David,
No scan will cover all of the 800-53 controls.  In my experience, I’ve seen 
between 5 and 30 controls addressed.  Lots of controls cover other disciplines 
like policy, personnel, physical, program management, etc.

Unless your colleague is saying that the scan results aren’t covering all of 
the *expected* requirements.  In that case, you’ve probably selected the wrong 
one among the myriad of confusing command line options and profiles.  In that case, 
you’ll need to provide specifics to include: OS and release, target 
benchmark/profile, exact command line used to initiate the scanner, and some 
statistics on pass/fail/not run.

Thanks,
Charlie Todd

From: David Rose <[email protected]>
Sent: Thursday, April 2, 2020 4:05 PM
To: [email protected]
Subject: [EXTERNAL] Questions about OSCAP for NIST Compliance checking

Hello. I'm brand-new to compliance because my boss wants to run compliance on 
our servers. I have some questions please. I am running an OpenScap on my 
CentOS 7 Linux servers, but my boss wants to get compliance against NIST 800-53 
initially.

I run from OpenScap Workbench, 'US Govt Config Baseline (USGCB/STIG) - Draft 
Unclassified in Non-Federal Organization(800-171)'. But when I get the results 
and give them to my colleague, he says the results are only a subset of the 
800-53. So I'm not really sure what to use to ensure our system is compliant 
against the full NIST 800-53.

And I don't know if I should run the compliance check from the OpenScap 
Workbench and SSH to the servers or if I should run 'oscap' from the 
commandline and SCP back all the output files.

And, I'm not sure if the CentOS7 or the RHEL7 variants of the scan are really 
the same.

And also, when I open an .HTML formatted output file from OpenScap Workbench, 
there is a 'grouping' where I can choose 800-53, but how do I know the 
percentage of the listed 800-53 controls against all 800-53 controls? And which 
type of scan do I want to use for a full 800-53 compliance check? (Or, at 
least, as full as can be scanned ..)

I appreciate all constructive assistance!
-dave
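Charlie asks for pass/fail/not-run statistics, and David asks what fraction of the 800-53 catalog the controls listed in the report represent. The following is an added Python example, not part of this thread or of the SCAP Security Guide project, that reads an XCCDF 1.2 results file of the kind `oscap xccdf eval --results` writes, counts rule outcomes from the TestResult, and collects the SP 800-53 controls referenced by the evaluated rules. The embedded XML, the `xccdf_example_rule_*` IDs and the ten-control catalog are constructed placeholders; a real run would point the script at an actual results file and load the full 800-53 control list from NIST's published catalog, since the percentage only means something against the complete set.

```python
import re
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# href values that SSG content puts on <reference> elements for NIST SP 800-53
NIST_800_53_HREFS = {
    "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf",
    "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf",
}

# Constructed, minimal results document mimicking the shape of
# `oscap xccdf eval --results`: the Benchmark's rules plus a TestResult.
R4 = "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
SAMPLE_RESULTS = f"""
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_SAMPLE">
  <Rule id="xccdf_example_rule_sshd_disable_root_login" selected="true">
    <title>Disable SSH root login</title>
    <reference href="{R4}">AC-6(2)</reference>
    <reference href="{R4}">IA-2</reference>
  </Rule>
  <Rule id="xccdf_example_rule_audit_rules_login_events" selected="true">
    <title>Record login events</title>
    <reference href="{R4}">AU-2</reference>
    <reference href="{R4}">AU-12</reference>
  </Rule>
  <Rule id="xccdf_example_rule_package_aide_installed" selected="true">
    <title>Install AIDE</title>
    <reference href="{R4}">SI-7</reference>
    <reference href="https://www.cisecurity.org/benchmark/centos_linux/">1.3.1</reference>
  </Rule>
  <Rule id="xccdf_example_rule_policy_reviewed" selected="true">
    <title>Security policy reviewed annually</title>
    <reference href="{R4}">PL-1</reference>
  </Rule>
  <TestResult id="xccdf_example_testresult_SAMPLE">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_login_events"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_package_aide_installed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_policy_reviewed"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Constructed stand-in for the full SP 800-53 catalog (really several hundred
# controls); replace with the complete list before trusting the percentage.
SAMPLE_CATALOG = ["AC-2", "AC-6", "AU-2", "AU-12", "IA-2", "PL-1", "SI-7", "SC-7", "CM-6", "PE-3"]

CONTROL_RE = re.compile(r"^([A-Z]{2}-\d+)(?:\(\d+\))?$")


def base_control(ref_text):
    """Map 'AC-6(2)' -> 'AC-6'; return None for text that is not an 800-53 id."""
    m = CONTROL_RE.match(ref_text.strip())
    return m.group(1) if m else None


def controls_by_rule(root):
    """Map each Rule id (rules may sit inside Groups) to its base 800-53 controls."""
    mapping = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        controls = set()
        for ref in rule.findall("x:reference", NS):
            if ref.get("href") in NIST_800_53_HREFS and ref.text:
                ctl = base_control(ref.text)
                if ctl:
                    controls.add(ctl)
        mapping[rule.get("id")] = controls
    return mapping


def summarize(xml_text, catalog):
    """Return outcome counts and 800-53 coverage for the rules a TestResult evaluated."""
    root = ET.fromstring(xml_text)
    counts, evaluated = Counter(), set()
    test_result = root.find("x:TestResult", NS)
    if test_result is not None:
        for rr in test_result.findall("x:rule-result", NS):
            evaluated.add(rr.get("idref"))
            result = rr.find("x:result", NS)
            if result is not None and result.text:
                counts[result.text.strip()] += 1  # pass / fail / notchecked / ...
    rule_controls = controls_by_rule(root)
    referenced = set().union(*(rule_controls.get(r, set()) for r in evaluated))
    covered = referenced & set(catalog)
    pct = round(100.0 * len(covered) / len(set(catalog)), 1) if catalog else 0.0
    return {"counts": dict(counts), "referenced_controls": sorted(referenced),
            "covered_controls": sorted(covered), "coverage_percent": pct}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    s = summarize(text, SAMPLE_CATALOG)
    print("rule outcomes:", s["counts"])
    print("800-53 controls referenced by evaluated rules:", ", ".join(s["referenced_controls"]))
    print("share of catalog touched by this profile: %.1f%%" % s["coverage_percent"])
```

Run it with the path to a real results file as the first argument to get the figures Charlie asks for; with no argument it runs on the constructed sample. Note that a "referenced" control only means the profile contains at least one automated check mapped to it, which is exactly why the percentage stays well below 100%: policy, personnel and physical controls have no rule to point at them.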

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]