We have been allowed to use CENTOS on a variety of DoD systems. We do not connect to the GIG however. These are systems which do not connect or connect to very controlled networks. RHEL is just costing our program too much money so we switched to CENTOS.
V/R
Derek Warner – CISSP-ISSEP
Information System Security Engineer
Riptide Software
w- 321-296-0068 x 136
c- 407-716-9223
derek.warner@riptidesoftware.com
derek.a.warner@us.army.mil
On Thu, May 22, 2014 at 6:14 PM, < scap-security-guide-request@lists.fedorahosted.org> wrote:
Today's Topics:
- Re: Scap for Centos (Shawn Wells)
- Re: Scap for Centos (Andrew Gilmore)
- Interesting RH specific discussion on OpenSCAP (Andrew Gilmore)
- Re: Scap for Centos (Colvin, Ron (GSFC-700.0)[VALADOR INC])
- Re: Scap for Centos (Shawn Wells)
- Re: Scap for Centos (Mike Johnson)
- Re: Scap for Centos (Andrew Gilmore)
Message: 1 Date: Thu, 22 May 2014 17:13:07 -0400 From: Shawn Wells shawn@redhat.com To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: Scap for Centos Message-ID: 537E6863.3050704@redhat.com Content-Type: text/plain; charset=UTF-8; format=flowed
On 5/22/14, 5:06 PM, Shawn Wells wrote:
On 5/22/14, 3:43 PM, Derek Warner wrote:
Any chance anyone is working on getting SCAP to work on CENTOS? I would love to use the scap security guide and secstate to validate CENTOS 6.5. Right now it's a manual process going line by line in the RHEL 5 STIG. I would really love to find out if anyone has anything automated that works on CENTOS.
Given that CentOS isn't allowed on DoD networks, there is no STIG, no common criteria, no support, and doesn't meet any of the mandatory regulatory requirements, what's driving the need?
(p.s. Yes, that was worded a little silly, but I'm serious (and not just because I'm @redhat.com))
And actually, this does bring up a good question: have many people been briefed on the Fedora/CentOS/RHEL roadmap and divergence? It's an area that RHT is extremely passionate to inform customers and partners on. If there's interest, I might be able to set up a community call and bring in the CentOS/RHEL leaders to chat about future plans.
Message: 2 Date: Thu, 22 May 2014 15:35:14 -0600 From: Andrew Gilmore agilmore2@gmail.com To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: Scap for Centos Message-ID: <CAD1s7uzxvQ7KPn_0QKTd2D7cNw3Kp=9KUUUNJ5svMR1= 6atY3Q@mail.gmail.com> Content-Type: text/plain; charset="utf-8"
SSG is not just for DoD, I sure hope!
I'm sure there are many CentOS deployments in .gov, I believe there are several just in my agency alone. Do we really want to not support them, or force them into manual edits to get scans to work?
I've seen nothing announced on CentOS roadmap. More information would be good.
On Thu, May 22, 2014 at 3:13 PM, Shawn Wells shawn@redhat.com wrote:
On 5/22/14, 5:06 PM, Shawn Wells wrote:
On 5/22/14, 3:43 PM, Derek Warner wrote:
Any chance anyone is working on getting SCAP to work on CENTOS? I would love to use the scap security guide and secstate to validate CENTOS 6.5. Right now it's a manual process going line by line in the RHEL 5 STIG. I would really love to find out if anyone has anything automated that works on CENTOS.
Given that CentOS isn't allowed on DoD networks, there is no STIG, no common criteria, no support, and doesn't meet any of the mandatory regulatory requirements, what's driving the need?
(p.s. Yes, that was worded a little silly, but I'm serious (and not just because I'm @redhat.com))
And actually, this does bring up a good question: have many people been briefed on the Fedora/CentOS/RHEL roadmap and divergence? It's an area that RHT is extremely passionate to inform customers and partners on. If there's interest, I might be able to set up a community call and bring in the CentOS/RHEL leaders to chat about future plans.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Message: 3 Date: Thu, 22 May 2014 15:38:45 -0600 From: Andrew Gilmore agilmore2@gmail.com To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Interesting RH specific discussion on OpenSCAP Message-ID: <CAD1s7uweBe_XQ5tMn0ObMMhacQ= LjBD23XQ_K8dQSeOAYgy4Vg@mail.gmail.com> Content-Type: text/plain; charset="utf-8"
https://access.redhat.com/site/discussions/666153
And yes, CIS shows up almost immediately.
Message: 4 Date: Thu, 22 May 2014 22:00:09 +0000 From: "Colvin, Ron (GSFC-700.0)[VALADOR INC]" ron.colvin@nasa.gov To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: Scap for Centos Message-ID: 8D12BAED-0B1C-40C6-82B5-B43984A99838@nasa.gov Content-Type: text/plain; charset="us-ascii"
Organizations and Agencies that allow CentOS on their networks?
Mobile
On May 22, 2014, at 5:06 PM, "Shawn Wells" shawn@redhat.com wrote:
On 5/22/14, 3:43 PM, Derek Warner wrote:
Any chance anyone is working on getting SCAP to work on CENTOS? I would love to use the scap security guide and secstate to validate CENTOS 6.5. Right now it's a manual process going line by line in the RHEL 5 STIG. I would really love to find out if anyone has anything automated that works on CENTOS.
Given that CentOS isn't allowed on DoD networks, there is no STIG, no common criteria, no support, and doesn't meet any of the mandatory regulatory requirements, what's driving the need?
Message: 5 Date: Thu, 22 May 2014 18:00:43 -0400 From: Shawn Wells shawn@redhat.com To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: Scap for Centos Message-ID: 537E738B.4010100@redhat.com Content-Type: text/plain; charset=UTF-8; format=flowed
On 5/22/14, 5:35 PM, Andrew Gilmore wrote:
SSG is not just for DoD, I sure hope!
I'm sure there are many CentOS deployments in .gov, I believe there are several just in my agency alone. Do we really want to not support them, or force them into manual edits to get scans to work?
Very correct -- there's broad content supporting a wide range of needs; ranging from commercial (the C2S profile) to classified (e.g. STIG and CS2).
Lacking Common Criteria and FIPS certification, CentOS is not consumable by the U.S. Government per the National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11, now known as the Committee on National Security Systems (CNSS). It's always bugged me that policies exist ("all software procurements must be common criteria certified!"), of which Red Hat (my employer) is held to simply because we're a commercial entity, yet freeware derivatives (e.g. Scientific Linux) aren't held to the same standards. Anywhoo, I suppose that conversation is a rabbit hole we need not go down.
I've seen nothing announced on CentOS roadmap. More information would be good.
There's a ton of good information at https://community.redhat.com/centos-faq/.
In essence CentOS will be diverging from a RHEL derivative to being its own, organic community. CentOS variants will spin up and feed *into* RHEL, instead of being a downstream derivative. I'll poke around internally to RHT and set up a community call if there are others interested in the Fedora/CentOS/RHEL roadmap.
Message: 6 Date: Thu, 22 May 2014 18:05:22 -0400 From: Mike Johnson mikerjohnson@gmail.com To: scap-security-guide@lists.fedorahosted.org Subject: Re: Scap for Centos Message-ID: <CA+3jfow3ur1EN2VTvRzwBg_-P4mk+Roh3mP8HB76== yvdN2fFQ@mail.gmail.com> Content-Type: text/plain; charset="utf-8"
The VA has adopted the DISA STIG and CentOS has been approved for development servers. I think there are enclave requirements, nevertheless, it can be used.
Mike
Date: Thu, 22 May 2014 17:06:32 -0400 From: Shawn Wells shawn@redhat.com To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: Scap for Centos Message-ID: 537E66D8.9040604@redhat.com Content-Type: text/plain; charset=UTF-8; format=flowed
On 5/22/14, 3:43 PM, Derek Warner wrote:
Any chance anyone is working on getting SCAP to work on CENTOS? I would love to use the scap security guide and secstate to validate CENTOS 6.5. Right now it's a manual process going line by line in the RHEL 5 STIG. I would really love to find out if anyone has anything automated that works on CENTOS.
Given that CentOS isn't allowed on DoD networks, there is no STIG, no common criteria, no support, and doesn't meet any of the mandatory regulatory requirements, what's driving the need?
Message: 7 Date: Thu, 22 May 2014 16:14:31 -0600 From: Andrew Gilmore agilmore2@gmail.com To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: Scap for Centos Message-ID: < CAD1s7uxEcdMbDWOtK1x23C2SWbznZreuTa6zmzJ62tf0w29Vwg@mail.gmail.com> Content-Type: text/plain; charset="utf-8"
I don't get it. Reading this line from the FAQ "No, CentOS releases will follow shortly after the release of Red Hat Enterprise Linux source." leads me to believe that CentOS will be largely usable as it has been, as a free, completely compatible version of RHEL. Yes, with challenges in errata availability, but that's the use case.
Suggesting that CentOS is going to be *upstream* of RHEL suggests several other valuable, but completely different, uses. I'm not sure this is a great move, as I see bigger challenges coming from the free and polished desktop side (*cough* Ubuntu).
RHEL 7 should be very interesting.
On Thu, May 22, 2014 at 4:05 PM, Mike Johnson <mikerjohnson@gmail.com> wrote:
The VA has adopted the DISA STIG and CentOS has been approved for development servers. I think there are enclave requirements, nevertheless, it can be used.
Mike
Date: Thu, 22 May 2014 17:06:32 -0400 From: Shawn Wells shawn@redhat.com To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org Subject: Re: Scap for Centos Message-ID: 537E66D8.9040604@redhat.com Content-Type: text/plain; charset=UTF-8; format=flowed
On 5/22/14, 3:43 PM, Derek Warner wrote:
Any chance anyone is working on getting SCAP to work on CENTOS? I would love to use the scap security guide and secstate to validate CENTOS 6.5. Right now it's a manual process going line by line in the RHEL 5 STIG. I would really love to find out if anyone has anything automated that works on CENTOS.
Given that CentOS isn't allowed on DoD networks, there is no STIG, no common criteria, no support, and doesn't meet any of the mandatory regulatory requirements, what's driving the need?
End of scap-security-guide Digest, Vol 33, Issue 38