Rules for a subsystem should only apply if the subsystem to which they
apply actually exists on the system.
1) The *Docker* methodology for containers would have us not use SSH in
containers, but the LXC/LXD methodology (the OG of containers) would.
2) There is no reason that you need to have SSH
On 19/01/17 18:40, Watson Yuuma Sato wrote:
On 20/10/16 20:30, Martin Preisler wrote:
We have had increasing requests to scan containers and VM storage images
for compliance. In those use-cases a lot of our rules don't make sense.
For example separate partition for /tmp isn't really applicable
On 20/10/16 20:30, Martin Preisler wrote:
We have had increasing requests to scan containers and VM storage images
for compliance. In those use-cases a lot of our rules don't make sense.
For example separate partition for /tmp isn't really applicable to containers.
I thought about how we can
) [mailto:ra...@windriver.com]
Sent: Monday, November 7, 2016 1:14 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: RE: VMs, containers vs. bare-metal machines in SSG
> From: Brent Kimberley <brent.kimber...@durham.ca> Mon, 7 Nov 2016
> 17
ste.
But I think it's worth spending some time to avoid it.
Enjoy!
-- radzy
> -Original Message-
> From: Radzykewycz, T (Radzy) [mailto:ra...@windriver.com]
> Sent: Friday, November 4, 2016 4:52 PM
> To: scap-security-guide@lists.fedorahosted.org
> Subject: RE: VMs,
@lists.fedorahosted.org
Subject: RE: VMs, containers vs. bare-metal machines in SSG
> -Original Message-
> From: Radzykewycz, T (Radzy) [mailto:ra...@windriver.com] Friday,
> October 21, 2016 1:16 PM
> > From: Brent Kimberley <brent.kimber...@dur
> -Original Message-
> From: Radzykewycz, T (Radzy) [mailto:ra...@windriver.com] Friday, October 21,
> 2016 1:16 PM
> > From: Brent Kimberley As opposed to
> > writing one XCCDF, why not write one XCCDF per point of
: RE: VMs, containers vs. bare-metal machines in SSG
Hi Radzy.
Assuming a strawman consisting of: one OS (i.e. apps, libraries,
OSxContainer-Interface, etc.); and one container (i.e. app, libraries,
ContainerxOS-Interface, etc.).
There is
one XCCDF for the OS (baseline)
one XCCDF
: RE: VMs, containers vs. bare-metal machines in SSG
> From: Brent Kimberley <brent.kimber...@durham.ca> As opposed to
> writing one XCCDF, why not write one XCCDF per point of interest
> (inside the container of interest, inside the OS but outside the
> container of interest, ...
I'd like to approach this from a usability point of view and re-request a
feature that I feel is crippling adoption of SCAP in orgs that can't have
dedicated SCAP-fu experts.
Adding additional layers of complexity is going to further drive away
adoption, particularly without good command line
> From: Brent Kimberley
> As opposed to writing one XCCDF, why not write one XCCDF per
> point of interest (inside the container of interest, inside the
> OS but outside the container of interest, ...) - until upstream
> standards address Origin, Point (in SpaceTime),
?
-Original Message-
From: Martin Preisler [mailto:mprei...@redhat.com]
Sent: Thursday, October 20, 2016 3:57 PM
To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org>
Subject: Re: VMs, containers vs. bare-metal machines in SSG
- Original Message -
> From: "
-metal machines in SSG
- Original Message -
> From: "Shawn Wells" <sh...@redhat.com>
> To: scap-security-guide@lists.fedorahosted.org
> Sent: Thursday, October 20, 2016 2:45:39 PM
> Subject: Re: VMs, containers vs. bare-metal machines in SSG
>
> [snip]
On Thursday, October 20, 2016 3:56:41 PM EDT Martin Preisler wrote:
> - Original Message -
>
> > From: "Shawn Wells" <sh...@redhat.com>
> > To: scap-security-guide@lists.fedorahosted.org
> > Sent: Thursday, October 20, 2016 2:45:39 PM
> >
- Original Message -
> From: "Shawn Wells" <sh...@redhat.com>
> To: scap-security-guide@lists.fedorahosted.org
> Sent: Thursday, October 20, 2016 2:45:39 PM
> Subject: Re: VMs, containers vs. bare-metal machines in SSG
>
> [snip]
>
> Really l
- Original Message -
> From: "Leland J Sr CTR DISA DD Steinke (US)" <leland.j.steinke@mail.mil>
> To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
> Sent: Thursday, October 20, 2016 2:50:54 PM
> Subject: RE: VMs, contain
Have you considered the CPE Applicability Language (NISTIR 7698)? It
facilitates this without overloading CPE IDs.
Thanks,
Leland
> -Original Message-
> From: Martin Preisler [mailto:mprei...@redhat.com]
> Sent: Thursday, October 20, 2016 2:31 PM
> To: SCAP Security Guide
> Subject:
On 10/20/16 2:30 PM, Martin Preisler wrote:
> We have had increasing requests to scan containers and VM storage images
> for compliance. In those use-cases a lot of our rules don't make sense.
> For example separate partition for /tmp isn't really applicable to containers.
>
> I thought about
19 matches