and that will be applicable when scanning docker images, rkt images, plain
LXC images, etc... Same with vm-image, applicable on all offline virtual machine scanning,
regardless of what is powering the VM or how it's stored.
--
Martin Preisler
Identity Management and Platform Security | Red Hat, Inc.
_______________________________________________
scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org