[Open-scap] NIST 800-53 identifiers

Shawn Wells shawn at redhat.com
Thu Mar 13 01:06:57 UTC 2014


On 3/12/14, 10:16 AM, Simon Lukasik wrote:
> On 03/12/2014 02:45 AM, Shawn Wells wrote:
>> On 3/11/14, 6:15 PM, Kordell, Luke T wrote:
>>> Hello,
>>>
>>>       I noticed that the majority of the rule definitions now have
>>> NIST 800-53 identifiers or an empty set of quotes where an identifier
>>> will be added. Is there a way to get the already-added identifiers to
>>> show up on the .html scan results? At the moment all I can see is the
>>> CCE number.
>>>
>>> Thanks,
>>>
>>> Luke K
>>
>> (cross posting to open-scap-list since this is of interest to both
>> communities, and the OpenSCAP guys are in the position to effect change)
>>
>> This comes up frequently. From a content perspective the NIST 800-53
>> (+STIG) identifiers are handled in the <ref> tags. It's a matter of
>> having the tool (e.g. OpenSCAP) place them into the results file. I
>> recall a thread about this, however couldn't easily find it.
>>
>> So, for the OpenSCAP guys: within SSG we utilize the <ref> tag to map
>> additional policy regimes to XCCDF rules. Is there a way to get this
>> information exposed within result files?
>>
>
> Hello,
>
> We can add these identifiers to the HTML report. What should it look like?
>
> For example, the Rule named "umask_for_daemons" contains a reference to AC-6.
> The output now looks like:
>
> """
>     Security identifiers
>        * CCE-27031-4
> """
>
> Once we include 800-53 references it could look like:
>
> """
>     Security identifiers
>        * Security Control ID (NIST SP 800-53): AC-6
>        * CCE-27031-4
> """
>
> Does that look reasonable to you? Do you have better suggestions? 

Would it be possible to separate "Security identifiers" from "Security 
mappings"?

Identifiers such as CCEs are unique one-to-one mappings against the 
XCCDF rule, whereas "security mappings" provide a many-to-one 
relationship and really aren't meant to uniquely identify the XCCDF 
rule. e.g.:

Security Identifiers
     * CCE-27031-4

Security Mappings
     * NIST 800-53 AC-6
     * DISA CCI 12345

It's completely acceptable if this isn't an option! Having this 
information in the report would be incredibly useful.
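
The split proposed above, as an added example that is not part of the original thread and is not OpenSCAP or SSG code: it reads one XCCDF Rule, lists <ident> elements as identifiers and <reference> elements as mappings, and skips empty placeholder references. The sample benchmark, the example.org hrefs, the REGIMES label table and the function names are constructed assumptions; the CCE, AC-6 and CCI values are the ones quoted in the thread.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed sample: one Rule carrying an <ident> and three <reference>s,
# the last one an empty placeholder still waiting for its identifier.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed">
  <Rule id="umask_for_daemons" selected="true">
    <title>Set Daemon Umask</title>
    <ident system="http://cce.mitre.org">CCE-27031-4</ident>
    <reference href="https://example.org/nist-800-53">AC-6</reference>
    <reference href="https://example.org/disa-cci">12345</reference>
    <reference href="https://example.org/nist-800-53"></reference>
  </Rule>
</Benchmark>"""

# Assumed href -> display label table; a real report would use the hrefs
# that actually appear in the content being scanned.
REGIMES = {
    "https://example.org/nist-800-53": "NIST 800-53",
    "https://example.org/disa-cci": "DISA CCI",
}

def rule_sections(xml_text, rule_id):
    """Return identifiers (one-to-one) and mappings (many-to-one) for a rule."""
    root = ET.fromstring(xml_text)
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        if rule.get("id") != rule_id:
            continue
        idents = [e.text.strip() for e in rule.findall(f"{{{XCCDF_NS}}}ident")
                  if e.text and e.text.strip()]
        mappings = []
        for ref in rule.findall(f"{{{XCCDF_NS}}}reference"):
            if not (ref.text and ref.text.strip()):
                continue  # empty placeholder, nothing to show yet
            href = ref.get("href", "")
            label = REGIMES.get(href, href or "Unlabelled reference")
            mappings.append(f"{label} {ref.text.strip()}")
        return {"Security Identifiers": idents, "Security Mappings": mappings}
    raise KeyError(rule_id)

def render(sections):
    """Plain-text rendering in the layout proposed in the thread."""
    lines = []
    for heading, items in sections.items():
        if items:  # omit a section that has no entries
            lines += [heading] + [f"     * {item}" for item in items] + [""]
    return "\n".join(lines).rstrip()

if __name__ == "__main__":
    print(render(rule_sections(SAMPLE, "umask_for_daemons")))
```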



