In the meantime we do everything with Tenable.sc/Nessus - it works for us - but you are right - some parameters are categorized as "Medium" in the scan results, which means that Tenable was not able to recognize whether a parameter is set correctly or not.
The quality of the CIS audit files is a little bit better than STIG - STIG is also behind regarding OS versions. The parameters are partly different, but sufficient for our baseline.
If necessary, you can also adapt the audit files and import them. So you can improve the quality or even check for parameters that are not part of the original STIG guidelines or CIS benchmarks.
I don't know if an openscap implementation would provide better results than Tenable/Nessus. The problem here is that the scripts that deliver the information are the key point - the openscap community is mainly operating Linux systems - but none of them has an IBM Power system at home. So the expectation should be lower than with the Linux platforms.
And the openscap files for Linux are delivered by the distributors - e.g. if you have a request for SLES, you may write to security@suse.com and they consider whether the request can be implemented.
So for AIX, IBM needs not only to deliver the tool - they also need to provide the scap files.
But it still would be interesting for us to have openscap - because the HTML reports are really great structured. Better than with Tenable.
------------------------------
Opensource the Planet ;-)
------------------------------
Original Message:
Sent: Fri April 26, 2024 12:01 PM
From: Vasiliy Gokoyev
Subject: openscap for AIX?
How is everyone able to keep AIX in compliance these days?
Are there any new developments with compliance checking for AIX? We evaluated the PowerSC product and it fell short of expectations. Also looked at the tenable/nessus audit results, but the baseline profile appears infested with bugs and incorrect check logic https://www.tenable.com/audits/DISA_STIG_AIX_7.x_v2r9.
openscap seems to produce the cleanest and most readable reports I've seen so far for Power LE Linux; it would be ideal if it could be ported to AIX.
So here is another vote for IBM to contribute an openscap AIX package and the AIX compliance profiles.
------------------------------
Vasiliy Gokoyev
Original Message:
Sent: Thu August 06, 2020 06:21 AM
From: SANKET RATHI
Subject: openscap for AIX?
Hi Martin,
We have looked in the past at porting openscap to AIX but encountered some Linux-specific code in the packages.
Hence it is difficult to port these packages.
Right now we do not have a plan to pursue it further because of the Linux-specific requirements of the package.
------------------------------
SANKET RATHI
Original Message:
Sent: Tue August 04, 2020 12:37 PM
From: Martin Rödlach
Subject: openscap for AIX?
Hi,
could you imagine providing us with openscap for AIX?
On Linux this tool generates great reports which I need for external controllers.
Thanks
------------------------------
Opensource the Planet ;-)
------------------------------