On 02/20/2013 07:01 PM, Jeffrey Blank wrote:
> 2) …I also fear that this
> will divert effort away from QA on the OVAL content, which is the
> checking system used in baselines (and against which your systems would
> be "officially" scanned in most compliance regimes, including DoD's).
> …
> I'm just saying that this project still has high-quality OVAL content as
> a goal. And the point of formatting the script actions into <fix> tags
> is that they'd only be activated in case of check failure anyway.
> (Right?)

There is a problem if the remedy is not consonant with the assessment.

Usable OVAL content is useful at this point in time, since supposedly-SCAP-compliant tools should be able to ingest and use it. There are no current SCAP-compliant alternatives — a pity. (Good non-SCAP-compliant alternatives can certainly be postulated or implemented, but that is a separate discussion.)

Many (not all) assessments can be done using OVAL. That is immediately useful. "Actions", namely proposed system perturbations, are separate from assessments (certainly related, but evaluation does not entail perturbation). I think that high-quality *assessment* content is immediately useful and will always remain so. When one adds correction, discussion ensues.

> For example, I cannot really imagine Puppet modules or Ansible playbooks
> or Chef recipes living in scap-security-guide. Ensuring that providers
> of such *very valuable* resources (which allow administrators to
> actually, uh, manage their systems instead of just do C&A and deploy
> them) can interoperate is worthwhile.

Why not? These are just alternative representations. They need not be normative, just serviceable. They need not be in the same code base. I do not understand why such recipes could not exist in, or be related to, the guide as corrective actions related to relevant assessments.

I think a reasonable goal state is "system security posture can be assessed" augmented by "system security posture can be automated". And, on both, assured. I am willing to consider alterations or alternatives to SCAP, as it has some shortcomings with respect to both goals.

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

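The exchange above turns on how an XCCDF `<fix>` relates to its rule's `<check>`: a remediation pass only activates a fix for a rule whose check evaluated to "fail", and a rule whose check cannot be resolved to an OVAL result is "notchecked", so its fix is never run. The following Python script is an added illustration of that selection logic, not code from the scap-security-guide project or from either correspondent. The benchmark fragment, rule ids, OVAL definition ids and OVAL results are all constructed for the example; the XCCDF 1.2 namespace, the `check`/`check-content-ref`/`fix` elements and the `urn:xccdf:fix:script:sh` fix system are real XCCDF constructs.

```python
"""Added example: decide which XCCDF <fix> elements a remediation pass would
activate, given OVAL results. Constructed data throughout; not project code."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed XCCDF 1.2 fragment. Rule ids and oval:example:def:* ids are invented.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_sshd_root_login" selected="true">
    <title>PermitRootLogin must be no (constructed)</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:1"/>
    </check>
    <fix system="urn:xccdf:fix:script:sh">sed -i 's/^PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config</fix>
  </Rule>
  <Rule id="xccdf_example_rule_shadow_perms" selected="true">
    <title>/etc/shadow mode must be 0000 (constructed)</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:2"/>
    </check>
    <fix system="urn:xccdf:fix:script:sh">chmod 0000 /etc/shadow</fix>
  </Rule>
  <Rule id="xccdf_example_rule_fix_without_oval" selected="true">
    <title>Fix present but its OVAL definition is missing (constructed)</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:99"/>
    </check>
    <fix system="urn:xccdf:fix:script:sh">echo 'would change an unverified setting'</fix>
  </Rule>
  <Rule id="xccdf_example_rule_not_selected" selected="false">
    <title>Deselected by the profile (constructed)</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:example:def:2"/>
    </check>
    <fix system="urn:xccdf:fix:script:sh">echo 'never reached'</fix>
  </Rule>
</Benchmark>
"""

# Constructed OVAL results as a consumer would read them from an OVAL results
# file: definition id -> True (compliant) / False (non-compliant). def:99 is
# deliberately absent, so the rule that references it cannot be evaluated.
OVAL_RESULTS = {"oval:example:def:1": False, "oval:example:def:2": True}


def evaluate_rules(benchmark_xml, oval_results):
    """Return {rule_id: {"result": ..., "fix": script or None, "apply_fix": bool}}.

    XCCDF semantics modelled here: a deselected rule is "notselected"; a rule
    whose check cannot be resolved is "notchecked"; otherwise the OVAL result
    maps to "pass"/"fail". Only a "fail" result with a fix present selects
    that fix for application."""
    root = ET.fromstring(benchmark_xml)
    report = {}
    for rule in root.findall("x:Rule", NS):
        rule_id = rule.get("id")
        fix_el = rule.find("x:fix", NS)
        fix = fix_el.text.strip() if fix_el is not None and fix_el.text else None
        if rule.get("selected", "true") != "true":
            result = "notselected"
        else:
            ref = rule.find("x:check/x:check-content-ref", NS)
            def_id = ref.get("name") if ref is not None else None
            if def_id is None or def_id not in oval_results:
                result = "notchecked"
            else:
                result = "pass" if oval_results[def_id] else "fail"
        report[rule_id] = {
            "result": result,
            "fix": fix,
            "apply_fix": result == "fail" and fix is not None,
        }
    return report


def fixes_to_apply(report):
    """Rule id -> fix script for every rule the pass would actually remediate."""
    return {rid: r["fix"] for rid, r in report.items() if r["apply_fix"]}


if __name__ == "__main__":
    rep = evaluate_rules(BENCHMARK_XML, OVAL_RESULTS)
    for rid, r in rep.items():
        print(f"{rid}: {r['result']}  apply_fix={r['apply_fix']}")
    print("fixes selected:", sorted(fixes_to_apply(rep)))
```

Running it shows the point of the thread in one table: only the root-login rule (check failed) has its fix selected, the shadow-permissions rule passes and is left alone, the deselected rule is skipped, and the rule whose fix has no backing OVAL definition is reported "notchecked" rather than remediated, which is the "remedy not consonant with the assessment" case the reply warns about.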