Sorry for the double post but I just realized that I forgot to ask about
the acceptance of SCE in the core SSG.
There are some things I just can't check without SCE such as:
* OpenLDAP configuration items
* Running IPTables Rules
* Running Auditd Rules
* Certs and settings in GnuTLS keystores
Thanks,
Trevor
On Mon, Oct 31, 2016 at 4:42 PM, Trevor Vaughan <tvaughan(a)onyxpoint.com>
wrote:
Hi All,
After much delaying, we're hoping to start integrating our SIMP-specific
methods for meeting the various policy requirements directly into the SSG.
Unfortunately, this is proving to be a bit hairy and I'd like to know
what you would prefer.
## Option 1: Fork the Entire RHEL base into SIMP/{6,7} etc...
- We're not another OS, we're a specific (flexible) configuration set for
RHEL and/or CentOS
- I'd really like to avoid this
## Option 2: Muck about directly in the RHEL space
- This is my preference and I can 100% start with a set of profiles that
mirror the existing profiles. I guess this would be prefaced with 'simp'.
So, simp-C2S.xml, simp-pci-dss.xml, etc...
- We will also need to add alternate OVAL checks that are specific to
SIMP. For instance, per policy, our auditd file is optimized; this means
that none of the included checks will pass and we need alternate checks.
And no, in general, there is no way to determine if you're on a SIMP
system unless it's the Puppet Server. It's just RHEL.
Advice appreciated.
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
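
A running-state check of the kind the message says needs SCE, as an added example that is not part of the original thread or of SSG/SIMP code: it tests whether a syscall is covered by the loaded audit rules however the rules were merged, instead of matching lines in a rules file. The function names, the required-syscall list and the sample rules are constructed for illustration; it assumes `auditctl -l` prints rules in rule-file syntax and that the SCE exports `XCCDF_RESULT_PASS` and `XCCDF_RESULT_FAIL`.

```shell
#!/bin/sh
# Added example (not SSG or SIMP code): SCE-style check of *loaded* audit rules.
# Result codes come from the environment the SCE exports; the fallbacks below
# are only so the script also runs outside oscap.
: "${XCCDF_RESULT_PASS:=101}" "${XCCDF_RESULT_FAIL:=102}"

# Constructed sample in `auditctl -l` rule syntax; on a host: rules=$(auditctl -l)
SAMPLE_RULES='-a always,exit -F arch=b64 -S chmod,fchmod,chown -F auid>=1000 -F key=perm_mod
-a always,exit -F arch=b32 -S chmod -F key=perm_mod
-w /etc/passwd -p wa -k identity'

# stdin: rules. Succeeds if any always,exit rule for arch $1 lists syscall $2,
# no matter how many syscalls were merged into that rule.
syscall_audited() {
    awk -v arch="$1" -v sc="$2" '
    {
        is_exit = 0; is_arch = 0; hit = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-a" && $(i+1) == "always,exit") is_exit = 1
            if ($i == "-F" && $(i+1) == ("arch=" arch)) is_arch = 1
            if ($i == "-S") {
                n = split($(i+1), names, ",")
                # exact match per name, so "chmod" does not satisfy "fchmod"
                for (j = 1; j <= n; j++) if (names[j] == sc) hit = 1
            }
        }
        if (is_exit && is_arch && hit) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# $1 arch, $2 rules text, remaining args: required syscalls. Prints the missing ones.
missing_syscalls() {
    arch=$1; rules=$2; shift 2; out=""
    for sc in "$@"; do
        printf '%s\n' "$rules" | syscall_audited "$arch" "$sc" || out="${out:+$out }$sc"
    done
    printf '%s' "$out"
}

# Translate the finding into the result code an SCE script exits with.
sce_result() {
    if [ -z "$1" ]; then echo "$XCCDF_RESULT_PASS"; else echo "$XCCDF_RESULT_FAIL"; fi
}

# Hypothetical policy: these syscalls must be audited on both architectures.
for a in b32 b64; do
    m=$(missing_syscalls "$a" "$SAMPLE_RULES" chmod fchmod chown)
    echo "arch=$a missing=[$m] result=$(sce_result "$m")"
done
```

In an actual SCE script the last step would be `exit "$(sce_result "$m")"` with the rules taken from `auditctl -l`.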