<div dir="ltr"><div dir="ltr"> </div> <div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 6, 2020 at 5:05 PM Trey Henefield <<a href="mailto:trey.henefield@ultra-ats.com">trey.henefield@ultra-ats.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div lang="EN-US"> <div class="gmail-m_9127504191379093095WordSection1"> Copy that sir. Thanks for responding. I would love to contribute my changes. The problem is by the time we get the latest release all fixed up and in alignment with STIG requirements, a new release comes out and completely changes the way content is generated. For example, the last release changed a bunch of compliance code to now use templates and jinja. So now its not as simple to merge my existing content as I now need to learn how things are now done differently, fix issues in the new process and still get my code to work and be compliant. It is very tiresome doing this continuously every single release. We can never get things up to speed and commit changes because by the time we turn around, everything is yet again drastically changed.</div></div></blockquote><div> </div><div> Hello Trey, thanks for sharing your pain.</div><div> </div><div>I'd like to better understand the aspects of your changes, are they only related to content, like rules and remediation? Or do you also tweak the build system? </div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_9127504191379093095WordSection1"> I am all for innovation and finding better ways to accomplish tasks. But these types of changes need to be less frequently to simply allow the compliance code to mature. <div> In most development environments, including our own, there is the concept of major releases and minor releases. Where major releases incorporate “major” changes into the software, such as changing how things are done in the software. Minor releases provide for bug fixes to further improve the reliability of the the software. I consider changing how all the code is compiled, adding new processes and deprecating old processes, to be a major change as it has a cascading affect for much of the content. Whereas, minor changes would focus on simply improving the content utilizing the existing processes already in place.</div></div></div></blockquote><div> </div><div><div>There is an idea to separate the build system from the benchmark directory: <a href="https://github.com/ComplianceAsCode/content/issues/5125">https://github.com/ComplianceAsCode/content/issues/5125</a></div><div>Does this idea resonate with you? </div><div></div><div>Separating the content from the benchmark would minimize issues when compiling processes change, but it could bring another set of problems, like versioning, or upgrade paths. </div><div> </div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_9127504191379093095WordSection1"><div> I had brought this up before but it just seems to be ignored. I really would like to see a better effort from the maintainers of this content to improve on this issue so that those of us utilizing the content and improving the content can have ample opportunity to upload these improvements so that the rest of the community can benefit from these changes alike. Best regards, Trey Henefield, CISSP Cyber Security Manager <img style="width: 1.6562in; height: 0.3125in;" id="gmail-m_9127504191379093095_x0000_i1034" src="cid:170b0ae1d0a4ce8e91" width="159" height="30"> Ultra Intelligence & Communications 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA T: +1 512 327 6795 ext. 647 M: +1 512 541 6450 <a href="http://www.ultra.group" target="_blank">ultra.group</a> </div> <div> <div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"> From: Matěj Týč <<a href="mailto:matyc@redhat.com" target="_blank">matyc@redhat.com</a>> Sent: Friday, March 6, 2020 4:13 AM To: Trey Henefield <<a href="mailto:trey.henefield@ultra-ats.com" target="_blank">trey.henefield@ultra-ats.com</a>>; RADUSINOVIC, IVAN J GS-12 USAF ACC 805 CTS/DOO <<a href="mailto:ivan.radusinovic@us.af.mil" target="_blank">ivan.radusinovic@us.af.mil</a>>; Sherwin Farhang <<a href="mailto:Sherwin.Farhang@newwave.io" target="_blank">Sherwin.Farhang@newwave.io</a>>; <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> Subject: Re: [Open-scap] SCAP's for CentOS 7 & 8 </div> </div> Hello Trey and others, first of all, the openscap list is mainly about the scanner, while your points are about the content, for which I recommend the <a href="mailto:scap-security-guide@lists.fedorahosted.org" target="_blank">scap-security-guide@lists.fedorahosted.org</a> mailing list. Regarding the main topic, I vaguely recall discussions about whether to have CentOS profiles that would be inevitably failing (due to lack of certification of scanned systems), or whether to remove profiles that require certifications to pass altogether. The second approach has won, possibly driven by fears that the project would keep getting reports that a rule is failing, so maintainers should do something about it and fix it. The scanner can't say "I am sorry, your system is not certified, that's why the rule fails" - anyone using the scanner would see just another rule failing, and one has to read the guide/report to correctly understand what's the problem. <div> On 05. 03. 20 18:16, Trey Henefield wrote: </div> <blockquote style="margin-top:5pt;margin-bottom:5pt"> I don’t have access to it at the moment as I am out of the office this week and next, but I will provide this info when I return. <div> I was just as surprised as anyone else, but a customer informed me of this. Because it is open source software, they were able to do a complete source code review and approved it based on that, since the DoD opensource policy permits this now. We still prefer to use RedHat and bring them allot of business, but it feels that this open source community is more business driven than community driven, resulting in these types of decisions. But that should not be the case for an open source community project. </div> </blockquote> If any of you don't agree with decisions that were taken, let your take on this be heard in the appropriate mailing list. Community is inseparable from participation, maintainers will take shortcuts if there is no visible pushback against them. <blockquote style="margin-top:5pt;margin-bottom:5pt"> <div> While I am on my soap box, I will just reiterate again, I am not a fan of the drastic changes that are added every two months to a new release. Major changes like this and overhauling how compliance code gets built every two months is just bad. These major changes should be released in a new major release less frequently (6 months, or even once a year). Rather, the incrimental releases pushed out every two months should be more based on bring compliance code up to speed to provide more complete and accurate coverage of the requirements. Everytime I merge in the latest release with our code, we spend so much time going back and fixing all the things it breaks. </div> </blockquote> The Security Compliance field is gaining momentum, and it will continue to do so in the foreseeable future. Therefore, the project needs to accommodate ever-increasing requirements - such as introduction of new profiles, new products, and even new paradigms. The only way to do so is to refactor its parts and make them perform better. We are so far very successful in this effort, and what you describe is the inevitable downside of it. So Trey, do you think that your code could be upstreamed? That way, it would become possible for us to keep it in a good shape at a low cost. <blockquote style="margin-top:5pt;margin-bottom:5pt"> <div> Best regards, Trey Henefield, CISSP Cyber Security Manager <img style="width: 1.6562in; height: 0.3125in;" id="gmail-m_9127504191379093095_x0000_i1025" src="cid:170b0ae1d0a4ce8e91" width="159" height="30" border="0"> Ultra Intelligence & Communications 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA T: +1 512 327 6795 ext. 647 M: +1 512 541 6450 <a href="http://www.ultra.group" target="_blank">ultra.group</a> </div> <div> <div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"> From: RADUSINOVIC, IVAN J GS-12 USAF ACC 805 CTS/DOO <a href="mailto:ivan.radusinovic@us.af.mil" target="_blank"> <ivan.radusinovic@us.af.mil></a> Sent: Thursday, March 5, 2020 10:54 AM To: Trey Henefield <a href="mailto:trey.henefield@ultra-ats.com" target="_blank"><trey.henefield@ultra-ats.com></a>; Sherwin Farhang <a href="mailto:Sherwin.Farhang@newwave.io" target="_blank"><Sherwin.Farhang@newwave.io></a>; <a href="mailto:open-scap-list@redhat.com" target="_blank"> open-scap-list@redhat.com</a> Subject: RE: SCAP's for CentOS 7 & 8 </div> </div> Hey, while we’re on the topic, does anyone have the link depicting it being on the APL? Which APL are we talking about? Thanks! <div> S/F Ivan Radusinovic “R+10”; “Sgt Rad” ISSE || 805th CTS / DOO mob. 916-934-6592 || off. 702-652-8499 || NIPR <a href="mailto:ivan.radusinovic@us.af.mil" target="_blank">ivan.radusinovic@us.af.mil</a> SIPR <a href="mailto:ivan.j.radusinovic.civ@mail.smil.mil" target="_blank"> ivan.j.radusinovic.civ@mail.smil.mil</a> "Comm…. works 60% of the time.. all the time!" - GySgt McCown </div> <div> <div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"> From: <a href="mailto:open-scap-list-bounces@redhat.com" target="_blank"> open-scap-list-bounces@redhat.com</a> <<a href="mailto:open-scap-list-bounces@redhat.com" target="_blank">open-scap-list-bounces@redhat.com</a>> On Behalf Of Trey Henefield Sent: Thursday, March 5, 2020 8:47 AM To: Sherwin Farhang <<a href="mailto:Sherwin.Farhang@newwave.io" target="_blank">Sherwin.Farhang@newwave.io</a>>; <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> Subject: [Non-DoD Source] Re: [Open-scap] SCAP's for CentOS 7 & 8 </div> </div> This is disappointing as it feels like a political move. There is no functional reason why it could not be supported. It is approved within DoD as it is on the approved software list. <div> Rather than removing its support, let the authorities that be make the decision as to if it is acceptable for use. Best regards, Trey Henefield, CISSP Cyber Security Manager <img style="width: 1.6562in; height: 0.3125in;" id="gmail-m_9127504191379093095Picture_x0020_1" src="cid:170b0ae1d0a4ce8e91" width="159" height="30" border="0"> Ultra Intelligence & Communications 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA T: +1 512 327 6795 ext. 647 M: +1 512 541 6450 <a href="http://www.ultra.group" target="_blank">ultra.group</a> </div> <div> <div style="border-color:rgb(225,225,225) currentcolor currentcolor;border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in"> From: <a href="mailto:open-scap-list-bounces@redhat.com" target="_blank"> open-scap-list-bounces@redhat.com</a> <<a href="mailto:open-scap-list-bounces@redhat.com" target="_blank">open-scap-list-bounces@redhat.com</a>> On Behalf Of Sherwin Farhang Sent: Wednesday, March 4, 2020 3:47 PM To: <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> Subject: [Open-scap] SCAP's for CentOS 7 & 8 </div> </div> <div> Hi OpenSCAP team, </div> <div> </div> <div> I tried following a guide to deploy DISA STIG's from RedHat to CentOS I was dissapointed this functionality is intentionally not supported anymore. Can't a message be shot across saying "deploying this does not make you compliant to DISA STIG because this is CentOS and does not carry the proper certifications"? I just found this tool and tested it out to deploy pci-dss as a test to a vm and it was really convenient that it worked so well. It would be nice if that functionality still worked. Also when I run CentOS 8 and download the workbench no CentOS profiles are downloaded but they do download for CentOS - 7 Likely a bug unless your team is actually just removing all functionality for CentOS 8 moving forward which is disappointing as well. Whenever I see a project remove functionality a fork is made and the community splits. I hope to hear back. </div> <div> </div> <div> Thank you, </div> <div> </div> <div> -Sherwin </div> <div> <div> </div> <div id="gmail-m_9127504191379093095Signature"> <div id="gmail-m_9127504191379093095divtagdefaultwrapper"> <div> <table style="margin-left:0.5pt;background:white none repeat scroll 0% 0%;border-collapse:collapse" cellspacing="0" cellpadding="0" border="0"> <tbody> <tr style="height:7.7pt"> <td colspan="5" style="width:448.6pt;padding:0in 5.4pt;height:7.7pt" width="598"> Sherwin Farhang | CISSP | GCIH | CCSK </td> <td style="width:57.75pt;padding:0in;height:7.7pt" width="77"> </td> </tr> <tr style="height:8.2pt"> <td colspan="5" style="width:448.6pt;padding:0in 5.4pt;height:8.2pt" width="598"> ISSO </td> <td style="width:57.75pt;padding:0in;height:8.2pt" width="77"> </td> </tr> <tr style="height:9.05pt"> <td colspan="4" style="width:443.2pt;padding:0in 5.4pt;height:9.05pt" width="591"> 6518 Meadowridge Rd. | Ste. 100 | Elkridge, MD 21075 </td> <td style="width:5.4pt;padding:0in;height:9.05pt" width="7"> </td> <td style="width:57.75pt;padding:0in;height:9.05pt" width="77"> </td> </tr> <tr style="height:9.05pt"> <td colspan="4" style="width:443.2pt;padding:0in 5.4pt;height:9.05pt" width="591"> P 443.701.5266| F 1.866.824.8914 | <a href="https://www.newwave.io/" target="_blank">newwave.io</a> </td> <td style="width:5.4pt;padding:0in;height:9.05pt" width="7"> </td> <td style="width:57.75pt;padding:0in;height:9.05pt" width="77"> </td> </tr> <tr style="height:8.4pt"> <td colspan="4" style="width:443.2pt;padding:0in 5.4pt;height:8.4pt" width="591"> </td> <td style="width:5.4pt;padding:0in;height:8.4pt" width="7"> </td> <td style="width:57.75pt;padding:0in;height:8.4pt" width="77"> </td> </tr> <tr style="height:26.85pt"> <td style="width:28.5pt;padding:0in 5.4pt;height:26.85pt" width="38"> <a href="https://www.facebook.com/NewWave.Telecom.and.Technologies/" target="_blank"><img style="width: 0.25in; height: 0.2604in;" id="gmail-m_9127504191379093095_x0000_i1027" src="cid:170b0ae1d0a5b16b22" alt="cidimage011.png@01D5E32F.9731D090" width="24" height="25" border="0"></a> </td> <td style="width:26.15pt;padding:0in 5.4pt;height:26.85pt" width="35"> <a href="https://www.instagram.com/newwave_tech/" target="_blank"><img style="width: 0.25in; height: 0.25in;" id="gmail-m_9127504191379093095_x0000_i1028" src="cid:170b0ae1d0a692e333" alt="cidimage012.png@01D5E32F.9731D090" width="24" height="24" border="0"></a> </td> <td style="width:28.2pt;padding:0in 5.4pt;height:26.85pt" width="38"> <a href="https://twitter.com/NewWave_Tech" target="_blank"><img style="width: 0.2604in; height: 0.2187in;" id="gmail-m_9127504191379093095_x0000_i1029" src="cid:170b0ae1d0b7745b44" alt="cidimage013.png@01D5E32F.9731D090" width="25" height="21" border="0"></a> </td> <td style="width:360.25pt;padding:0in 5.4pt;height:26.85pt" width="480"> <a href="https://www.linkedin.com/company/newwave_technologies" target="_blank"><img style="width: 0.25in; height: 0.2604in;" id="gmail-m_9127504191379093095_x0000_i1030" src="cid:170b0ae1d0b855d355" alt="cidimage014.png@01D5E32F.9731D090" width="24" height="25" border="0"></a> </td> <td style="width:5.4pt;padding:0in;height:26.85pt" width="7"> </td> <td style="width:58.5pt;padding:0in;height:26.85pt" width="78"> </td> </tr> <tr style="height:9.25pt"> <td colspan="4" style="width:443.2pt;padding:0in 5.4pt;height:9.25pt" width="591"> <a href="https://newwave.io/" target="_blank"><img style="width: 5.302in; height: 1.0625in;" id="gmail-m_9127504191379093095_x0000_i1031" src="cid:170b0ae1d0b9374b66" alt="cidimage015.png@01D5E32F.9731D090" width="509" height="102" border="0"></a> </td> <td style="width:5.4pt;padding:0in;height:9.25pt" width="7"> </td> <td style="width:57.75pt;padding:0in;height:9.25pt" width="77"> </td> </tr> <tr> <td style="width:28.5pt;padding:0in" width="38"></td> <td style="width:28.5pt;padding:0in" width="38"></td> <td style="width:29.25pt;padding:0in" width="39"></td> <td style="width:5in;padding:0in" width="480"></td> <td style="width:5.25pt;padding:0in" width="7"></td> <td style="width:58.5pt;padding:0in" width="78"></td> </tr> </tbody> </table> </div> <div> MBE Certified; GSA Schedule 70 CMMI® Maturity Level 4 Rated SVC | Level 3 Rated DEV </div> <div> ISO 9001:2015 Certified </div> <div> Microsoft Partner: Gold Cloud Platform: Gold Datacenter; Silver Application Development </div> <img style="width: 0.4687in; height: 0.4375in;" id="gmail-m_9127504191379093095OWAPstImg458460" src="cid:170b0ae1d0ba18c377" width="45" height="42" border="0"><img style="width: 1.8333in; height: 0.3541in;" id="gmail-m_9127504191379093095OWAPstImg361351" src="cid:170b0ae1d0bafa3b88" width="176" height="34" border="0"> </div> </div> </div> Confidentiality Notice: This message and all attachments are for the sole use of the intended recipient(s) and may contain NewWave Telecom & Technologies confidential and privileged information or otherwise be protected by law. This message is intended for use by the individual or entity to which it is addressed and any unauthorized review, use, disclosure or distribution is prohibited . If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Disclaimer The information contained in this communication from <a href="mailto:trey.henefield@ultra-ats.com" target="_blank">trey.henefield@ultra-ats.com</a> sent at 2020-03-05 11:47:08 is private and may be legally privileged or export controlled. It is intended solely for use by <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> and others authorized to receive it. If you are not <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful. <pre>_______________________________________________</pre> <pre>Open-scap-list mailing list</pre> <pre><a href="mailto:Open-scap-list@redhat.com" target="_blank">Open-scap-list@redhat.com</a></pre> <pre><a href="https://www.redhat.com/mailman/listinfo/open-scap-list" target="_blank">https://www.redhat.com/mailman/listinfo/open-scap-list</a></pre> </blockquote> </div> </div> _______________________________________________ Open-scap-list mailing list <a href="mailto:Open-scap-list@redhat.com" target="_blank">Open-scap-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/open-scap-list" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/open-scap-list</a></blockquote></div> -- <div dir="ltr" class="gmail_signature"><div dir="ltr">Watson Sato Security Technologies | Red Hat, Inc </div></div></div>