Dear Red Hat / OpenSCAP team:
Today, 26 Sep 2016, I had the opportunity to run OpenSCAP on RHEL 7 for the first time, and I am very pleased.
Installing OpenSCAP and the SCAP Workbench was very straightforward with the yum install command.
- The content that came with the package was easy to run. I used the Workbench to run the XCCDF content, created an XML report and looked at the report in another browser.
- It was very nice to see a good use of the CCE specification. The first question coming to mind is, do you maintain a CCE dictionary that you can make available? A second question is, if a user wants to identify a configurable parameter and no CCE is available, can the user (very likely a developer) request a CCE number?
- Analyzing the output XML reveals that the findings are mapped to the security controls of SP 800-53 Rev 4. What a nice feature!
- One of the videos on your site (https://www.open-scap.org/security-policies/scap-security-guide/#documentation) indicates that you are engaging a remediation mechanism and not just discovering vulnerabilities. Are you using a remediation protocol or specification in particular?
- The output XML shows a very nice use of the CPE specification.
- The use of XCCDF is also very good. Can you please point me to a Red Hat XCCDF repository? Are you planning your content in the National Vulnerabilities Database?
- I am interested in running a vulnerability scan (I would like to see how OpenSCAP uses CVEs and CVSS).
- I did not see any indication of using the Asset Identification (AI) specification.
- I did not see any indication of using the Asset Reporting Format (ARF) specification.
- I did not see any indication of using the Common Configuration Scoring System (CCSS) specification.
- I did not see any indication of using the TMSAD specification.
- I did not see any indication of using the Open Checklist Interactive Language (OCIL) specification. I am interested in your use of this specification because many security functions are not “automatable” (cannot be checked with security automation tools).
- Are you planning to implement the Software Identification (SWID) specification of SCAP 1.3?
_______________________________________________ Open-scap-list mailing list Open-scap-list@redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list
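The post above notes that the XCCDF result XML carries CCE identifiers and SP 800-53 Rev 4 references per rule, and asks about rules that are not automatable. The script below is an added example (not code from the poster or from the OpenSCAP project) that reads an XCCDF 1.2 result document of the kind `oscap xccdf eval --results` writes, joins each rule-result back to its Rule's CCE and 800-53 references, and reports failed rules grouped by control plus the rules that were left `notchecked` (the ones a manual/OCIL questionnaire would have to cover). The embedded document is constructed for the example: the rule ids, the `CCE-00000-*` numbers and the hostname are placeholders, and the `ident`/`reference` system and href URLs are assumed to match what the SCAP Security Guide emits. Rules are located with `iter()` so the code also works when rules are nested inside `Group` elements, which the constructed sample does not show.

```python
"""Summarise an XCCDF 1.2 result file by CCE identifier and SP 800-53 control.

Added example, not from the mailing-list post or the OpenSCAP project.
Assumes a result document that embeds the Benchmark (Rules with ident and
reference children) together with the TestResult, as oscap writes with
--results. The SAMPLE_RESULTS document below is constructed; CCE numbers,
rule ids and hostname are placeholders.
"""
from collections import Counter
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
RULE_TAG = "{%s}Rule" % XCCDF_NS["x"]
RULE_RESULT_TAG = "{%s}rule-result" % XCCDF_NS["x"]
# Assumed system/href values, as used by SCAP Security Guide content.
CCE_SYSTEM = "https://nvd.nist.gov/cce/index.cfm"
SP80053_HREF = "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"

# Constructed sample: two automated rules, one manual rule, one scan result.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_sshd_disable_root_login" severity="medium">
    <title>Disable SSH root login</title>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-1</ident>
    <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference>
    <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</reference>
  </Rule>
  <Rule id="xccdf_example_rule_no_empty_passwords" severity="high">
    <title>Prevent login to accounts with empty passwords</title>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-2</ident>
    <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5</reference>
  </Rule>
  <Rule id="xccdf_example_rule_manual_review" severity="low">
    <title>Audit logs are reviewed by staff (not automatable)</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <target>host.example.test</target>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_no_empty_passwords"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_manual_review"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def index_rules(root):
    """Map every Rule id (at any Group depth) to its title, severity, CCEs and 800-53 controls."""
    rules = {}
    for rule in root.iter(RULE_TAG):
        cces = [i.text for i in rule.findall("x:ident", XCCDF_NS) if i.get("system") == CCE_SYSTEM]
        controls = [r.text for r in rule.findall("x:reference", XCCDF_NS) if r.get("href") == SP80053_HREF]
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", default="", namespaces=XCCDF_NS),
            "severity": rule.get("severity", "unknown"),
            "cce": cces,
            "controls": controls,
        }
    return rules


def summarize(xml_text):
    """Join rule-results to rule metadata; return failures, failed controls, unchecked rules and counts."""
    root = ET.fromstring(xml_text)
    rules = index_rules(root)
    counts = Counter()
    failures, not_automated, failed_controls = [], [], set()
    for rr in root.iter(RULE_RESULT_TAG):
        rule_id = rr.get("idref")
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[result] += 1
        meta = rules.get(rule_id, {"title": "", "severity": "unknown", "cce": [], "controls": []})
        if result == "fail":
            failures.append({"rule": rule_id, **meta})
            failed_controls.update(meta["controls"])
        elif result == "notchecked":
            # No automated check exists: this is where OCIL/manual evidence is needed.
            not_automated.append(rule_id)
    return {
        "failures": failures,
        "failed_controls": sorted(failed_controls),
        "not_automated": not_automated,
        "counts": dict(counts),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS)
    print("counts:", report["counts"])
    for f in report["failures"]:
        print("FAIL %-8s %s  CCE=%s  800-53=%s" % (f["severity"], f["rule"], ",".join(f["cce"]), ",".join(f["controls"])))
    print("controls with at least one failing rule:", report["failed_controls"])
    print("rules needing manual evidence:", report["not_automated"])
```

To run it against a real scan, replace `SAMPLE_RESULTS` with the contents of the file written by `oscap xccdf eval --results results.xml ...`; an ARF file wraps the same Benchmark and TestResult inside an asset-report-collection, and since the lookup uses `iter()` from the document root the same functions apply after parsing the ARF root instead.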