The last XCCDF is:
one XCCDF for OS intersection net (min)
Whereas functionality at risk of eclipse is
max - (OS intersection net)
-----Original Message-----
From: Brent Kimberley
Sent: Wednesday, November 2, 2016 3:52 PM
To: [email protected]
Subject: RE: VMs, containers vs. bare-metal machines in SSG
Hi Radzy.
Assuming a strawman consisting of: one OS (i.e. apps, libraries,
OSxContainer-Interface, etc.); and one container (i.e. app, libraries,
ContainerxOS-Interface, etc.).
There is
one XCCDF for the OS (baseline)
one XCCDF for the container (delta)
one XCCDF for OS + container (net)
one XCCDF for OS union net (max)
one XCCDF for max - (OS intersection net) (min)
-----Original Message-----
From: Radzykewycz, T (Radzy) [mailto:[email protected]]
Sent: Friday, October 21, 2016 1:16 PM
To: [email protected]
Subject: RE: VMs, containers vs. bare-metal machines in SSG
> From: Brent Kimberley <[email protected]>
> As opposed to
> writing one XCCDF, why not write one XCCDF per point of interest
> (inside the container of interest, inside the OS but outside the
> container of interest, ...) - until upstream standards address Origin,
> Point (in SpaceTime), Frame of Reference, ... for a cyber-physical
> assembly?
When I start working on our container environment, I expect I need to write
custom XCCDF and custom OVAL for some of the checks.
Some of the management may be done in the container, but I expect most to be
done in the underlying host. So paths may be different, which would lead to
either more complex OVAL with parameterization, or duplication of the OVAL
content.
And as implied elsewhere, the XCCDF needs to be modified to indicate the
correct information for the environment.
Enjoy!
-- radzy
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]