Review current approaches to defining rules to confirm minimal data fields in rules-related models
Review current approaches for security testing processes and tools, and confirm that we represent the MVP data points a rule practically needs to encode.
Ideally, we would like to review the mechanics and characteristics of the different kinds of security testing tools.
- [ ] Traditional SCAP XCCDF-based security assessment, for one or two of:
  - OpenShift Container Platform (OCPv4, Kubernetes variant) OpenSCAP scan profile
  - ~A Linux operating system OpenSCAP scan profile, per taste/choice of assigned developers (A.J. and Dave to discuss)~
- [ ] Metrics-based security operations analysis, such as one or two of:
  - cloudsecurityalliance/continuous-audit-metrics
  - ~Security operations metrics from the EU/ENISA MEDINA project, if available and publicly shareable~
- [ ] Stretch goal: cloud-based security tooling that is not a command-line Unix tool (in contrast to OpenSCAP), implemented as an API and/or managed service
@david-waltermire-nist, I know this spike is about tool review. I am going to un-assign #1160 from this issue because the "update models' Metaschema and make content examples" is what we ended up doing towards the tail end of #1339 and is in flight, #1364.
Dave and I down-scoped which content examples we will look at for the two categories and will sync back up to discuss my impressions in our next pairing session. Looking at the OCPv4 SCAP guides and OVAL profiles. Will prefer the CSA metrics over the MEDINA ones in the interest of time if the latter are not currently public. The cloud-based API one is still TBD.
Added some sample data and will continue draft notes here until we are ready to publish in this issue, itemize next steps, and close this issue out.
https://hackmd.io/I_DdJG2RRtKuj39cvss1WA
We met today and planned to continue with this work in an afternoon pairing session tomorrow.
I am moving this to Sprint 61.
Not completed last sprint and not in scope for Sprint 63, moving to the backlog.