There definitely needs to be more information as there is moderate, high, and those like DHS5300A that select everything. CUI 800-171 is a subset of 800-53.

As rehashed over and over again, CentOS will never meet 800-53 or 800-171 requirements. It is not meant to. There is and won't be a USGCB or CUI profile for it, so that's a full stop on meeting compliance. https://wiki.centos.org/FAQ/General#What_is_CentOS_Linux.3F and https://wiki.centos.org/FAQ/General#What_is_CentOS.27s_relationship_with_Red_Hat.2BAK4.2C_Inc._or_RHEL.3F clearly state this if there is belief that CentOS == RHEL.

On Thu, Apr 2, 2020 at 2:13 PM Todd, Charles <[email protected]> wrote:

> David,
>
> No scan will cover all of the 800-53 controls. In my experience, I've seen between 5 and 30 controls addressed. Lots of controls cover other disciplines like policy, personnel, physical, program management, etc.
>
> Unless your colleague is saying that the scan results aren't covering all of the *expected* requirements. In that case, you've probably selected the wrong one at the myriad of confusing command line options and profiles. In that case, you'll need to provide specifics to include: OS and release, target benchmark/profile, exact command line used to initiate the scanner, and some statistics on pass/fail/not run.
>
> Thanks,
>
> Charlie Todd
>
> *From:* David Rose <[email protected]>
> *Sent:* Thursday, April 2, 2020 4:05 PM
> *To:* [email protected]
> *Subject:* [EXTERNAL] Questions about OSCAP for NIST Compliance checking
>
> Hello. I'm brand-new to compliance because my boss wants to run compliance on our servers. I have some questions please. I am running OpenScap on my CentOS 7 Linux servers, but my boss wants to get compliance against NIST 800-53 initially.
>
> I run from OpenScap Workbench, 'US Govt Config Baseline (USGCB/STIG) - Draft Unclassified in Non-Federal Organization(800-171)'. But when I get the results and give them to my colleague, he says the results are only a subset of the 800-53. So I'm not really sure what to use to ensure our system is compliant against the full NIST 800-53.
>
> And I don't know if I should run the compliance check from the OpenScap Workbench and SSH to the servers or if I should run 'oscap' from the command line and SCP back all the output files.
>
> And, I'm not sure if the CentOS7 or the RHEL7 variants of the scan are really the same.
>
> And also, when I open an .HTML formatted output file from OpenScap Workbench, there is a 'grouping' where I can choose 800-53, but how do I know the percentage of the listed 800-53 controls against all 800-53 controls? And which type of scan do I want to use for a full 800-53 compliance check? (Or, at least, as full as can be scanned ..)
>
> I appreciate all constructive assistance!
>
> -dave
>
> This message and any enclosures are intended only for the addressee. Please notify the sender by email if you are not the intended recipient. If you are not the intended recipient, you may not use, copy, disclose, or distribute this message or its contents or enclosures to any other person and any such actions may be unlawful. Ball reserves the right to monitor and review all messages and enclosures sent to or from this email address.
>
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
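As an added example (not code from this thread or from the SSG project) of producing the pass/fail/not-run statistics Charlie asks for, and of seeing which 800-53 controls a scan actually touched, here is a Python tally over an XCCDF 1.2 results file. It assumes the results file written by `oscap xccdf eval --results` carries both the Benchmark (with its `<reference>` elements) and the TestResult; the sample XML and its rule ids are constructed.

```python
# Added example (not code from the thread): tally an OpenSCAP XCCDF 1.2 results file
# by result status and by the NIST 800-53 controls each rule cites. Assumes a file
# produced by something like (profile id is a placeholder):
#   oscap xccdf eval --profile <profile-id> --results results.xml --report report.html \
#       /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}
SP800_53 = "NIST.SP.800-53"  # substring of the reference href SSG content uses for 800-53

def tally(xml_text):
    root = ET.fromstring(xml_text)
    controls_by_rule = defaultdict(set)  # rule id -> set of 800-53 control ids it cites
    for rule in root.iter("{%s}Rule" % XCCDF):
        for ref in rule.findall("x:reference", NS):
            if SP800_53 in ref.get("href", "") and ref.text:
                controls_by_rule[rule.get("id")].add(ref.text.strip())
    counts = Counter()                      # pass / fail / notapplicable / ...
    statuses_by_control = defaultdict(set)  # control id -> statuses of rules mapped to it
    for rr in root.iter("{%s}rule-result" % XCCDF):
        status = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[status] += 1
        for ctrl in controls_by_rule.get(rr.get("idref"), ()):
            statuses_by_control[ctrl].add(status)
    # A control is failing if any rule mapped to it failed; the scan can only speak for
    # the controls its rules reference, never for the whole of 800-53.
    failing = sorted(c for c, s in statuses_by_control.items() if "fail" in s)
    return dict(counts), sorted(statuses_by_control), failing

# Constructed sample in the shape of an XCCDF results file (ids are made up).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Rule id="xccdf_example_rule_sshd_no_root"><title>Disable root login over SSH</title>
    <reference href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference>
    <reference href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</reference>
  </Rule>
  <Rule id="xccdf_example_rule_auditd"><title>Enable auditd</title>
    <reference href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2</reference>
  </Rule>
  <Rule id="xccdf_example_rule_gui"><title>GUI setting</title></Rule>
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_example_rule_sshd_no_root"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_auditd"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_gui"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""

if __name__ == "__main__":
    print(tally(SAMPLE))
```

The list of controls returned is the denominator David can compare against the full 800-53 catalogue; controls that no rule references simply never appear, which is the "subset" his colleague noticed.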
