> the flexibility to support per-profile specialized rules is a great 
> capability of the SSG project! 
Agreed here. It's expected that additional profile(s) will be needed within the 
CCP context. For example, Managed Service Providers (a type of CCP) are one use 
case where customization of RHEL images is expected. MSPs often install their 
own monitoring/backup packages, etc. that would be flagged by a non-RH package 
check. We'll need to build a profile to account for such circumstances (I'm 
working on that deliverable). 

-Matt 

Matthew Mariani 
Cloud Solution Architect 
M: +1-717-756-6834 
[email protected] 

----- Original Message -----

From: "Shawn Wells" <[email protected]> 
To: [email protected] 
Sent: Tuesday, November 12, 2013 8:33:35 PM 
Subject: Re: Additional Checks for RH Cloud Provider Profile (rht-ccp) 

On 11/11/13, 11:37 PM, Jeffrey Blank wrote: 

> I might be more concerned that the "non-rh_packages" Rule would drive
> developers to / not / package software into RPMs at all.
>
> But of course, I have very little context with regard to when/how this
> CCP profile would be exercised.  It's certainly possible to add these
> sorts of things to the project in a manner that makes explicit their
> specialized scenario. 

As part of Red Hat's larger certified cloud provider (CCP) program, third party 
cloud providers must provide Red Hat evidence that their RHEL AMIs/images meet 
certain standards imposed by Red Hat. Historically these standards have been 
enforced with bash and python hackery. We're trying to standardize things via 
SCAP. 

The rht-ccp profile will scan the base image/AMI. Standards aren't as stringent 
as, say, a STIG, but we want to ensure all CCPs enable things like SSHv2, 
partitions for /tmp and /var/log/audit, SELinux is running, etc. Once the image 
is certified between Red Hat and the CCP, the images are released to the CCP 
end users. 

CCP certification is largely done to ensure consistency of the initial RHEL 
experience to end-users between multiple cloud providers. End users will be 
able to do whatever they please -- install additional software, turn off the 
original security controls, etc. 

It's unlikely other profiles will use non-rh_packages, however as you noted, 
the flexibility to support per-profile specialized rules is a great capability 
of the SSG project! 

_______________________________________________ 
scap-security-guide mailing list 
[email protected] 
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide 
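The checks Shawn lists for the rht-ccp profile (non-Red Hat packages, separate /tmp and /var/log/audit partitions, SELinux enforcing, SSHv2 only), sketched as plain shell functions. This is an added example, not code from the SSG project or the thread; the evidence sources named in the comments (rpm vendor field, findmnt, getenforce, sshd_config) are assumptions about how one would gather the inputs on a live host, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not SSG project code: plain-shell versions of the kinds of
# checks the rht-ccp profile is described as standardizing. Each check reads
# its evidence from stdin so it can be exercised on constructed samples; on a
# live host the assumed sources are `rpm -qa --qf '%{NAME}\t%{VENDOR}\n'`,
# `findmnt -rn -o TARGET`, `getenforce` and /etc/ssh/sshd_config.

# Print RPM names whose vendor field is not Red Hat (the "non-rh_packages" idea).
non_rh_packages() {
    awk -F'\t' '$2 != "Red Hat, Inc." { print $1 }'
}

# Succeed if $1 is listed as its own mount target (one path per line on stdin).
has_own_mount() {
    grep -qx -- "$1"
}

# Succeed if getenforce-style output on stdin is exactly "Enforcing".
selinux_enforcing() {
    [ "$(cat)" = "Enforcing" ]
}

# Succeed unless sshd_config on stdin enables protocol 1 ("Protocol 1", "Protocol 2,1").
sshv2_only() {
    ! grep -Eiq '^[[:space:]]*Protocol[[:space:]]+([0-9]+,)*1([[:space:],]|$)'
}

# Run every check over evidence passed as text arguments (packages, mounts,
# getenforce output, sshd_config) and print the names of the failed checks.
ccp_report() {
    failed=""
    [ -z "$(printf '%s\n' "$1" | non_rh_packages)" ] || failed="$failed non_rh_packages"
    for mp in /tmp /var/log/audit; do
        printf '%s\n' "$2" | has_own_mount "$mp" || failed="$failed partition:$mp"
    done
    printf '%s\n' "$3" | selinux_enforcing || failed="$failed selinux_enforcing"
    printf '%s\n' "$4" | sshv2_only || failed="$failed sshv2_only"
    echo "${failed# }"
}

# Constructed sample evidence: an image with a third-party monitoring agent,
# no separate /tmp, SELinux enforcing, and SSH protocol 1 still enabled.
sample_pkgs="$(printf 'bash\tRed Hat, Inc.\nacme-monitor\tAcme Monitoring Inc.')"
sample_mounts="$(printf '/\n/boot\n/var/log/audit')"
sample_sshd="$(printf '# sshd_config\nProtocol 2,1\nPermitRootLogin no')"
ccp_report "$sample_pkgs" "$sample_mounts" "Enforcing" "$sample_sshd"
```

Run as-is it prints the three checks the sample image fails; on a real host feed each function the live command output instead of the constructed strings.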
