Has any work been done to be able to say what checks are mapped to a single NIST control? For example: AC-3: userowner_shadow_file groupowner_shadow_file groupowner_group_file ...
IIUC, the current tools generate something more akin to userowner_shadow_file: AC-3, CM-6, where AC-3 and CM-6 are in the same NIST ref.
joe
Not exactly yet, but it shouldn't be hard to make a little lxml.etree script to do this. Alternatively, an XSLT transform could probably do it. I'll see what I can do.
I committed another transform (xccdf2table-byref.xslt) to the repository, just to show how Rules can be printed based on their reference. (Sorting the Rules by reference could likely also be added without much trouble; right now it's just document order.)
"make table-refs" to see.
The only mostly-populated one is the NIST references, of course.
On 01/26/2012 03:09 PM, Joe Nall wrote:
Has any work been done to be able to say what checks are mapped to a single NIST control? For example: AC-3: userowner_shadow_file groupowner_shadow_file groupowner_group_file ...
IIUC, the current tools generate something more akin to userowner_shadow_file: AC-3, CM-6 where AC-3 and CM-6 are in the same nist ref
joe
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/scap-security-guide
I added a new transform to break apart comma-separated items in a particular reference document, as well as another transform to sort the resulting HTML table. See last commands in the Makerule for "table-refs" ... I think the output file rhel6-table-nistrefs-delim.html might be close to what you're looking for.
There should probably be some examples/scripts to do this using lxml.etree too.
Ensuring completeness wrt requirements is a lot more difficult than sorting/presenting XML elements, but hopefully this helps...
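An added example, not part of the thread or the project's repository: the rule-to-control mapping inverted into a control-to-rules table, with comma-separated reference text split apart and rules lacking any reference to the chosen document listed separately. It uses the standard-library xml.etree.ElementTree in place of lxml.etree, and assumes controls are stored as text in XCCDF 1.1 `<reference>` elements selected by `href`; the sample document, its `href` values and the name `rules_by_reference` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # XCCDF 1.1 namespace

# Constructed sample; the href values are placeholders, not the project's own.
SAMPLE_XCCDF = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-sample">
  <Group id="permissions">
    <Rule id="userowner_shadow_file">
      <reference href="https://example.invalid/nist-800-53">AC-3, CM-6</reference>
    </Rule>
    <Rule id="groupowner_shadow_file">
      <reference href="https://example.invalid/nist-800-53">AC-3,CM-6</reference>
      <reference href="https://example.invalid/other-catalog">1234</reference>
    </Rule>
    <Rule id="groupowner_group_file">
      <reference href="https://example.invalid/nist-800-53"> AC-3 </reference>
    </Rule>
    <Rule id="rule_without_refs"/>
  </Group>
</Benchmark>
"""

def rules_by_reference(xccdf_text, href):
    """Return ({control: [rule ids]}, [rule ids with no reference to href])."""
    root = ET.fromstring(xccdf_text)
    by_ref, unmapped = defaultdict(list), []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        controls = set()
        for ref in rule.findall(f"{{{XCCDF_NS}}}reference"):
            if ref.get("href") == href:
                # One element may carry several comma-separated controls.
                text = (ref.text or "").strip()
                controls.update(c for c in re.split(r"\s*,\s*", text) if c)
        if not controls:
            unmapped.append(rule.get("id"))
        for control in controls:
            by_ref[control].append(rule.get("id"))
    return {c: sorted(ids) for c, ids in sorted(by_ref.items())}, unmapped

if __name__ == "__main__":
    nist = "https://example.invalid/nist-800-53"
    table, unmapped = rules_by_reference(SAMPLE_XCCDF, nist)
    for control, rule_ids in table.items():
        print(f"{control}: {' '.join(rule_ids)}")
    print("no reference:", " ".join(unmapped))
```

The second return value only reports rules with no reference to the chosen document; it says nothing about whether a control is fully covered by the rules mapped to it.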