On Thursday, October 20, 2016 3:56:41 PM EDT Martin Preisler wrote:
> ----- Original Message -----
> 
> > From: "Shawn Wells" <[email protected]>
> > To: [email protected]
> > Sent: Thursday, October 20, 2016 2:45:39 PM
> > Subject: Re: VMs, containers vs. bare-metal machines in SSG
> > 
> > [snip]
> > 
> > Really like the idea of CPEs. We can always work with NIST to get extra
> > CPEs added.... but wouldn't that mean creation of redhat:docker,
> > redhat:openshift, Docker:docker, pivotal:cloudfoundry, etc?
> 
> I'd like for SSG to be agnostic of the tech so I would go for CPE ID
> for container-image and that will be applicable when scanning docker images,
> rkt images, plain LXC images, etc... Same with vm-image, applicable on all
> offline virtual machine scanning, regardless of what is powering the VM or
> how it's stored.

Also at some point we will have to address SWID. Maybe that could be woven 
into everything? Containers should have their own SWID tag describing what's 
in them. There are NIST guidelines about CPE/SWID mappings.

-Steve
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
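As an added illustration (not code from this thread, from SSG or from OpenSCAP), the following Python sketches the two ideas above: a technology-agnostic platform CPE that a rule can declare once and that then applies to docker, rkt and LXC images alike (or to any offline VM image), and a SWID tag that lists what is inside a container image so its contents can be verified later. The CPE names under the vendor `example`, the target-kind strings, the entity name and regid are hypothetical placeholders, not registered identifiers; the tag layout follows ISO/IEC 19770-2:2015 with SHA-256 hashes on `File` entries; the image inventory is constructed for the example.

```python
"""Added example (not from the SSG thread or code base): technology-agnostic
platform CPEs for scan targets, and a SWID tag describing a container image."""
import hashlib
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("", SWID_NS)
ET.register_namespace("SHA256", SHA256_NS)

# Concrete targets collapse onto the few agnostic platforms proposed in the
# thread; the target-kind strings are assumptions for this example.
TARGET_TO_PLATFORM = {
    "docker-image": "container-image",
    "rkt-image": "container-image",
    "lxc-image": "container-image",
    "vm-image": "vm-image",
    "bare-metal": "machine",
}
# Hypothetical, unregistered CPE names (vendor "example" is a placeholder).
PLATFORM_CPE = {
    "container-image": "cpe:/a:example:container-image",
    "vm-image": "cpe:/a:example:vm-image",
    "machine": "cpe:/a:example:machine",
}


def platform_cpe(target_kind):
    """Map a concrete scan target (docker, rkt, LXC, ...) to the single
    agnostic CPE a rule would name in its <platform> element."""
    return PLATFORM_CPE[TARGET_TO_PLATFORM[target_kind]]


def rule_applies(rule_platforms, target_kind):
    """XCCDF-style applicability: a rule with no platform applies everywhere;
    otherwise it applies when the target's CPE is among the rule's platforms."""
    if not rule_platforms:
        return True
    return platform_cpe(target_kind) in rule_platforms


# Constructed inventory of a container image: path -> file contents.
SAMPLE_IMAGE = {
    "etc/os-release": b"NAME=Example\nVERSION_ID=1\n",
    "usr/bin/true": b"\x7fELF-stub",
}


def build_swid_tag(image_name, version, tag_id, files):
    """Emit a primary SWID tag whose Payload lists every file with its
    size and SHA-256 hash (ISO/IEC 19770-2:2015 layout)."""
    root = ET.Element(f"{{{SWID_NS}}}SoftwareIdentity", {
        "name": image_name, "version": version,
        "tagId": tag_id, "tagVersion": "1",
    })
    ET.SubElement(root, f"{{{SWID_NS}}}Entity", {
        "name": "Example Corp", "regid": "example.com",  # placeholders
        "role": "tagCreator softwareCreator",
    })
    payload = ET.SubElement(root, f"{{{SWID_NS}}}Payload")
    for path, data in sorted(files.items()):
        directory, _, name = path.rpartition("/")
        ET.SubElement(payload, f"{{{SWID_NS}}}File", {
            "name": name, "location": directory, "size": str(len(data)),
            f"{{{SHA256_NS}}}hash": hashlib.sha256(data).hexdigest(),
        })
    return ET.tostring(root, encoding="unicode")


def verify_swid_payload(tag_xml, files):
    """Re-hash the image's files against the tag; return the paths that are
    missing or whose hash differs (empty list when the image matches)."""
    root = ET.fromstring(tag_xml)
    bad, seen = [], set()
    for f in root.iter(f"{{{SWID_NS}}}File"):
        loc = f.get("location")
        path = f"{loc}/{f.get('name')}" if loc else f.get("name")
        seen.add(path)
        data = files.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != f.get(f"{{{SHA256_NS}}}hash"):
            bad.append(path)
    bad.extend(sorted(set(files) - seen))  # files present but never tagged
    return bad
```

The point of `platform_cpe` is that the benchmark only ever sees `container-image`; the scanner decides which concrete image formats map onto it, so no new CPE is needed per runtime. The SWID tag is what a scanner (or the NIST CPE/SWID mapping the post mentions) could consume to learn what a container holds; `verify_swid_payload` shows the minimum check a consumer should run rather than trusting the tag's claims.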
