Lista de itens utilizados no SCAP e OpenSCAP

security-checklist-components.md

Itens mútuos com SCAP e OpenSCAP

• Open Vulnerability Assessment Language (OVAL) -- SCAP e OpenSCAP
• Assert Report Format (ARF) -- SCAP e OpenSCAP
• Extensible Configuration Checklist Description Format (XCCDF) -- SCAP e OpenSCAP
• Common Vulnerability Exposures (CVE) -- SCAP e OpenSCAP
• Common Platform Enumeration (CPE) -- SCAP e OpenSCAP
• Common Weakness Enumeration (CWE) -- SCAP e OpenSCAP
• DataStream -- OpenSCAP -> Isso foi introduzido no SCAP 1.2. Para que consiga entender o que é o "DataStream" do OpenSCAP: Imagine um arquivo XCCDF que tem ligação com o OVAL e, nele, tem ligações com informações das plataformas vulneráveis (CPE). Esse arquivo interligado pode ser chamado de "DataStream". Ele não faz parte do SCAP, apenas do OpenSCAP.

Abaixo são os itens utilizados apenas no SCAP, NIST.gov:

• Open Checklist Interactive List (OCIL) -- SCAP
• Common Configuration Enumeration (CCE) -- SCAP
• Common Configuration Scoring System (CCSS) -- SCAP
• Software Identification (SWID) -- SCAP
• Common Vulnerability Scoring System (CVSS) -- SCAP
• Trust Model for Security Automation Data (TMSAD) -- SCAP

1. Language

Nome dos itens	SCAP	OpenSCAP
Open Checklist Interactive List	YES	NO
Open Vulnerability Assessment Language	YES	YES
Extensible Configuration Checklist Description Format	YES	YES
DataStream	NO	YES

2. Reporting Formats

Nome dos itens	SCAP	OpenSCAP
Asset Reporting Format	YES	NO
Asset Identification	YES	NO

3. Identification Schemes

Nome dos itens	SCAP	OpenSCAP
Common Configuration Enumeration	YES	NO
Common Platform Enumeration	YES	YES
Common Vulnerability Exposures	YES	YES
Software Identification	YES	NO

4. Scoring System

Nome dos itens	SCAP	OpenSCAP
Common Vulnerability Scoring System	YES	NO
Common Configuration Scoring System	YES	NO

5. Integrity

Nome dos itens	SCAP	OpenSCAP
Trust Model for Security Automation Data	YES	NO