Hello,

On Thursday, April 2, 2020 4:04:50 PM EDT David Rose wrote:

> I'm brand-new to compliance because my boss wants to run compliance
> on our servers. I have some questions please. I am running OpenSCAP on
> my CentOS 7 Linux servers, but my boss wants to get compliance against NIST
> 800-53 initially.
>
> I run from OpenSCAP Workbench, 'US Govt Config Baseline (USGCB/STIG) -
> Draft Unclassified in Non-Federal Organization(800-171)'. But when I get
> the results and give them to my colleague, he says the results are only a
> subset of the 800-53. So I'm not really sure what to use to ensure our
> system is compliant against the full NIST 800-53.
I will chime in on this but others can answer the other parts of your question. The 800-53 is a controls catalog. Nothing will ever have them all. Think of it as a list of good ideas to choose from should you have a need. So, what you do is define a policy based on a threat model and enable those controls. Example policies are the STIG, USGCB, OSPP, or many others. They will always be a subset of the whole catalog. And each will be a little different because they aim at a different threat model.

-Steve
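The "subset" point above can be checked directly against a benchmark: SSG rules carry `<reference>` elements citing 800-53 control ids, and a profile only selects some rules. The following is an added example, not code from the thread or from the SSG project; it uses a constructed miniature XCCDF benchmark (a bare Benchmark rather than a real SCAP datastream, with placeholder reference hrefs and no profile `extends` or refinements) to list which 800-53 controls each profile actually covers and which catalog entries it never touches.

```python
"""Which NIST SP 800-53 controls does an XCCDF profile actually select?"""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample benchmark (not real SSG content). The hrefs are placeholders;
# real SSG rules point the href at the 800-53 publication, so we match on "800-53".
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example">
  <Profile id="xccdf_example_profile_stig">
    <select idref="rule_sshd_root_login" selected="true"/>
    <select idref="rule_auditd_enabled" selected="true"/>
  </Profile>
  <Profile id="xccdf_example_profile_ospp">
    <select idref="rule_auditd_enabled" selected="true"/>
    <select idref="rule_fips_mode" selected="true"/>
  </Profile>
  <Group id="grp">
    <Rule id="rule_sshd_root_login"><reference href="PLACEHOLDER-800-53">AC-6</reference>
      <reference href="PLACEHOLDER-800-53">IA-2</reference></Rule>
    <Rule id="rule_auditd_enabled"><reference href="PLACEHOLDER-800-53">AU-2</reference>
      <reference href="PLACEHOLDER-800-53">AU-12</reference></Rule>
    <Rule id="rule_fips_mode"><reference href="PLACEHOLDER-800-53">SC-13</reference>
      <reference href="PLACEHOLDER-other-framework">X.1</reference></Rule>
  </Group>
</Benchmark>"""

# Constructed stand-in for the full catalog; the real one has hundreds of controls.
TINY_CATALOG = ["AC-2", "AC-6", "AU-2", "AU-12", "IA-2", "SC-13"]


def controls_by_profile(xccdf_text):
    """Map each profile id to the set of 800-53 control ids its selected rules cite."""
    root = ET.fromstring(xccdf_text)
    rule_refs = {}  # rule id -> 800-53 controls it cites (other frameworks ignored)
    for rule in root.iter("{%s}Rule" % NS["x"]):
        rule_refs[rule.get("id")] = {
            ref.text.strip() for ref in rule.findall("x:reference", NS)
            if ref.text and "800-53" in ref.get("href", "")}
    result = {}
    for prof in root.findall("x:Profile", NS):
        selected = {s.get("idref") for s in prof.findall("x:select", NS)
                    if s.get("selected") == "true"}
        result[prof.get("id")] = set().union(*(rule_refs.get(r, set()) for r in selected))
    return result


def uncovered(catalog, covered):
    """Catalog controls the profile never touches: the gap the colleague noticed."""
    return sorted(set(catalog) - set(covered))


if __name__ == "__main__":
    for prof_id, controls in controls_by_profile(SAMPLE_XCCDF).items():
        print(prof_id, sorted(controls), "missing:", uncovered(TINY_CATALOG, controls))
```

Each profile covers a different slice of the catalog, and neither covers all of it, which is the expected outcome of a profile being a threat-model-driven selection rather than the catalog itself.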
