Re: [Open-scap] Compliance Mapping

2020-10-27 Thread Šimon Lukašík

Hello Tobias,

What exactly do you mean by compliance mapping? Are you interested in
seeing

 - (A) how is given control requirement covered by OpenSCAP checks
 - (B) what controls are related to given OpenSCAP check

?

Or is it something else?

I guess, the answer will depend on which particular regulation you are
looking at. For some there has been a bit more work done previously than
for others. For example, for DISA STIG there are SRG mapping tables [1] built
in upstream [2]. For others, you will find that each OpenSCAP check
contains references to relevant controls.

Kind regards,
--
Šimon Lukašík
Member of technical staff
Office of the Chief Technologist
Red Hat Public Sector



[1]: http://atopathways.redhatgov.io/cac/tables/table-rhel8-srgmap-flat.html
[2]: https://github.com/ComplianceAsCode/content


Tobias Svenblad writes:

> Hello,
>
> I hope I came to the right place and that I’m not making a fool of myself.
>
> We are having internal discussions on how to do compliance mapping of several
> regulations. I noticed that OpenSCAP has a lot of compliance requirements as
> references in the SCAP control activities. Is this a manual process; does
> OpenSCAP maintain this compliance mapping without any tools? Or is it
> completely automatic, and if so, how? I.e. how does OpenSCAP map certain
> regulation requirements to certain control activities?
>
> If anyone has the answer, I’d be very grateful. Thanks.
>
> Mvh/BR,
>
> Tobias Svenblad
> Security Analyst, Crosskey


___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
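To make the two directions (A) and (B) from the reply concrete, here is an added example (not code from the original posts, nor from the OpenSCAP or ComplianceAsCode projects) that parses the `<reference>` elements each XCCDF rule carries and answers both questions from them. The benchmark, rule ids and reference hrefs are constructed for illustration; only the XCCDF 1.2 namespace and element names are real.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample benchmark (hypothetical rule ids and hrefs): each <Rule> carries
# <reference> elements whose text is the control id and whose href names the regulation.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_sshd_banner" selected="true">
    <title>Enable SSH Warning Banner</title>
    <reference href="https://example.org/nist-800-53">AC-8(a)</reference>
    <reference href="https://example.org/srg">SRG-OS-000023-GPOS-00006</reference>
  </Rule>
  <Group id="xccdf_example_group_demo">
    <Rule id="xccdf_example_rule_login_banner" selected="true">
      <title>Modify the System Login Banner</title>
      <reference href="https://example.org/nist-800-53">AC-8(a)</reference>
    </Rule>
  </Group>
</Benchmark>"""

def extract_references(xccdf_text):
    """Return {rule_id: {(href, control_id), ...}} for every Rule, however deeply nested."""
    root = ET.fromstring(xccdf_text)
    rule_refs = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        refs = set()
        for ref in rule.findall(f"{{{XCCDF_NS}}}reference"):
            control = (ref.text or "").strip()
            if control:  # skip empty reference elements rather than mapping them
                refs.add((ref.get("href", ""), control))
        rule_refs[rule.get("id")] = refs
    return rule_refs

def controls_for_rule(rule_refs, rule_id):
    """(B) controls related to a given OpenSCAP check."""
    return sorted(control for _, control in rule_refs.get(rule_id, ()))

def rules_for_control(rule_refs, control_id, href=None):
    """(A) checks covering a given control; pass href to restrict to one regulation."""
    return sorted(
        rule_id
        for rule_id, refs in rule_refs.items()
        if any(c == control_id and (href is None or h == href) for h, c in refs)
    )

if __name__ == "__main__":
    refs = extract_references(SAMPLE_XCCDF)
    print("AC-8(a) is covered by:", rules_for_control(refs, "AC-8(a)"))
    print("sshd banner maps to:", controls_for_rule(refs, "xccdf_example_rule_sshd_banner"))
```

Because `iter()` walks the whole tree, the same functions work when fed a complete SCAP source data stream, where the Benchmark sits inside a component element.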

[Open-scap] Compliance Mapping

2020-10-26 Thread Tobias Svenblad
Hello,

I hope I came to the right place and that I’m not making a fool of myself.

We are having internal discussions on how to do compliance mapping of several
regulations. I noticed that OpenSCAP has a lot of compliance requirements as
references in the SCAP control activities. Is this a manual process; does
OpenSCAP maintain this compliance mapping without any tools? Or is it
completely automatic, and if so, how? I.e. how does OpenSCAP map certain
regulation requirements to certain control activities?

If anyone has the answer, I’d be very grateful. Thanks.

Mvh/BR,

Tobias Svenblad
Security Analyst, Crosskey