On 5/22/14, 5:35 PM, Andrew Gilmore wrote:
SSG is not just for DoD, I sure hope!

I'm sure there are many CentOS deployments in .gov, I believe there are several just in my agency alone. Do we really want to not support them, or force them into manual edits to get scans to work?

Very correct -- there's broad content supporting a wide range of needs, ranging from commercial (the C2S profile) to classified (e.g. STIG and CS2).

Lacking Common Criteria and FIPS certification, CentOS is not consumable by the U.S. Government per the National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11, now known as the Committee on National Security Systems (CNSS). It's always bugged me that policies exist ("all software procurements must be common criteria certified!"), to which Red Hat (my employer) is held simply because we're a commercial entity, yet freeware derivatives (e.g. Scientific Linux) aren't held to the same standards. Anywhoo, I suppose that conversation is a rabbit hole we need not go down.


I've seen nothing announced on CentOS roadmap. More information would be good.
There's a ton of good information at https://community.redhat.com/centos-faq/.

In essence CentOS will be diverging from a RHEL derivative to being its own, organic community. CentOS variants will spin up and feed *into* RHEL, instead of being a downstream derivative. I'll poke around internally to RHT and set up a community call if there are others interested in the Fedora/CentOS/RHEL roadmap.
_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
