Classification: UNCLASSIFIED
Caveats: NONE

Does anyone know if there's been an official approval from DISA for the use of SSG content and the openSCAP utility on RHEL 6 systems for providing official vulnerability reports to IA inspectors? Our local IA folks tell us that SCC is the only DISA approved/provided product that we can use for scanning our systems and providing scan results to IA for inspection and analysis. However, SCC only provides content up to RHEL 5, which is of no help with RHEL 6.

We have our own homemade script for scanning, but that's only good for in-house use. We need something for producing official SCAP formatted vulnerability reports. We believe our best option for automated scanning is the openSCAP tool with SSG content, which is what we want to use, but there doesn't seem to be any official acceptance for its use.

Basically, my IA folks want to see something in writing from DISA that says they officially approve the use of SSG content and the openSCAP tool for proving IA compliance on RHEL 6 systems. I know that the DISA FSO is working closely with Red Hat on SSG, but I can't find anything like an official release from DISA.

Thanks.
