[Open-scap] OpenSCAP 1.2.0 coming soon

Greg Elin gregelin at gitmachines.com
Wed Nov 5 04:56:34 UTC 2014


This discussion just keeps getting more interesting...

Steve is saying that RHEL 7 could be released before OVAL 5.11 has been
adopted. This would mean the only way to fully scan RHEL 7 would be to use
a not-yet-certified version of OpenSCAP v1.2.x supporting an OVAL 5.11
specification that had not yet been adopted.  Have I got that right?

It does seem smart to do the OpenSCAP work in pace with RHEL7 even
though the certifying bodies may not keep up. But I do think it is
important to have a page that explains all this and could keep everyone
apprised of status.

Steve mentioned "Vendor Versioning Policy that was submitted during
validation."


Is there a validation package for OpenSCAP 1.0.8 that was submitted to
NIST? Is the package itself public? Here's the list of certified products:
http://nvd.nist.gov/scapproducts.cfm
And here is a press clip describing the 2014 certification:
http://www.atsec.com/us/news-red-hat-openscap-nist-certified-292.html

Greg




On Tue, Nov 4, 2014 at 1:31 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Tuesday, November 04, 2014 01:01:52 PM Shawn Wells wrote:
> > On 11/3/14, 8:21 AM, Steve Grubb wrote:
> > > On Monday, November 03, 2014 09:22:05 AM Petr Hracek wrote:
> > >> > Hi guys,
> > >> >
> > >> > do you plan to update RHEL6 and RHEL5 systems?
> > >
> > > openscap-1.0.8 is the certified version. Replacing it means we lose the
> > > certification. (Not to mention RHEL5 is in deep maintenance mode at this
> > > point.) I think this is likely an unnecessary risk. RHEL7 on the other
> > > hand needs OVAL 5.11 to be properly evaluated. So, it would be logical to
> > > assume a RHEL7 roll out. RHEL6 is kind of murky to me right now. RHEL5
> > > and 6 are nearly the same, so we can stay with 1.0.8 for certification
> > > purposes.
> >
> > Given that OpenSCAP certification appears to be version based (e.g.
> > v1.0.8), if a new version is going to be certified for RHEL7, why not
> > have that same version released into RHEL6?
>
> That is why I said it's murky. As it stands right now, SCAP certification
> only covers OVAL 5.10.1. So, what happens to the new stuff that's needed? I am
> working through this with standards bodies and NIST. It'll probably be next
> year before I have an idea what we can realistically do. For now we should
> stay on the 1.0 branch for RHEL6.
>
> This actually brings up an important point that I'd like to make. Unlike
> FIPS, the SCAP validation does allow vendors to fix bugs without recertifying
> as long as they follow the Vendor Versioning Policy that was submitted during
> validation. Our policy allows for bug patching along the 1.0.x line but no
> new functionality. So, if one day people see a 1.0.9 openscap package, it
> retains the validation. A 1.1 or 1.2 release does not.
>
>
> > Much of the content has evolved to rely on OVAL 5.11 features, so having
> > an OpenSCAP version supporting OVAL 5.11 in RHEL 6 and RHEL 7 is needed.
>
> OVAL 5.11 is not released yet. :-)
>
> OVAL 5.11's main feature that we need on RHEL7 is the systemd_test...which
> is also not applicable to RHEL6. AFAIK, the systemd_test is the only thing in
> the 1.1 branch implemented from the OVAL 5.11 proposed change list. So, I
> suspect you are thinking of something else.
>
> -Steve
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list at redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
>