Re: VMs, containers vs. bare-metal machines in SSG

2017-08-15 Thread Trevor Vaughan
Rules for a subsystem should only apply if the subsystem to which they apply actually exists on the system. 1) The *Docker* methodology for containers would have us not use SSH in containers, but the LXC/LXD methodology (the OG of containers) would. 2) There is no reason that you need to have SSH

Re: VMs, containers vs. bare-metal machines in SSG

2017-08-15 Thread Watson Yuuma Sato
On 19/01/17 18:40, Watson Yuuma Sato wrote: On 20/10/16 20:30, Martin Preisler wrote: We have had increasing requests to scan containers and VM storage images for compliance. In those use-cases a lot of our rules don't make sense. For example separate partition for /tmp isn't really applicable

Re: VMs, containers vs. bare-metal machines in SSG

2017-02-03 Thread Watson Yuuma Sato
On 19/01/17 18:40, Watson Yuuma Sato wrote: On 20/10/16 20:30, Martin Preisler wrote: We have had increasing requests to scan containers and VM storage images for compliance. In those use-cases a lot of our rules don't make sense. For example separate partition for /tmp isn't really applicable

Re: VMs, containers vs. bare-metal machines in SSG

2017-01-19 Thread Watson Yuuma Sato
On 20/10/16 20:30, Martin Preisler wrote: We have had increasing requests to scan containers and VM storage images for compliance. In those use-cases a lot of our rules don't make sense. For example separate partition for /tmp isn't really applicable to containers. I thought about how we can

RE: VMs, containers vs. bare-metal machines in SSG

2016-11-07 Thread Brent Kimberley
) [mailto:ra...@windriver.com] Sent: Monday, November 7, 2016 1:14 PM To: scap-security-guide@lists.fedorahosted.org Subject: RE: VMs, containers vs. bare-metal machines in SSG > From: Brent Kimberley <brent.kimber...@durham.ca> Mon, 7 Nov 2016 > 17

RE: VMs, containers vs. bare-metal machines in SSG

2016-11-07 Thread Radzykewycz, T (Radzy)
ste. But I think it's worth spending some time to avoid it. Enjoy! -- radzy > -Original Message- > From: Radzykewycz, T (Radzy) [mailto:ra...@windriver.com] > Sent: Friday, November 4, 2016 4:52 PM > To: scap-security-guide@lists.fedorahosted.org > Subject: RE: VMs,

RE: VMs, containers vs. bare-metal machines in SSG

2016-11-07 Thread Brent Kimberley
@lists.fedorahosted.org Subject: RE: VMs, containers vs. bare-metal machines in SSG > -Original Message- > From: Radzykewycz, T (Radzy) [mailto:ra...@windriver.com] Friday, > October 21, 2016 1:16 PM > > From: Brent Kimberley <brent.kimber...@dur

RE: VMs, containers vs. bare-metal machines in SSG

2016-11-04 Thread Radzykewycz, T (Radzy)
> -Original Message- > From: Radzykewycz, T (Radzy) [mailto:ra...@windriver.com] Friday, October 21, > 2016 1:16 PM > > From: Brent Kimberley As opposed to > > writing one XCCDF, why not write one XCCDF per point of

RE: VMs, containers vs. bare-metal machines in SSG

2016-11-02 Thread Brent Kimberley
: RE: VMs, containers vs. bare-metal machines in SSG Hi Radzy. Assuming a strawman consisting of: one OS (i.e. apps, libraries, OSxContainer-Interface, etc.); and one container (i.e. app, libraries, ContainerxOS-Interface, etc.). There is one XCCDF for the OS (baseline), one XCCDF

RE: VMs, containers vs. bare-metal machines in SSG

2016-11-02 Thread Brent Kimberley
: RE: VMs, containers vs. bare-metal machines in SSG > From: Brent Kimberley <brent.kimber...@durham.ca> As opposed to > writing one XCCDF, why not write one XCCDF per point of interest > (inside the container of interest, inside the OS but outside the > container of interest, ...

Re: VMs, containers vs. bare-metal machines in SSG

2016-10-28 Thread Trevor Vaughan
I'd like to approach this from a usability point of view and re-request a feature that I feel is crippling adoption of SCAP in orgs that can't have dedicated SCAP-fu experts. Adding additional layers of complexity is going to further drive away adoption, particularly without good command line

RE: VMs, containers vs. bare-metal machines in SSG

2016-10-21 Thread Radzykewycz, T (Radzy)
> From: Brent Kimberley > As opposed to writing one XCCDF, why not write one XCCDF per > point of interest (inside the container of interest, inside the > OS but outside the container of interest, ...) - until upstream > standards address Origin, Point (in SpaceTime),

RE: VMs, containers vs. bare-metal machines in SSG

2016-10-21 Thread Brent Kimberley
? -Original Message- From: Martin Preisler [mailto:mprei...@redhat.com] Sent: Thursday, October 20, 2016 3:57 PM To: SCAP Security Guide <scap-security-guide@lists.fedorahosted.org> Subject: Re: VMs, containers vs. bare-metal machines in SSG - Original Message - > From:

RE: VMs, containers vs. bare-metal machines in SSG

2016-10-20 Thread Brent Kimberley
-metal machines in SSG - Original Message - > From: "Shawn Wells" <sh...@redhat.com> > To: scap-security-guide@lists.fedorahosted.org > Sent: Thursday, October 20, 2016 2:45:39 PM > Subject: Re: VMs, containers vs. bare-metal machines in SSG > > [snip]

Re: VMs, containers vs. bare-metal machines in SSG

2016-10-20 Thread Steve Grubb
On Thursday, October 20, 2016 3:56:41 PM EDT Martin Preisler wrote: > - Original Message - > > > From: "Shawn Wells" <sh...@redhat.com> > > To: scap-security-guide@lists.fedorahosted.org > > Sent: Thursday, October 20, 2016 2:45:39 PM >

Re: VMs, containers vs. bare-metal machines in SSG

2016-10-20 Thread Martin Preisler
- Original Message - > From: "Shawn Wells" <sh...@redhat.com> > To: scap-security-guide@lists.fedorahosted.org > Sent: Thursday, October 20, 2016 2:45:39 PM > Subject: Re: VMs, containers vs. bare-metal machines in SSG > > [snip] > > Really l

Re: VMs, containers vs. bare-metal machines in SSG

2016-10-20 Thread Martin Preisler
- Original Message - > From: "Leland J Sr CTR DISA DD Steinke (US)" <leland.j.steinke@mail.mil> > To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org> > Sent: Thursday, October 20, 2016 2:50:54 PM > Subject: RE: VMs, contain

RE: VMs, containers vs. bare-metal machines in SSG

2016-10-20 Thread Steinke, Leland J Sr CTR DISA DD (US)
Have you considered the CPE Applicability Language (NISTIR 7698)? It facilitates this without overloading CPE IDs. Thanks, Leland > -Original Message- > From: Martin Preisler [mailto:mprei...@redhat.com] > Sent: Thursday, October 20, 2016 2:31 PM > To: SCAP Security Guide > Subject:

Re: VMs, containers vs. bare-metal machines in SSG

2016-10-20 Thread Shawn Wells
On 10/20/16 2:30 PM, Martin Preisler wrote: > We have had increasing requests to scan containers and VM storage images > for compliance. In those use-cases a lot of our rules don't make sense. > For example separate partition for /tmp isn't really applicable to containers. > > I thought about