We have been allowed to use CENTOS on a variety of DoD systems. We do not
connect to the GIG however. These are systems which do not connect or
connect to very controlled networks. RHEL is just costing our program too
much money so we switched to CENTOS.

V/R

Derek Warner – CISSP-ISSEP

Information System Security Engineer

Riptide Software

w- 321-296-0068 x 136

c-  407-716-9223

[email protected]

[email protected]


On Thu, May 22, 2014 at 6:14 PM, <
[email protected]> wrote:

> Today's Topics:
>
>    1. Re: Scap for Centos (Shawn Wells)
>    2. Re: Scap for Centos (Andrew Gilmore)
>    3. Interesting RH specific discussion on OpenSCAP (Andrew Gilmore)
>    4. Re: Scap for Centos (Colvin, Ron (GSFC-700.0)[VALADOR INC])
>    5. Re: Scap for Centos (Shawn Wells)
>    6. Re: Scap for Centos (Mike Johnson)
>    7. Re: Scap for Centos (Andrew Gilmore)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 22 May 2014 17:13:07 -0400
> From: Shawn Wells <[email protected]>
> To: SCAP Security Guide <[email protected]>
> Subject: Re: Scap for Centos
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> On 5/22/14, 5:06 PM, Shawn Wells wrote:
> >
> > On 5/22/14, 3:43 PM, Derek Warner wrote:
> >> Any chance anyone is working on getting SCAP to work on CENTOS? I
> >> would love to use the scap security guide and secstate to validate
> >> CENTOS 6.5. Right now it's a manual process going line by line in the
> >> RHEL 5 STIG. I would really love to find out if anyone has anything
> >> automated that works on CENTOS.
> >
> > Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> > common criteria, no support, and doesn't meet any of the mandatory
> > regulatory requirements, what's driving the need?
>
> (p.s. Yes, that was worded a little silly, but I'm serious (and not just
> because I'm @redhat.com))
>
> And actually, this does bring up a good question: have many people been
> briefed on the Fedora/CentOS/RHEL roadmap and divergence? It's an area
> that RHT is extremely passionate to inform customers and partners on. If
> there's interest, I might be able to set up a community call and bring in
> the CentOS/RHEL leaders to chat about future plans.
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 22 May 2014 15:35:14 -0600
> From: Andrew Gilmore <[email protected]>
> To: SCAP Security Guide <[email protected]>
> Subject: Re: Scap for Centos
> Message-ID:
>         <CAD1s7uzxvQ7KPn_0QKTd2D7cNw3Kp=9KUUUNJ5svMR1=
> [email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> SSG is not just for DoD, I sure hope!
>
> I'm sure there are many CentOS deployments in .gov, I believe there are
> several just in my agency alone. Do we really want to not support them, or
> force them into manual edits to get scans to work?
>
> I've seen nothing announced on CentOS roadmap. More information would be
> good.
>
>
>
>
> On Thu, May 22, 2014 at 3:13 PM, Shawn Wells <[email protected]> wrote:
>
> >
> > On 5/22/14, 5:06 PM, Shawn Wells wrote:
> >
> >>
> >> On 5/22/14, 3:43 PM, Derek Warner wrote:
> >>
> >>> Any chance anyone is working on getting SCAP to work on CENTOS? I would
> >>> love to use the scap security guide and secstate to validate CENTOS 6.5.
> >>> Right now it's a manual process going line by line in the RHEL 5 STIG. I
> >>> would really love to find out if anyone has anything automated that works
> >>> on CENTOS.
> >>>
> >>
> >> Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> >> common criteria, no support, and doesn't meet any of the mandatory
> >> regulatory requirements, what's driving the need?
> >>
> >
> > (p.s. Yes, that was worded a little silly, but I'm serious (and not just
> > because I'm @redhat.com))
> >
> > And actually, this does bring up a good question: have many people been
> > briefed on the Fedora/CentOS/RHEL roadmap and divergence? It's an area that
> > RHT is extremely passionate to inform customers and partners on. If there's
> > interest, I might be able to set up a community call and bring in the
> > CentOS/RHEL leaders to chat about future plans.
> >
> > _______________________________________________
> > scap-security-guide mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> >
>
> ------------------------------
>
> Message: 3
> Date: Thu, 22 May 2014 15:38:45 -0600
> From: Andrew Gilmore <[email protected]>
> To: SCAP Security Guide <[email protected]>
> Subject: Interesting RH specific discussion on OpenSCAP
> Message-ID:
>         <CAD1s7uweBe_XQ5tMn0ObMMhacQ=
> [email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> https://access.redhat.com/site/discussions/666153
>
> And yes, CIS shows up almost immediately.
>
> ------------------------------
>
> Message: 4
> Date: Thu, 22 May 2014 22:00:09 +0000
> From: "Colvin, Ron (GSFC-700.0)[VALADOR INC]" <[email protected]>
> To: SCAP Security Guide <[email protected]>
> Subject: Re: Scap for Centos
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Organizations and Agencies that allow CentOS on their networks?
>
> Mobile
>
> > On May 22, 2014, at 5:06 PM, "Shawn Wells" <[email protected]> wrote:
> >
> >
> >> On 5/22/14, 3:43 PM, Derek Warner wrote:
> >> Any chance anyone is working on getting SCAP to work on CENTOS? I would
> >> love to use the scap security guide and secstate to validate CENTOS 6.5.
> >> Right now it's a manual process going line by line in the RHEL 5 STIG. I
> >> would really love to find out if anyone has anything automated that works
> >> on CENTOS.
> >
> > Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> > common criteria, no support, and doesn't meet any of the mandatory
> > regulatory requirements, what's driving the need?
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 22 May 2014 18:00:43 -0400
> From: Shawn Wells <[email protected]>
> To: SCAP Security Guide <[email protected]>
> Subject: Re: Scap for Centos
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> On 5/22/14, 5:35 PM, Andrew Gilmore wrote:
> > SSG is not just for DoD, I sure hope!
> >
> > I'm sure there are many CentOS deployments in .gov, I believe there
> > are several just in my agency alone. Do we really want to not support
> > them, or force them into manual edits to get scans to work?
>
> Very correct -- there's broad content supporting a wide range of needs;
> ranging from commercial (the C2S profile) to classified (e.g. STIG and
> CS2).
>
> Lacking Common Criteria and FIPS certification, CentOS is not consumable
> by the U.S. Government per the National Security Telecommunications and
> Information Systems Security Policy (NSTISSP) #11, now known as the
> Committee on National Security Systems (CNSS). It's always bugged me
> that policies exist ("all software procurements must be common criteria
> certified!"), of which Red Hat (my employer) is held to simply because
> we're a commercial entity, yet freeware derivatives (e.g. Scientific
> Linux) aren't held to the same standards. Anywhoo, I suppose that
> conversation is a rabbit hole we need not go down.
>
>
> > I've seen nothing announced on CentOS roadmap. More information would
> > be good.
> There's a ton of good information at
> https://community.redhat.com/centos-faq/.
>
> In essence CentOS will be diverging from a RHEL derivative to being its
> own, organic community. CentOS variants will spin up and feed *into*
> RHEL, instead of being a downstream derivative. I'll poke around
> internally to RHT and set up a community call if there are others
> interested in the Fedora/CentOS/RHEL roadmap.
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 22 May 2014 18:05:22 -0400
> From: Mike Johnson <[email protected]>
> To: [email protected]
> Subject: Re: Scap for Centos
> Message-ID:
>         <CA+3jfow3ur1EN2VTvRzwBg_-P4mk+Roh3mP8HB76==
> [email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> The VA has adopted the DISA STIG and CentOS has been approved for
> development servers.  I think there are enclave requirements, nevertheless,
> it can be used.
>
> Mike
>
>
> > Date: Thu, 22 May 2014 17:06:32 -0400
> > From: Shawn Wells <[email protected]>
> > To: SCAP Security Guide <[email protected]>
> > Subject: Re: Scap for Centos
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset=UTF-8; format=flowed
> >
> >
> > On 5/22/14, 3:43 PM, Derek Warner wrote:
> > > Any chance anyone is working on getting SCAP to work on CENTOS? I
> > > would love to use the scap security guide and secstate to validate
> > > CENTOS 6.5. Right now it's a manual process going line by line in the
> > > RHEL 5 STIG. I would really love to find out if anyone has anything
> > > automated that works on CENTOS.
> >
> > Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> > common criteria, no support, and doesn't meet any of the mandatory
> > regulatory requirements, what's driving the need?
> >
> >
> >
>
> ------------------------------
>
> Message: 7
> Date: Thu, 22 May 2014 16:14:31 -0600
> From: Andrew Gilmore <[email protected]>
> To: SCAP Security Guide <[email protected]>
> Subject: Re: Scap for Centos
> Message-ID:
>         <
> cad1s7uxecdmbdwotk1x23c2swbznzreuta6zmzj62tf0w29...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I don't get it. Reading this line from the FAQ
> "No, CentOS releases will follow shortly after the release of Red Hat
> Enterprise Linux source. "
> leads me to believe that CentOS will be largely usable as it has been, as a
> free, completely compatible version of RHEL. Yes, with challenges in errata
> availability, but that's the use case.
>
> Suggesting that CentOS is going to be *upstream* of RHEL suggests several
> other valuable, but completely different, uses. I'm not sure this is a
> great move, as I see bigger challenges coming from the free and polished
> desktop side (*cough* Ubuntu).
>
> RHEL 7 should be very interesting.
>
>
>
> On Thu, May 22, 2014 at 4:05 PM, Mike Johnson <[email protected]
> >wrote:
>
> > The VA has adopted the DISA STIG and CentOS has been approved for
> > development servers.  I think there are enclave requirements, nevertheless,
> > it can be used.
> >
> > Mike
> >
> >
> >> Date: Thu, 22 May 2014 17:06:32 -0400
> >> From: Shawn Wells <[email protected]>
> >> To: SCAP Security Guide <[email protected]>
> >> Subject: Re: Scap for Centos
> >> Message-ID: <[email protected]>
> >> Content-Type: text/plain; charset=UTF-8; format=flowed
> >>
> >>
> >>
> >> On 5/22/14, 3:43 PM, Derek Warner wrote:
> >> > Any chance anyone is working on getting SCAP to work on CENTOS? I
> >> > would love to use the scap security guide and secstate to validate
> >> > CENTOS 6.5. Right now it's a manual process going line by line in the
> >> > RHEL 5 STIG. I would really love to find out if anyone has anything
> >> > automated that works on CENTOS.
> >>
> >> Given that CentOS isn't allowed on DoD networks, there is no STIG, no
> >> common criteria, no support, and doesn't meet any of the mandatory
> >> regulatory requirements, what's driving the need?
> >>
> >>
> >>
>
> ------------------------------
>
>
>
> End of scap-security-guide Digest, Vol 33, Issue 38
> ***************************************************
>