In addition to Jeremiah's comment, there are many commercial organizations
outside of the government who are interested in following the government
standards for secure baselines as a best practice. I think it would be a
benefit to all to encourage the use of secure baselines against all
platforms whose consumers are security conscious. In addition, you have the
added benefit of capturing more end users. I know of many organizations who
start off with freely available open source and then migrate to
professional-grade support at a later date; it is much easier to migrate
from CentOS to, say, RH than it would be from Ubuntu or another distro to RH,
and by that time many organizations will stick with what they know and the
skills of the current support personnel. That being said, I understand that
everyone has limited time and resources, but if there is a way to help
downstream consumers implement secure baselines, I think it would benefit
all.


On Tue, Aug 19, 2014 at 9:51 AM, Jeremiah Jahn <jerem...@goodinassociates.com> wrote:

> I understand the no government certification thing and am not going to
> argue with it. But as someone who uses Scientific Linux most of the
> time, I'd like to propose that we either add SL and Cent or a generic
> RHEL derivative, perhaps by simply using a tailoring var. In a perfect
> world I'd even suggest that RHEL is treated as a specific
> RHEL_derivative, just like SL or Cent. But I can only imagine the pain
> that would cause. I think what would be nice is if we make some
> CentOS and SL generic profiles, and fix the platform check in the OVAL
> definition, in a way that the derivative producers wouldn't have to
> mess with, but a specific user/admin could with a simple tailoring
> file.
>
> The problem as I see it right now is that there is a pretty big
> barrier to entry for admins of derivative systems, which means that
> there won't be a lot of eyes on the guide except for the die-hards,
> who also happen to have the time. And that doesn't seem like a good
> long-term thing.
>
> I also get the sense that some of this CentOS stuff is changing a
> "little" bit with RH pulling Cent in under its wing, but they'd be
> foolish to get Cent certified in any official way. If you want true
> certification, you should probably pay.
>
> just my 2 cents,
> -jj-
>
>
> On Fri, Aug 15, 2014 at 6:09 PM, Shawn Wells <sh...@redhat.com> wrote:
> > On 8/15/14, 6:30 PM, Greg Elin wrote:
> >> Shawn,
> >>
> >> Really interesting points.
> >>
> >> Can you also speak to Fedora vs RHEL and why Fedora is included?
> >>
> >> I think a CentOS generic is a smart approach.
> >
> >
> > We've been very careful to not claim any gov baseline compliance with
> > the Fedora content. Currently there is a generic/common profile:
> >
> >
> > https://github.com/OpenSCAP/scap-security-guide/tree/master/Fedora/input/profiles
> > --
> > SCAP Security Guide mailing list
> > scap-security-guide@lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> > https://github.com/OpenSCAP/scap-security-guide/
>



-- 
Sincerely,

James
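Jeremiah's point that "a specific user/admin could with a simple tailoring file" adapt the content for a derivative maps onto XCCDF 1.2 tailoring, which `oscap xccdf eval` already consumes via `--tailoring-file`. The file below is an added illustration written for this thread; it is not content from the SCAP Security Guide project. Every id, href and value in it (the benchmark href, the upstream profile id `xccdf_org.example_profile_common`, the Value id, the rule id and the `centos` string) is a placeholder that has to be replaced with the ids found in the benchmark actually being evaluated.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not SSG project content). An XCCDF 1.2 tailoring file that
     derives a CentOS-specific profile from an upstream profile. Every id, href
     and value is a placeholder; take the real ones from the benchmark. -->
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_tailoring_centos">
  <!-- Benchmark this tailoring applies to (placeholder href and id) -->
  <xccdf:benchmark href="benchmark-xccdf.xml"
                   id="xccdf_org.example_benchmark_placeholder"/>
  <!-- Tailoring version; the XCCDF 1.2 schema requires this element -->
  <xccdf:version time="2014-08-19T10:00:00">1</xccdf:version>

  <!-- New profile. "extends" inherits every selection and value from the
       upstream profile, so only the differences need to be listed here. -->
  <xccdf:Profile id="xccdf_org.example_profile_centos"
                 extends="xccdf_org.example_profile_common">
    <xccdf:title>Common baseline, tailored for a CentOS host</xccdf:title>
    <xccdf:description>Inherits the upstream profile and overrides only the
      settings that differ on a derivative system.</xccdf:description>

    <!-- Override a Value (hypothetical id): the kind of "tailoring var" the
         thread mentions, here an OS-release string the checks compare against -->
    <xccdf:set-value idref="xccdf_org.example_value_os_release">centos</xccdf:set-value>

    <!-- Deselect a rule (hypothetical id) that only makes sense on a host
         registered with a vendor subscription -->
    <xccdf:select idref="xccdf_org.example_rule_subscription_registered"
                  selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
```

The admin then runs `oscap xccdf eval --tailoring-file tailoring-centos.xml --profile xccdf_org.example_profile_centos benchmark-xccdf.xml`, selecting the tailored profile by its id. One caveat worth keeping in mind when reading the thread: a tailoring file can select rules and set values, but the platform check Jeremiah refers to is the CPE applicability test carried in the benchmark and its OVAL content, which a tailoring file does not rewrite. On a derivative whose CPE does not match, rules will still be reported as not applicable until the content itself is changed, which is why the thread treats the tailoring variable and the OVAL platform check as two separate fixes.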