<div dir="ltr">A OSSRG profile or GPOS profile can be created. The STIG for CentOS needs a vendor and its own STIGIDs which aren't RHEL stigids. <div>Going through the DoD OSS process does not preclude following DoD CIO policy, NSA/CSS policy, applicable Federal laws (FISMA), etc. and in general good and recognized cyber processes.</div><div>CentOS doesn't have a security team or QA team which means you get to be on the hook for attesting that CVEs are addressed correctly</div><div>which gets to happen every time because the source code was compiled and not from the originator. There is also no CVE feed or authority for CentOS.</div><div>Also, NIST is in the process (public PR in the works) for deprecating CPE in place of SWID meaning checksums and SWID IDs aren't going to match up at all.</div><div>FIPS validation occurs on compiled binaries and not against source code so taking source code and or recompiling means a new FIPS validation process.</div><div>The reason this question comes up over and over is the misconception and a very huuuggggeeee misconception that CentOS == RHEL. It doesn't. </div><div>CentOS as a project doesn't contain any certification or relation to RHEL (including mappings) which you can see at <a href="https://wiki.centos.org/FAQ/General#q1">https://wiki.centos.org/FAQ/General#q1</a> and <a href="https://wiki.centos.org/FAQ/General#q8">https://wiki.centos.org/FAQ/General#q8</a><a href="https://wiki.centos.org/FAQ/General#q1"></a></div><div>Creating an actual STIG does the community and even bigger disservice because there first off isn't an official one from DISA so there is nothing at all to map to.</div><div>And secondly, it does create a false perception that CentOS is a compliant OS... it's not. However, there is no problem at all in creating an OSSRG or GPOS profile.</div><div></div><div> </div></div> <div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 9, 2020 at 10:01 AM Chuck Atkins <<a href="mailto:chuck.atkins@kitware.com">chuck.atkins@kitware.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>FWIW, I had a PR to the SSG that enables all the available profiles for RHEL derivatives even though they will fail the FIPS and vendor supported tests.</div><div> </div><div><a href="https://github.com/chuckatkins/scap-security-guide/commit/4de658370f3c4bace53eb43bc40c6579c3884b24" target="_blank">https://github.com/chuckatkins/scap-security-guide/commit/4de658370f3c4bace53eb43bc40c6579c3884b24</a></div><div> </div><div>It was quickly dismissed for the reasons already mentioned. It's something that regularly comes up a few times a year and is generally met with the same responses. It seems to be something that users and admins actively want but that the SSG maintainers are are not likely to budge on. </div><div> </div><div> </div><div><div><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">---------- Chuck Atkins Staff R&D Engineer, Scientific Computing Kitware, Inc. (518) 881-1183 </div></div></div></div></div></div></div> </div></div> <div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 6, 2020 at 3:04 PM Trey Henefield <<a href="mailto:trey.henefield@ultra-ats.com" target="_blank">trey.henefield@ultra-ats.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div lang="EN-US"> <div> Hi Gabe, A majority of the RHEL STIG rules can directly map to CentOS, as it is largely based on RedHat releases. CentOS does release security patches that align with those released for RedHat. I can understand the FIPS and Common Criteria concerns. Let those checks fail as they may. I was previously an evaluator and consultant for Common Criteria in a prior life, so I do appreciate the hard effort and extreme costs involved with that. But moving into a system accredditation standpoint, it’s a simple IA control in RMF. One of many others which it can address. Trust me, I was severely disappointed about how little the large effort of Common Criteria goes unnoticed in a system accredditation process. There’s not even a requirement to ensure the system is in its evaluated configuration. Rather, they are more focused on ensuring it meets the STIG requirements. But in light of DoD’s stance on the acceptance of Open Source software, the need for Common Criteria certification seems to be left behind. It is a disappointing reality, but nonetheless a reality. For example, we utilize OpenSSH on Windows. We compile it ourselves utilizing the OpenSSL FIPS module to gain FIPS compliance. While technically since it offers an abundance of IA capabilities, one would think that it should also be Common Criteria certified. But that is not the case. I understand your reasonings. But the fact of the matter is that CentOS is approved for use and RHEL STIGs are used as guidance in configuring it to be compliant. With that said, there’s no reason why a CentOS profile could not be maintained within the ComplianceAsCode content. Best regards, Trey Henefield, CISSP Cyber Security Manager <img style="width: 1.6562in; height: 0.3125in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144Picture_x0020_1" src="cid:170c003ff584ce8e91" width="159" height="30"> Ultra Intelligence & Communications 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA T: +1 512 327 6795 ext. 647 M: +1 512 541 6450 <a href="http://www.ultra.group" target="_blank">ultra.group</a> From: Gabe Alford <<a href="mailto:redhatrises@gmail.com" target="_blank">redhatrises@gmail.com</a>> Sent: Friday, March 6, 2020 1:36 PM To: SCAP Security Guide <<a href="mailto:scap-security-guide@lists.fedorahosted.org" target="_blank">scap-security-guide@lists.fedorahosted.org</a>> Cc: Trey Henefield <<a href="mailto:trey.henefield@ultra-ats.com" target="_blank">trey.henefield@ultra-ats.com</a>>; RADUSINOVIC, IVAN J GS-12 USAF ACC 805 CTS/DOO <<a href="mailto:ivan.radusinovic@us.af.mil" target="_blank">ivan.radusinovic@us.af.mil</a>>; <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a>; Sherwin Farhang <<a href="mailto:Sherwin.Farhang@newwave.io" target="_blank">Sherwin.Farhang@newwave.io</a>>; Matěj Týč <<a href="mailto:matyc@redhat.com" target="_blank">matyc@redhat.com</a>> Subject: Re: [Open-scap] SCAP's for CentOS 7 & 8 <div> <div> CentOS STIG profile removal was NOT political in any way. There are multiple reasons: <div> </div> <div> - No vendor supports CentOS. </div> <div> - There is no security support for CVEs. </div> <div> - There is NO DISA STIG for CentOS. </div> <div> - RHEL-vendor supported and certified profiles do not map to CentOS... The CentOS project clearly states this. </div> <div> - CentOS is not common criteria certified. </div> <div> - CentOS components are not FIPS validated and using it violates Federal Law. </div> <div> - CentOS is not in alignment with STIG requirements because it doesn't meet them due to not meeting applicable laws and vendor support. </div> <div> - There are valid cybersecurity reasons for not using CentOS. </div> </div> <div> </div> <div> Now, if CentOS started to have a security team and handled it's own CVE content, FIPS-validation, and addressed issues, would be a completely different story. </div> <div> This is the same for the OSPP, CUI, etc. profiles as well. In fact, any profile that uses NIST 800-171 or NIST 800-53, CentOS fails to comply with and encouraging </div> <div> the community to support faulty security profiles is bad security practice in and of itself. </div> <div> </div> <div> <div> <div> On Fri, Mar 6, 2020 at 10:04 AM Watson Sato <<a href="mailto:wsato@redhat.com" target="_blank">wsato@redhat.com</a>> wrote: </div> <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"> <div> <div> </div> <div> <div> On Fri, Mar 6, 2020 at 5:05 PM Trey Henefield <<a href="mailto:trey.henefield@ultra-ats.com" target="_blank">trey.henefield@ultra-ats.com</a>> wrote: </div> <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"> <div> <div> Copy that sir. Thanks for responding. I would love to contribute my changes. The problem is by the time we get the latest release all fixed up and in alignment with STIG requirements, a new release comes out and completely changes the way content is generated. For example, the last release changed a bunch of compliance code to now use templates and jinja. So now its not as simple to merge my existing content as I now need to learn how things are now done differently, fix issues in the new process and still get my code to work and be compliant. It is very tiresome doing this continuously every single release. We can never get things up to speed and commit changes because by the time we turn around, everything is yet again drastically changed. </div> </div> </blockquote> <div> </div> <div> Hello Trey, thanks for sharing your pain. </div> <div> </div> <div> I'd like to better understand the aspects of your changes, are they only related to content, like rules and remediation? Or do you also tweak the build system? </div> <div> </div> <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"> <div> <div> I am all for innovation and finding better ways to accomplish tasks. But these types of changes need to be less frequently to simply allow the compliance code to mature. <div> In most development environments, including our own, there is the concept of major releases and minor releases. Where major releases incorporate “major” changes into the software, such as changing how things are done in the software. Minor releases provide for bug fixes to further improve the reliability of the the software. I consider changing how all the code is compiled, adding new processes and deprecating old processes, to be a major change as it has a cascading affect for much of the content. Whereas, minor changes would focus on simply improving the content utilizing the existing processes already in place. </div> </div> </div> </blockquote> <div> </div> <div> <div> There is an idea to separate the build system from the benchmark directory: <a href="https://github.com/ComplianceAsCode/content/issues/5125" target="_blank"> https://github.com/ComplianceAsCode/content/issues/5125</a> </div> <div> Does this idea resonate with you? </div> <div> Separating the content from the benchmark would minimize issues when compiling processes change, but it could bring another set of problems, like versioning, or upgrade paths. </div> <div> </div> </div> <blockquote style="border-color:currentcolor currentcolor currentcolor rgb(204,204,204);border-style:none none none solid;border-width:medium medium medium 1pt;padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"> <div> <div> <div> I had brought this up before but it just seems to be ignored. I really would like to see a better effort from the maintainers of this content to improve on this issue so that those of us utilizing the content and improving the content can have ample opportunity to upload these improvements so that the rest of the community can benefit from these changes alike. Best regards, Trey Henefield, CISSP Cyber Security Manager <img style="width: 1.6562in; height: 0.3125in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095_x005f_x0000_i1034" src="cid:170c003ff584ce8e91" width="159" height="30" border="0"> Ultra Intelligence & Communications 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA T: +1 512 327 6795 ext. 647 M: +1 512 541 6450 <a href="http://www.ultra.group" target="_blank">ultra.group</a> </div> <div> <div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in;border-color:currentcolor"> From: Matěj Týč <<a href="mailto:matyc@redhat.com" target="_blank">matyc@redhat.com</a>> Sent: Friday, March 6, 2020 4:13 AM To: Trey Henefield <<a href="mailto:trey.henefield@ultra-ats.com" target="_blank">trey.henefield@ultra-ats.com</a>>; RADUSINOVIC, IVAN J GS-12 USAF ACC 805 CTS/DOO <<a href="mailto:ivan.radusinovic@us.af.mil" target="_blank">ivan.radusinovic@us.af.mil</a>>; Sherwin Farhang <<a href="mailto:Sherwin.Farhang@newwave.io" target="_blank">Sherwin.Farhang@newwave.io</a>>; <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> Subject: Re: [Open-scap] SCAP's for CentOS 7 & 8 </div> </div> Hello Trey and others, first of all, the openscap list is mainly about the scanner, while your points are about the content, for which I recommend the <a href="mailto:scap-security-guide@lists.fedorahosted.org" target="_blank">scap-security-guide@lists.fedorahosted.org</a> mailing list. Regarding the main topic, I vaguely recall discussions about whether to have CentOS profiles that would be inevitably failing (due to lack of certification of scanned systems), or whether to remove profiles that require certifications to pass altogether. The second approach has won, possibly driven by fears that the project would keep getting reports that a rule is failing, so maintainers should do something about it and fix it. The scanner can't say "I am sorry, your system is not certified, that's why the rule fails" - anyone using the scanner would see just another rule failing, and one has to read the guide/report to correctly understand what's the problem. <div> On 05. 03. 20 18:16, Trey Henefield wrote: </div> <blockquote style="margin-top:5pt;margin-bottom:5pt"> I don’t have access to it at the moment as I am out of the office this week and next, but I will provide this info when I return. <div> I was just as surprised as anyone else, but a customer informed me of this. Because it is open source software, they were able to do a complete source code review and approved it based on that, since the DoD opensource policy permits this now. We still prefer to use RedHat and bring them allot of business, but it feels that this open source community is more business driven than community driven, resulting in these types of decisions. But that should not be the case for an open source community project. </div> </blockquote> If any of you don't agree with decisions that were taken, let your take on this be heard in the appropriate mailing list. Community is inseparable from participation, maintainers will take shortcuts if there is no visible pushback against them. <blockquote style="margin-top:5pt;margin-bottom:5pt"> <div> While I am on my soap box, I will just reiterate again, I am not a fan of the drastic changes that are added every two months to a new release. Major changes like this and overhauling how compliance code gets built every two months is just bad. These major changes should be released in a new major release less frequently (6 months, or even once a year). Rather, the incrimental releases pushed out every two months should be more based on bring compliance code up to speed to provide more complete and accurate coverage of the requirements. Everytime I merge in the latest release with our code, we spend so much time going back and fixing all the things it breaks. </div> </blockquote> The Security Compliance field is gaining momentum, and it will continue to do so in the foreseeable future. Therefore, the project needs to accommodate ever-increasing requirements - such as introduction of new profiles, new products, and even new paradigms. The only way to do so is to refactor its parts and make them perform better. We are so far very successful in this effort, and what you describe is the inevitable downside of it. So Trey, do you think that your code could be upstreamed? That way, it would become possible for us to keep it in a good shape at a low cost. <blockquote style="margin-top:5pt;margin-bottom:5pt"> <div> Best regards, Trey Henefield, CISSP Cyber Security Manager <img style="width: 1.6562in; height: 0.3125in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095_x005f_x0000_i1025" src="cid:170c003ff584ce8e91" width="159" height="30" border="0"> Ultra Intelligence & Communications 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA T: +1 512 327 6795 ext. 647 M: +1 512 541 6450 <a href="http://www.ultra.group" target="_blank">ultra.group</a> </div> <div> <div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in;border-color:currentcolor"> From: RADUSINOVIC, IVAN J GS-12 USAF ACC 805 CTS/DOO <a href="mailto:ivan.radusinovic@us.af.mil" target="_blank"><ivan.radusinovic@us.af.mil></a> Sent: Thursday, March 5, 2020 10:54 AM To: Trey Henefield <a href="mailto:trey.henefield@ultra-ats.com" target="_blank"> <trey.henefield@ultra-ats.com></a>; Sherwin Farhang <a href="mailto:Sherwin.Farhang@newwave.io" target="_blank"> <Sherwin.Farhang@newwave.io></a>; <a href="mailto:open-scap-list@redhat.com" target="_blank"> open-scap-list@redhat.com</a> Subject: RE: SCAP's for CentOS 7 & 8 </div> </div> Hey, while we’re on the topic, does anyone have the link depicting it being on the APL? Which APL are we talking about? Thanks! <div> S/F Ivan Radusinovic “R+10”; “Sgt Rad” ISSE || 805th CTS / DOO mob. 916-934-6592 || off. 702-652-8499 || NIPR <a href="mailto:ivan.radusinovic@us.af.mil" target="_blank">ivan.radusinovic@us.af.mil</a> SIPR <a href="mailto:ivan.j.radusinovic.civ@mail.smil.mil" target="_blank">ivan.j.radusinovic.civ@mail.smil.mil</a> "Comm…. works 60% of the time.. all the time!" - GySgt McCown </div> <div> <div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in;border-color:currentcolor"> From: <a href="mailto:open-scap-list-bounces@redhat.com" target="_blank">open-scap-list-bounces@redhat.com</a> <<a href="mailto:open-scap-list-bounces@redhat.com" target="_blank">open-scap-list-bounces@redhat.com</a>> On Behalf Of Trey Henefield Sent: Thursday, March 5, 2020 8:47 AM To: Sherwin Farhang <<a href="mailto:Sherwin.Farhang@newwave.io" target="_blank">Sherwin.Farhang@newwave.io</a>>; <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> Subject: [Non-DoD Source] Re: [Open-scap] SCAP's for CentOS 7 & 8 </div> </div> This is disappointing as it feels like a political move. There is no functional reason why it could not be supported. It is approved within DoD as it is on the approved software list. <div> Rather than removing its support, let the authorities that be make the decision as to if it is acceptable for use. Best regards, Trey Henefield, CISSP Cyber Security Manager <img style="width: 1.6562in; height: 0.3125in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095Picture_x0020_1" src="cid:170c003ff584ce8e91" width="159" height="30" border="0"> Ultra Intelligence & Communications 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA T: +1 512 327 6795 ext. 647 M: +1 512 541 6450 <a href="http://www.ultra.group" target="_blank">ultra.group</a> </div> <div> <div style="border-style:solid none none;border-width:1pt medium medium;padding:3pt 0in 0in;border-color:currentcolor"> From: <a href="mailto:open-scap-list-bounces@redhat.com" target="_blank">open-scap-list-bounces@redhat.com</a> <<a href="mailto:open-scap-list-bounces@redhat.com" target="_blank">open-scap-list-bounces@redhat.com</a>> On Behalf Of Sherwin Farhang Sent: Wednesday, March 4, 2020 3:47 PM To: <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> Subject: [Open-scap] SCAP's for CentOS 7 & 8 </div> </div> <div> Hi OpenSCAP team, </div> <div> </div> <div> I tried following a guide to deploy DISA STIG's from RedHat to CentOS I was dissapointed this functionality is intentionally not supported anymore. Can't a message be shot across saying "deploying this does not make you compliant to DISA STIG because this is CentOS and does not carry the proper certifications"? I just found this tool and tested it out to deploy pci-dss as a test to a vm and it was really convenient that it worked so well. It would be nice if that functionality still worked. Also when I run CentOS 8 and download the workbench no CentOS profiles are downloaded but they do download for CentOS - 7 Likely a bug unless your team is actually just removing all functionality for CentOS 8 moving forward which is disappointing as well. Whenever I see a project remove functionality a fork is made and the community splits. I hope to hear back. </div> <div> </div> <div> Thank you, </div> <div> </div> <div> -Sherwin </div> <div> <div> </div> <div id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095Signature"> <div id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095divtagdefaultwrapper"> <div> <table style="margin-left:0.5pt;background:none 0% 0% repeat scroll white;border-collapse:collapse" cellspacing="0" cellpadding="0" border="0"> <tbody> <tr style="height:7.7pt"> <td colspan="5" style="width:448.6pt;padding:0in 5.4pt;height:7.7pt" width="598"> Sherwin Farhang | CISSP | GCIH | CCSK </td> <td style="width:57.75pt;padding:0in;height:7.7pt" width="77"> </td> </tr> <tr style="height:8.2pt"> <td colspan="5" style="width:448.6pt;padding:0in 5.4pt;height:8.2pt" width="598"> ISSO </td> <td style="width:57.75pt;padding:0in;height:8.2pt" width="77"> </td> </tr> <tr style="height:9.05pt"> <td colspan="4" style="width:443.2pt;padding:0in 5.4pt;height:9.05pt" width="591"> 6518 Meadowridge Rd. | Ste. 100 | Elkridge, MD 21075 </td> <td style="width:5.4pt;padding:0in;height:9.05pt" width="7"> </td> <td style="width:57.75pt;padding:0in;height:9.05pt" width="77"> </td> </tr> <tr style="height:9.05pt"> <td colspan="4" style="width:443.2pt;padding:0in 5.4pt;height:9.05pt" width="591"> P 443.701.5266| F 1.866.824.8914 | <a href="https://www.newwave.io/" target="_blank">newwave.io</a> </td> <td style="width:5.4pt;padding:0in;height:9.05pt" width="7"> </td> <td style="width:57.75pt;padding:0in;height:9.05pt" width="77"> </td> </tr> <tr style="height:8.4pt"> <td colspan="4" style="width:443.2pt;padding:0in 5.4pt;height:8.4pt" width="591"> </td> <td style="width:5.4pt;padding:0in;height:8.4pt" width="7"> </td> <td style="width:57.75pt;padding:0in;height:8.4pt" width="77"> </td> </tr> <tr style="height:26.85pt"> <td style="width:28.5pt;padding:0in 5.4pt;height:26.85pt" width="38"> <a href="https://www.facebook.com/NewWave.Telecom.and.Technologies/" target="_blank"><img style="width: 0.25in; height: 0.2604in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095_x005f_x0000_i1027" src="cid:170c003ff5a5b16b22" alt="cidimage011.png@01D5E32F.9731D090" width="24" height="25" border="0"></a> </td> <td style="width:26.15pt;padding:0in 5.4pt;height:26.85pt" width="35"> <a href="https://www.instagram.com/newwave_tech/" target="_blank"><img style="width: 0.25in; height: 0.25in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095_x005f_x0000_i1028" src="cid:170c003ff5b692e333" alt="cidimage012.png@01D5E32F.9731D090" width="24" height="24" border="0"></a> </td> <td style="width:28.2pt;padding:0in 5.4pt;height:26.85pt" width="38"> <a href="https://twitter.com/NewWave_Tech" target="_blank"><img style="width: 0.2604in; height: 0.2187in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095_x005f_x0000_i1029" src="cid:170c003ff5b7745b44" alt="cidimage013.png@01D5E32F.9731D090" width="25" height="21" border="0"></a> </td> <td style="width:360.25pt;padding:0in 5.4pt;height:26.85pt" width="480"> <a href="https://www.linkedin.com/company/newwave_technologies" target="_blank"><img style="width: 0.25in; height: 0.2604in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095_x005f_x0000_i1030" src="cid:170c003ff5b855d355" alt="cidimage014.png@01D5E32F.9731D090" width="24" height="25" border="0"></a> </td> <td style="width:5.4pt;padding:0in;height:26.85pt" width="7"> </td> <td style="width:58.5pt;padding:0in;height:26.85pt" width="78"> </td> </tr> <tr style="height:9.25pt"> <td colspan="4" style="width:443.2pt;padding:0in 5.4pt;height:9.25pt" width="591"> <a href="https://newwave.io/" target="_blank"><img style="width: 5.302in; height: 1.0625in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095_x005f_x0000_i1031" src="cid:170c003ff5c9374b66" alt="cidimage015.png@01D5E32F.9731D090" width="509" height="102" border="0"></a> </td> <td style="width:5.4pt;padding:0in;height:9.25pt" width="7"> </td> <td style="width:57.75pt;padding:0in;height:9.25pt" width="77"> </td> </tr> <tr> <td style="width:28.5pt;padding:0in" width="38"></td> <td style="width:28.5pt;padding:0in" width="38"></td> <td style="width:29.25pt;padding:0in" width="39"></td> <td style="width:5in;padding:0in" width="480"></td> <td style="width:5.25pt;padding:0in" width="7"></td> <td style="width:58.5pt;padding:0in" width="78"></td> </tr> </tbody> </table> </div> <div> MBE Certified; GSA Schedule 70 CMMI® Maturity Level 4 Rated SVC | Level 3 Rated DEV </div> <div> ISO 9001:2015 Certified </div> <div> Microsoft Partner: Gold Cloud Platform: Gold Datacenter; Silver Application Development </div> <img style="width: 0.4687in; height: 0.4375in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095OWAPstImg458460" src="cid:170c003ff5ca18c377" width="45" height="42" border="0"><img style="width: 1.8333in; height: 0.3541in;" id="gmail-m_7639588936243716182gmail-m_4013425397034402144gmail-m_8366801996931252105gmail-m_9127504191379093095OWAPstImg361351" src="cid:170c003ff5dafa3b88" width="176" height="34" border="0"> </div> </div> </div> Confidentiality Notice: This message and all attachments are for the sole use of the intended recipient(s) and may contain NewWave Telecom & Technologies confidential and privileged information or otherwise be protected by law. This message is intended for use by the individual or entity to which it is addressed and any unauthorized review, use, disclosure or distribution is prohibited . If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Disclaimer The information contained in this communication from <a href="mailto:trey.henefield@ultra-ats.com" target="_blank">trey.henefield@ultra-ats.com</a> sent at 2020-03-05 11:47:08 is private and may be legally privileged or export controlled. It is intended solely for use by <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> and others authorized to receive it. If you are not <a href="mailto:open-scap-list@redhat.com" target="_blank">open-scap-list@redhat.com</a> you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful. <pre>_______________________________________________</pre> <pre>Open-scap-list mailing list</pre> <pre><a href="mailto:Open-scap-list@redhat.com" target="_blank">Open-scap-list@redhat.com</a></pre> <pre><a href="https://www.redhat.com/mailman/listinfo/open-scap-list" target="_blank">https://www.redhat.com/mailman/listinfo/open-scap-list</a></pre> </blockquote> </div> </div> _______________________________________________ Open-scap-list mailing list <a href="mailto:Open-scap-list@redhat.com" target="_blank">Open-scap-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/open-scap-list" target="_blank">https://www.redhat.com/mailman/listinfo/open-scap-list</a> </blockquote> </div> -- <div> <div> Watson Sato Security Technologies | Red Hat, Inc </div> </div> </div> _______________________________________________ scap-security-guide mailing list -- <a href="mailto:scap-security-guide@lists.fedorahosted.org" target="_blank"> scap-security-guide@lists.fedorahosted.org</a> To unsubscribe send an email to <a href="mailto:scap-security-guide-leave@lists.fedorahosted.org" target="_blank"> scap-security-guide-leave@lists.fedorahosted.org</a> Fedora Code of Conduct: <a href="https://docs.fedoraproject.org/en-US/project/code-of-conduct/" target="_blank"> https://docs.fedoraproject.org/en-US/project/code-of-conduct/</a> List Guidelines: <a href="https://fedoraproject.org/wiki/Mailing_list_guidelines" target="_blank"> https://fedoraproject.org/wiki/Mailing_list_guidelines</a> List Archives: <a href="https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org" target="_blank"> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org</a> </blockquote> </div> </div> </div> </div> </div> _______________________________________________ Open-scap-list mailing list <a href="mailto:Open-scap-list@redhat.com" target="_blank">Open-scap-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/open-scap-list" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/open-scap-list</a></blockquote></div> </blockquote></div>