There are still many questions around using SCAP, such as the SCAP for CVE scanning thread a few days ago.
To begin documenting FAQs -- both for the OpenSCAP/SSG pages, and formal Red Hat documentation -- I've started to document common questions here:
https://github.com/OpenSCAP/scap-security-guide/wiki/What-should-go-into-an-...
What other topics/questions should be covered? Feel free to edit the wiki directly or reply to the list! This feedback will be driven into our wikis/manuals, and formal docs off redhat.com.
Don't limit to use SSG.... broader questions on how to store SCAP data, using OpenSCAP, how policy is developed all make sense!
On Wed, Mar 25, 2015 at 11:04 AM, Shawn Wells shawn@redhat.com wrote:
There are still many questions around using SCAP, such as the SCAP for CVE scanning thread a few days ago.
To begin documenting FAQs -- both for the OpenSCAP/SSG pages, and formal Red Hat documentation -- I've started to document common questions here:
https://github.com/OpenSCAP/scap-security-guide/wiki/What-should-go-into-an-...
What other topics/questions should be covered? Feel free to edit the wiki directly or reply to the list! This feedback will be driven into our wikis/manuals, and formal docs off redhat.com.
Don't limit to use SSG.... broader questions on how to store SCAP data, using OpenSCAP, how policy is developed all make sense! --
Okay, cool. My new joy is learning more about all this so I'll look for the "I'm an idiot, what the heck is all this?" question. ;)
Leam
On Wed, Mar 25, 2015 at 11:04 AM, Shawn Wells shawn@redhat.com wrote:
What other topics/questions should be covered? Feel free to edit the wiki directly or reply to the list! This feedback will be driven into our wikis/manuals, and formal docs off redhat.com.
Why are the Vulnerability IDs different for the issue across different STIGs? - Blame DISA
Where are the STIGs located? - iase.disa.mil
Is there a tool that correlates STIG Vuln IDs to CCE numbers, Nessus plugins, or XYZ? - Dunno.
To answer questions 4 and 5, right now I'd say "The STIG is a basis for measurement. The SCAP content contains some STIG material as well as community best practice."
Leam
Not sure these are FAQ's, more HOWTO's but I'll take a stab at it.
How do I install SCAP How do I use SCAP to remediate conditions How do I edit or create my own SCAP Policy Where can I find other SCAP profiles? [different public sources of xccdf scap profiles] Is there a way to detect exposure to a cve [CVE-2014-7169]? What tooling is available for scap [SCAP Workbench, ..., ...]?
On 26/03/15 04:04, Shawn Wells wrote:
There are still many questions around using SCAP, such as the SCAP for CVE scanning thread a few days ago.
To begin documenting FAQs -- both for the OpenSCAP/SSG pages, and formal Red Hat documentation -- I've started to document common questions here:
https://github.com/OpenSCAP/scap-security-guide/wiki/What-should-go-into-an-...
What other topics/questions should be covered? Feel free to edit the wiki directly or reply to the list! This feedback will be driven into our wikis/manuals, and formal docs off redhat.com.
Don't limit to use SSG.... broader questions on how to store SCAP data, using OpenSCAP, how policy is developed all make sense!
scap-security-guide@lists.fedorahosted.org
-
leam hall -
Shawn Wells -
Tim Moor