On 7/21/17 10:18 AM, Meinecke, Lee wrote:
>
> I find it interesting that DISA is not planning on publishing RHEL7
> benchmark content for use with SPAWAR SCC tool. Most of my
> DoD customers request non-compliance results in that format.
>

Tools != Content. Usage of SPAWAR SCC does not predicate using vendor provided content.

From a content perspective, the OpenSCAP/SCAP Security Guide community has a really good relationship with the SPAWAR SCC team. They give us pre-release editions of SCC for beta testing to make sure everything is kosher. It's generally myself who does the initial testing and writeups. A fairly recent example:

https://shawnwells.io/2017/02/03/quick-review-of-spawar-scc-4-2-beta-1-with-openscapscap-security-guide/

(Note: The issues identified in the SCC tool were fixed prior to public release)

Like OpenSCAP, SPAWAR SCC is a NIST-validated SCAP configuration scanner for RHEL6 and RHEL7. Content should be interoperable between the two tools.

From a tooling perspective, both OpenSCAP and SPAWAR SCC are approved configuration scanners by the US Government:

SPAWAR SCC Validation: https://nvd.nist.gov/scap/validation/140
OpenSCAP Validation: https://nvd.nist.gov/scap/validation/142

Usage boils down to your workflow and report expectations. There are uses for both, e.g. how SCC works on Windows.

> As for accreditation the SCA-V teams are typically asking for STIG
> Viewer manual checklists for each host during their site visits. I
> suppose if we can use oscap to generate the results and then import
> them successfully into the STIG Viewer that would suffice. The manual
> checklists would be painful to complete if you couldn't import
> automated scan results.
>

Use the vendor-provided content in SPAWAR SCC then import the SCC results into STIG Viewer.

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
