Hello. I'm brand-new to compliance because my boss wants to run compliance
on our servers. I have some questions please. I am running an OpenScap on
my CentOS 7 Linux servers, but my boss wants to get compliance against NIST
800-53 initially.
I run from OpenScap Workbench, 'US Govt Config Baseline (USGCB/STIG) -
Draft Unclassified in Non-Federal Organization(800-171)'. But when I get
the results and give them to my colleague, he says the results are only a
subset of the 800-53. So I'm not really sure what to use to ensure our
system is compliant against the full NIST 800-53..
And I don't know if I should run the compliance check from the OpenScap
Workbench and SSH to the servers or if I should run 'oscap' from the
commandline and SCP back all the output files.
And, I'm not sure if the CentOS7 or the RHEL7 variants of the scan are
really the same.
and also, when I open an .HTML formatted output file from OpenScap
Workbench, there is a 'grouping' where i can choose 800-53, but how do I
know the percentage of the listed 800-53 controls against all 800-53
controls? And which type of scan do I want to use for a full 800-53
compliance check? (Or, at least, as full as can be scanned ..)
I appreciate all constructive assistance!
-dave