Hello,
I noticed that the majority of the rule definitions now have NIST 800-53 identifiers or an empty set of quotes where an identifier will be added. Is there a way to get the already-added identifiers to show-up on the .html scan results? At the moment all I can see is the CCE number.
Thanks,
Luke K
On 3/11/14, 6:15 PM, Kordell, Luke T wrote:
Hello,
I noticed that the majority of the rule definitions now have NIST 800-53 identifiers or an empty set of quotes where an identifier will be added. Is there a way to get the already-added identifiers to show-up on the .html scan results? At the moment all I can see is the CCE number.
Thanks,
Luke K
(cross posting to open-scap-list since this is of interest to both communities, and the OpenSCAP guys are in the position to affect change)
This comes up frequently. From a content perspective the NIST 800-53 (+STIG) identifiers are handled in the <ref> tags. It's a matter of having the tool (e.g. OpenSCAP) place them into the results file. I recall a thread about this, however couldn't easily find it.
So, for the OpenSCAP guys: within SSG we utilize the <ref> tag to map additional policy regimes to XCCDF rules. Is there a way to get this information exposed within result files?
On 03/11/2014 09:45 PM, Shawn Wells wrote:
On 3/11/14, 6:15 PM, Kordell, Luke T wrote:
Hello,
I noticed that the majority of the rule definitions now have
NIST 800-53 identifiers or an empty set of quotes where an identifier will be added. Is there a way to get the already-added identifiers to show-up on the .html scan results? At the moment all I can see is the CCE number.
Thanks,
Luke K
(cross posting to open-scap-list since this is of interest to both communities, and the OpenSCAP guys are in the position to affect change)
This comes up frequently. From a content perspective the NIST 800-53 (+STIG) identifiers are handled in the <ref> tags. It's a matter of having the tool (e.g. OpenSCAP) place them into the results file. I recall a thread about this, however couldn't easily find it.
So, for the OpenSCAP guys: within SSG we utilize the <ref> tag to map additional policy regimes to XCCDF rules. Is there a way to get this information exposed within result files? _______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Hi Shawn - sending the same piece of code I sent previously to get the NIST 800-53 into the results html. Forgive the crazy json serialization (It works, I had more json experience at the time than XML).
On 03/12/2014 02:45 AM, Shawn Wells wrote:
On 3/11/14, 6:15 PM, Kordell, Luke T wrote:
Hello,
I noticed that the majority of the rule definitions now have
NIST 800-53 identifiers or an empty set of quotes where an identifier will be added. Is there a way to get the already-added identifiers to show-up on the .html scan results? At the moment all I can see is the CCE number.
Thanks,
Luke K
(cross posting to open-scap-list since this is of interest to both communities, and the OpenSCAP guys are in the position to affect change)
This comes up frequently. From a content perspective the NIST 800-53 (+STIG) identifiers are handled in the <ref> tags. It's a matter of having the tool (e.g. OpenSCAP) place them into the results file. I recall a thread about this, however couldn't easily find it.
So, for the OpenSCAP guys: within SSG we utilize the <ref> tag to map additional policy regimes to XCCDF rules. Is there a way to get this information exposed within result files?
Hello,
We can add these identifiers to the HTML report. How should it look like?
For example Rule named "umask_for_daemons" contains reference to AC-6. The output now looks:
""" Security identifiers * CCE-27031-4 """
Once we include 800-53 references it could look like:
""" Security identifiers * Security Control ID (NIST SP 800-53): AC-6 * CCE-27031-4 """
Does that look reasonable to you? Do you have better suggestions?
Thanks!
On 3/12/14, 10:16 AM, Simon Lukasik wrote:
On 03/12/2014 02:45 AM, Shawn Wells wrote:
On 3/11/14, 6:15 PM, Kordell, Luke T wrote:
Hello,
I noticed that the majority of the rule definitions now have
NIST 800-53 identifiers or an empty set of quotes where an identifier will be added. Is there a way to get the already-added identifiers to show-up on the .html scan results? At the moment all I can see is the CCE number.
Thanks,
Luke K
(cross posting to open-scap-list since this is of interest to both communities, and the OpenSCAP guys are in the position to affect change)
This comes up frequently. From a content perspective the NIST 800-53 (+STIG) identifiers are handled in the <ref> tags. It's a matter of having the tool (e.g. OpenSCAP) place them into the results file. I recall a thread about this, however couldn't easily find it.
So, for the OpenSCAP guys: within SSG we utilize the <ref> tag to map additional policy regimes to XCCDF rules. Is there a way to get this information exposed within result files?
Hello,
We can add these identifiers to the HTML report. How should it look like?
For example Rule named "umask_for_daemons" contains reference to AC-6. The output now looks:
""" Security identifiers * CCE-27031-4 """
Once we include 800-53 references it could look like:
""" Security identifiers * Security Control ID (NIST SP 800-53): AC-6 * CCE-27031-4 """
Does that look reasonable to you? Do you have better suggestions?
Would it be possible to separate "Security identifiers" from "Security mappings"?
Identifiers such as CCEs are unique one-to-one mappings against the XCCDF rule, whereas "security mappings" provide a many-to-one relationship and really aren't meant to uniquely identify the XCCDF rule. e.g.:
Security Identifiers * CCE-27031-4
Security Mappings * NIST 800-53 AC-6 * DISA CCI 12345
It's completely acceptable if this isn't an option! Having this information in the report would be incredibly useful.
I am revisiting old e-mail thread, just to connect the dots.
I believe that this request has been recently implemented by Martin in https://git.fedorahosted.org/cgit/openscap.git/commit/?id=d91cd1ce997bf0fd08...
Thanks Martin!
On 03/12/2014 02:45 AM, Shawn Wells wrote:
On 3/11/14, 6:15 PM, Kordell, Luke T wrote:
Hello,
I noticed that the majority of the rule definitions now have
NIST 800-53 identifiers or an empty set of quotes where an identifier will be added. Is there a way to get the already-added identifiers to show-up on the .html scan results? At the moment all I can see is the CCE number.
Thanks,
Luke K
(cross posting to open-scap-list since this is of interest to both communities, and the OpenSCAP guys are in the position to affect change)
This comes up frequently. From a content perspective the NIST 800-53 (+STIG) identifiers are handled in the <ref> tags. It's a matter of having the tool (e.g. OpenSCAP) place them into the results file. I recall a thread about this, however couldn't easily find it.
So, for the OpenSCAP guys: within SSG we utilize the <ref> tag to map additional policy regimes to XCCDF rules. Is there a way to get this information exposed within result files?
On Aug 30, 2014 6:40 AM, "Simon Lukasik" slukasik@redhat.com wrote:
I am revisiting old e-mail thread, just to connect the dots.
I believe that this request has been recently implemented by Martin in
https://git.fedorahosted.org/cgit/openscap.git/commit/?id=d91cd1ce997bf0fd08...
Thanks Martin!
Indeed! Now, I want a transposed report indexed by 800-53 reference that lists the related tests and results. For extra credit, list the unevaluated and fulfilled by design references too... ;)
scap-security-guide@lists.fedorahosted.org