The current way of dealing with a SCAP configuration file is unwieldy. Let's look at the process as I read it in the documentation:
- Take a starting config file (CIS, DISA STIG, OpenSCAP reference)
- Make changes manually to reflect the reference at our organization.
The problem with this is that it represents a great deal of manual (error-prone) work. I did a test with a CIS SCAP file and scanned our reference OS and there were 325 differences. Multiply this by Windows, CentOS/Red Hat, and Ubuntu and version updates with new config options as time passes. And this is not counting any local changes in config that occur. We need a good fraction of an FTE just to manage this. We do not have the person-time to make this happen.
What I am looking for is a tool that will take a reference (gold) system and build the config file. When we change the gold image, we just rebuild the config from the new image.
Does such a tool exist?
Thanks
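One approach to the "325 differences" problem that does not require authoring checks from scratch: scan the gold image once with the base profile, pull the failing rules out of the XCCDF results, put them in front of a reviewer, and generate an XCCDF 1.2 Tailoring file that deselects only the deviations the organization has accepted. The script below is an added example, not part of the original post and not an OpenSCAP or CIS tool. It assumes the results came from `oscap xccdf eval --results results.xml` (rule outcomes in `TestResult/rule-result` elements of the XCCDF 1.2 namespace); the benchmark, profile and rule ids are constructed placeholders, and the sample results document is constructed inline.

```python
"""Derive an XCCDF 1.2 Tailoring from a gold-image scan (added example).

Assumptions: results produced by `oscap xccdf eval --results results.xml`;
all ids below are constructed placeholders, not real SSG/CIS identifiers.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample: a trimmed results file from scanning the gold image.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_sample">
  <TestResult id="xccdf_org.example_testresult_gold">
    <profile idref="xccdf_org.example_profile_cis"/>
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_package_telnet_removed" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_rules_login_events" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_legacy_check" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def rule_outcomes(results_xml):
    """Map rule id -> (result, severity) for every rule-result in the scan."""
    root = ET.fromstring(results_xml)
    outcomes = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        res = rr.find("x:result", NS)
        text = res.text.strip() if res is not None and res.text else "unknown"
        outcomes[rr.get("idref")] = (text, rr.get("severity", "unknown"))
    return outcomes


def rules_to_review(outcomes):
    """Rules the gold image fails: each is either an intentional deviation
    (deselect it) or a real gap in the image (fix the image, keep the rule).
    High severity sorts first so risky deviations are reviewed before cosmetic ones."""
    order = {"high": 0, "medium": 1, "low": 2}
    failing = [(rid, sev) for rid, (res, sev) in outcomes.items() if res == "fail"]
    return sorted(failing, key=lambda t: (order.get(t[1], 3), t[0]))


def build_tailoring(benchmark_href, base_profile, outcomes, accepted,
                    tailoring_id="xccdf_org.example_tailoring_gold"):
    """Emit an XCCDF 1.2 Tailoring whose profile extends `base_profile` and
    deselects only the reviewed deviations in `accepted`.
    Refuses to deselect a rule the gold image did not actually fail, so the
    accepted-deviation list cannot silently drift away from the scan."""
    not_failing = [r for r in accepted if outcomes.get(r, ("missing",))[0] != "fail"]
    if not_failing:
        raise ValueError(f"not failing in the scan, refusing to deselect: {not_failing}")

    ET.register_namespace("xccdf", XCCDF_NS)
    q = lambda tag: f"{{{XCCDF_NS}}}{tag}"
    root = ET.Element(q("Tailoring"), id=tailoring_id)
    ET.SubElement(root, q("benchmark"), href=benchmark_href)
    # XCCDF requires a version element; the timestamp is a constructed placeholder.
    ET.SubElement(root, q("version"), time="2024-01-01T00:00:00").text = "1"
    profile = ET.SubElement(root, q("Profile"),
                            id=tailoring_id.replace("tailoring", "profile"),
                            extends=base_profile)
    ET.SubElement(profile, q("title")).text = "Gold image: accepted deviations from the base profile"
    for rid in sorted(accepted):
        ET.SubElement(profile, q("select"), idref=rid, selected="false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    outcomes = rule_outcomes(SAMPLE_RESULTS)
    for rid, sev in rules_to_review(outcomes):
        print(f"REVIEW [{sev}] {rid}")
    # After review: the audit-rule deviation is accepted, the telnet one is not.
    print(build_tailoring("ssg-example-ds.xml", "xccdf_org.example_profile_cis",
                          outcomes, {"xccdf_org.example_rule_audit_rules_login_events"}))
```

The tailoring is then passed back to the scanner (`oscap xccdf eval --tailoring-file ... --profile xccdf_org.example_profile_gold ...`) and regenerated whenever the gold image changes, which is the rebuild-from-image loop the question asks for. The review step is deliberate: a script that deselects every failing rule would turn the benchmark into a mirror of whatever the image happens to contain, including genuine misconfigurations, so only rules a person has marked as accepted deviations are switched off, and the tool rejects any id that the scan did not actually report as failing.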