[Open-scap] SCAP's for CentOS 7 & 8
Gabe Alford
redhatrises at gmail.com
Mon Mar 9 16:26:44 UTC 2020
A OSSRG profile or GPOS profile can be created. The STIG for CentOS needs a
vendor and its own STIGIDs which aren't RHEL stigids.
Going through the DoD OSS process does not preclude following DoD CIO
policy, NSA/CSS policy, applicable Federal laws (FISMA), etc. and in
general good and recognized cyber processes.
CentOS doesn't have a security team or QA team which means you get to be on
the hook for attesting that CVEs are addressed correctly
which gets to happen every time because the source code was compiled and
not from the originator. There is also no CVE feed or authority for CentOS.
Also, NIST is in the process (public PR in the works) for deprecating CPE
in place of SWID meaning checksums and SWID IDs aren't going to match up at
all.
FIPS validation occurs on compiled binaries and not against source code so
taking source code and or recompiling means a new FIPS validation process.
The reason this question comes up over and over is the misconception and a
very huuuggggeeee misconception that CentOS == RHEL. It doesn't.
CentOS as a project doesn't contain any certification or relation to RHEL
(including mappings) which you can see at
https://wiki.centos.org/FAQ/General#q1 and
https://wiki.centos.org/FAQ/General#q8
<https://wiki.centos.org/FAQ/General#q1>
Creating an actual STIG does the community and even bigger disservice
because there first off isn't an official one from DISA so there is nothing
at all to map to.
And secondly, it does create a false perception that CentOS is a compliant
OS... it's not. However, there is no problem at all in creating an OSSRG or
GPOS profile.
On Mon, Mar 9, 2020 at 10:01 AM Chuck Atkins <chuck.atkins at kitware.com>
wrote:
> FWIW, I had a PR to the SSG that enables all the available profiles for
> RHEL derivatives even though they will fail the FIPS and vendor supported
> tests.
>
>
> https://github.com/chuckatkins/scap-security-guide/commit/4de658370f3c4bace53eb43bc40c6579c3884b24
>
> It was quickly dismissed for the reasons already mentioned. It's
> something that regularly comes up a few times a year and is generally met
> with the same responses. It seems to be something that users and admins
> actively want but that the SSG maintainers are are not likely to budge on.
>
>
> ----------
> Chuck Atkins
> Staff R&D Engineer, Scientific Computing
> Kitware, Inc.
> (518) 881-1183
>
>
> On Fri, Mar 6, 2020 at 3:04 PM Trey Henefield <
> trey.henefield at ultra-ats.com> wrote:
>
>> Hi Gabe,
>>
>>
>>
>> A majority of the RHEL STIG rules can directly map to CentOS, as it is
>> largely based on RedHat releases.
>>
>>
>>
>> CentOS does release security patches that align with those released for
>> RedHat.
>>
>>
>>
>> I can understand the FIPS and Common Criteria concerns. Let those checks
>> fail as they may. I was previously an evaluator and consultant for Common
>> Criteria in a prior life, so I do appreciate the hard effort and extreme
>> costs involved with that. But moving into a system accredditation
>> standpoint, it’s a simple IA control in RMF. One of many others which it
>> can address.
>>
>>
>>
>> Trust me, I was severely disappointed about how little the large effort
>> of Common Criteria goes unnoticed in a system accredditation process.
>> There’s not even a requirement to ensure the system is in its evaluated
>> configuration. Rather, they are more focused on ensuring it meets the STIG
>> requirements. But in light of DoD’s stance on the acceptance of Open Source
>> software, the need for Common Criteria certification seems to be left
>> behind. It is a disappointing reality, but nonetheless a reality.
>>
>>
>>
>> For example, we utilize OpenSSH on Windows. We compile it ourselves
>> utilizing the OpenSSL FIPS module to gain FIPS compliance. While
>> technically since it offers an abundance of IA capabilities, one would
>> think that it should also be Common Criteria certified. But that is not the
>> case.
>>
>>
>>
>> I understand your reasonings. But the fact of the matter is that CentOS
>> is approved for use and RHEL STIGs are used as guidance in configuring it
>> to be compliant.
>>
>>
>>
>> With that said, there’s no reason why a CentOS profile could not be
>> maintained within the ComplianceAsCode content.
>>
>>
>>
>> Best regards,
>>
>>
>> *Trey Henefield, CISSP*
>>
>> Cyber Security Manager
>>
>>
>>
>>
>> Ultra Intelligence & Communications
>>
>> 4101 Smith School Road
>>
>> Building IV, Suite 100
>>
>> Austin, TX 78744 USA
>> T: +1 512 327 6795 ext. 647
>>
>> M: +1 512 541 6450
>> ultra.group <http://www.ultra.group>
>>
>>
>>
>> *From:* Gabe Alford <redhatrises at gmail.com>
>> *Sent:* Friday, March 6, 2020 1:36 PM
>> *To:* SCAP Security Guide <scap-security-guide at lists.fedorahosted.org>
>> *Cc:* Trey Henefield <trey.henefield at ultra-ats.com>; RADUSINOVIC, IVAN J
>> GS-12 USAF ACC 805 CTS/DOO <ivan.radusinovic at us.af.mil>;
>> open-scap-list at redhat.com; Sherwin Farhang <Sherwin.Farhang at newwave.io>;
>> Matěj Týč <matyc at redhat.com>
>> *Subject:* Re: [Open-scap] SCAP's for CentOS 7 & 8
>>
>>
>>
>> CentOS STIG profile removal was NOT political in any way. There are
>> multiple reasons:
>>
>>
>>
>> - No vendor supports CentOS.
>>
>> - There is no security support for CVEs.
>>
>> - There is NO DISA STIG for CentOS.
>>
>> - RHEL-vendor supported and certified profiles do not map to CentOS...
>> The CentOS project clearly states this.
>>
>> - CentOS is not common criteria certified.
>>
>> - CentOS components are not FIPS validated and using it violates Federal
>> Law.
>>
>> - CentOS is not in alignment with STIG requirements because it doesn't
>> meet them due to not meeting applicable laws and vendor support.
>>
>> - There are valid cybersecurity reasons for not using CentOS.
>>
>>
>>
>> Now, if CentOS started to have a security team and handled it's own CVE
>> content, FIPS-validation, and addressed issues, would be a completely
>> different story.
>>
>> This is the same for the OSPP, CUI, etc. profiles as well. In fact, any
>> profile that uses NIST 800-171 or NIST 800-53, CentOS fails to comply with
>> and encouraging
>>
>> the community to support faulty security profiles is bad security
>> practice in and of itself.
>>
>>
>>
>> On Fri, Mar 6, 2020 at 10:04 AM Watson Sato <wsato at redhat.com> wrote:
>>
>>
>>
>>
>>
>> On Fri, Mar 6, 2020 at 5:05 PM Trey Henefield <
>> trey.henefield at ultra-ats.com> wrote:
>>
>> Copy that sir.
>>
>>
>>
>> Thanks for responding.
>>
>>
>>
>> I would love to contribute my changes. The problem is by the time we get
>> the latest release all fixed up and in alignment with STIG requirements, a
>> new release comes out and completely changes the way content is generated.
>> For example, the last release changed a bunch of compliance code to now use
>> templates and jinja. So now its not as simple to merge my existing content
>> as I now need to learn how things are now done differently, fix issues in
>> the new process and still get my code to work and be compliant. It is very
>> tiresome doing this continuously every single release. We can never get
>> things up to speed and commit changes because by the time we turn around,
>> everything is yet again drastically changed.
>>
>>
>>
>> Hello Trey, thanks for sharing your pain.
>>
>>
>>
>> I'd like to better understand the aspects of your changes, are they only
>> related to content, like rules and remediation? Or do you also tweak the
>> build system?
>>
>>
>>
>>
>>
>> I am all for innovation and finding better ways to accomplish tasks. But
>> these types of changes need to be less frequently to simply allow the
>> compliance code to mature.
>>
>>
>>
>> In most development environments, including our own, there is the concept
>> of major releases and minor releases. Where major releases incorporate
>> “major” changes into the software, such as changing how things are done in
>> the software. Minor releases provide for bug fixes to further improve the
>> reliability of the the software.
>>
>>
>>
>> I consider changing how all the code is compiled, adding new processes
>> and deprecating old processes, to be a major change as it has a cascading
>> affect for much of the content. Whereas, minor changes would focus on
>> simply improving the content utilizing the existing processes already in
>> place.
>>
>>
>>
>> There is an idea to separate the build system from the benchmark
>> directory: https://github.com/ComplianceAsCode/content/issues/5125
>>
>> Does this idea resonate with you?
>>
>> Separating the content from the benchmark would minimize issues when
>> compiling processes change, but it could bring another set of problems,
>> like versioning, or upgrade paths.
>>
>>
>>
>>
>>
>> I had brought this up before but it just seems to be ignored.
>>
>>
>>
>> I really would like to see a better effort from the maintainers of this
>> content to improve on this issue so that those of us utilizing the content
>> and improving the content can have ample opportunity to upload these
>> improvements so that the rest of the community can benefit from these
>> changes alike.
>>
>>
>>
>> Best regards,
>>
>>
>> *Trey Henefield, CISSP*
>>
>> Cyber Security Manager
>>
>>
>>
>>
>> Ultra Intelligence & Communications
>>
>> 4101 Smith School Road
>>
>> Building IV, Suite 100
>>
>> Austin, TX 78744 USA
>> T: +1 512 327 6795 ext. 647
>>
>> M: +1 512 541 6450
>> ultra.group <http://www.ultra.group>
>>
>>
>>
>> *From:* Matěj Týč <matyc at redhat.com>
>> *Sent:* Friday, March 6, 2020 4:13 AM
>> *To:* Trey Henefield <trey.henefield at ultra-ats.com>; RADUSINOVIC, IVAN J
>> GS-12 USAF ACC 805 CTS/DOO <ivan.radusinovic at us.af.mil>; Sherwin Farhang
>> <Sherwin.Farhang at newwave.io>; open-scap-list at redhat.com
>> *Subject:* Re: [Open-scap] SCAP's for CentOS 7 & 8
>>
>>
>>
>> Hello Trey and others,
>>
>> first of all, the openscap list is mainly about the scanner, while your
>> points are about the content, for which I recommend the
>> scap-security-guide at lists.fedorahosted.org mailing list.
>>
>> Regarding the main topic, I vaguely recall discussions about whether to
>> have CentOS profiles that would be inevitably failing (due to lack of
>> certification of scanned systems), or whether to remove profiles that
>> require certifications to pass altogether. The second approach has won,
>> possibly driven by fears that the project would keep getting reports that a
>> rule is failing, so maintainers should do something about it and fix it.
>>
>> The scanner can't say "I am sorry, your system is not certified, that's
>> why the rule fails" - anyone using the scanner would see just another rule
>> failing, and one has to read the guide/report to correctly understand
>> what's the problem.
>>
>> On 05. 03. 20 18:16, Trey Henefield wrote:
>>
>> I don’t have access to it at the moment as I am out of the office this
>> week and next, but I will provide this info when I return.
>>
>>
>>
>> I was just as surprised as anyone else, but a customer informed me of
>> this. Because it is open source software, they were able to do a complete
>> source code review and approved it based on that, since the DoD opensource
>> policy permits this now.
>>
>>
>>
>> We still prefer to use RedHat and bring them allot of business, but it
>> feels that this open source community is more business driven than
>> community driven, resulting in these types of decisions. But that should
>> not be the case for an open source community project.
>>
>> If any of you don't agree with decisions that were taken, let your take
>> on this be heard in the appropriate mailing list. Community is inseparable
>> from participation, maintainers will take shortcuts if there is no visible
>> pushback against them.
>>
>>
>>
>> While I am on my soap box, I will just reiterate again, I am not a fan of
>> the drastic changes that are added every two months to a new release. Major
>> changes like this and overhauling how compliance code gets built every two
>> months is just bad. These major changes should be released in a new major
>> release less frequently (6 months, or even once a year). Rather, the
>> incrimental releases pushed out every two months should be more based on
>> bring compliance code up to speed to provide more complete and accurate
>> coverage of the requirements. Everytime I merge in the latest release with
>> our code, we spend so much time going back and fixing all the things it
>> breaks.
>>
>> The Security Compliance field is gaining momentum, and it will continue
>> to do so in the foreseeable future. Therefore, the project needs to
>> accommodate ever-increasing requirements - such as introduction of new
>> profiles, new products, and even new paradigms. The only way to do so is to
>> refactor its parts and make them perform better. We are so far very
>> successful in this effort, and what you describe is the inevitable downside
>> of it.
>>
>> So Trey, do you think that your code could be upstreamed? That way, it
>> would become possible for us to keep it in a good shape at a low cost.
>>
>>
>>
>> Best regards,
>>
>>
>> *Trey Henefield, CISSP*
>>
>> Cyber Security Manager
>>
>>
>>
>>
>> Ultra Intelligence & Communications
>>
>> 4101 Smith School Road
>>
>> Building IV, Suite 100
>>
>> Austin, TX 78744 USA
>> T: +1 512 327 6795 ext. 647
>>
>> M: +1 512 541 6450
>> ultra.group <http://www.ultra.group>
>>
>>
>>
>> *From:* RADUSINOVIC, IVAN J GS-12 USAF ACC 805 CTS/DOO
>> <ivan.radusinovic at us.af.mil> <ivan.radusinovic at us.af.mil>
>> *Sent:* Thursday, March 5, 2020 10:54 AM
>> *To:* Trey Henefield <trey.henefield at ultra-ats.com>
>> <trey.henefield at ultra-ats.com>; Sherwin Farhang
>> <Sherwin.Farhang at newwave.io> <Sherwin.Farhang at newwave.io>;
>> open-scap-list at redhat.com
>> *Subject:* RE: SCAP's for CentOS 7 & 8
>>
>>
>>
>> Hey, while we’re on the topic, does anyone have the link depicting it
>> being on the APL? Which APL are we talking about?
>>
>>
>>
>> Thanks!
>>
>>
>>
>> S/F
>>
>>
>>
>> Ivan Radusinovic
>>
>> “R+10”; “Sgt Rad”
>>
>> ISSE || 805th CTS / DOO
>>
>> mob. 916-934-6592 || off. 702-652-8499 ||
>>
>> NIPR ivan.radusinovic at us.af.mil
>>
>> SIPR ivan.j.radusinovic.civ at mail.smil.mil
>>
>>
>>
>> "Comm…. works 60% of the time.. all the time!"
>>
>> - GySgt McCown
>>
>>
>>
>> *From:* open-scap-list-bounces at redhat.com <
>> open-scap-list-bounces at redhat.com> *On Behalf Of *Trey Henefield
>> *Sent:* Thursday, March 5, 2020 8:47 AM
>> *To:* Sherwin Farhang <Sherwin.Farhang at newwave.io>;
>> open-scap-list at redhat.com
>> *Subject:* [Non-DoD Source] Re: [Open-scap] SCAP's for CentOS 7 & 8
>>
>>
>>
>>
>>
>> This is disappointing as it feels like a political move. There is no
>> functional reason why it could not be supported. It is approved within DoD
>> as it is on the approved software list.
>>
>>
>>
>> Rather than removing its support, let the authorities that be make the
>> decision as to if it is acceptable for use.
>>
>>
>>
>> Best regards,
>>
>>
>> *Trey Henefield, CISSP*
>>
>> Cyber Security Manager
>>
>>
>>
>>
>> Ultra Intelligence & Communications
>>
>> 4101 Smith School Road
>>
>> Building IV, Suite 100
>>
>> Austin, TX 78744 USA
>> T: +1 512 327 6795 ext. 647
>>
>> M: +1 512 541 6450
>> ultra.group <http://www.ultra.group>
>>
>>
>>
>> *From:* open-scap-list-bounces at redhat.com <
>> open-scap-list-bounces at redhat.com> *On Behalf Of *Sherwin Farhang
>> *Sent:* Wednesday, March 4, 2020 3:47 PM
>> *To:* open-scap-list at redhat.com
>> *Subject:* [Open-scap] SCAP's for CentOS 7 & 8
>>
>>
>>
>> Hi OpenSCAP team,
>>
>>
>>
>> I tried following a guide to deploy DISA STIG's from RedHat to CentOS I
>> was dissapointed this functionality is intentionally not supported
>> anymore. Can't a message be shot across saying "deploying this does not
>> make you compliant to DISA STIG because this is CentOS and does not carry
>> the proper certifications"? I just found this tool and tested it out to
>> deploy pci-dss as a test to a vm and it was really convenient that it
>> worked so well. It would be nice if that functionality still worked. Also
>> when I run CentOS 8 and download the workbench no CentOS profiles are
>> downloaded but they do download for CentOS - 7 Likely a bug unless your
>> team is actually just removing all functionality for CentOS 8 moving
>> forward which is disappointing as well. Whenever I see a project remove
>> functionality a fork is made and the community splits. I hope to hear back.
>>
>>
>>
>> Thank you,
>>
>>
>>
>> -Sherwin
>>
>>
>>
>> *Sherwin Farhang* | CISSP | GCIH | CCSK
>>
>>
>>
>> ISSO
>>
>>
>>
>> 6518 Meadowridge Rd. | Ste. 100 | Elkridge, MD 21075
>>
>>
>>
>>
>>
>> P 443.701.5266| F 1.866.824.8914 | newwave.io <https://www.newwave.io/>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> [image: cidimage011.png at 01D5E32F.9731D090]
>> <https://www.facebook.com/NewWave.Telecom.and.Technologies/>
>>
>> [image: cidimage012.png at 01D5E32F.9731D090]
>> <https://www.instagram.com/newwave_tech/>
>>
>> [image: cidimage013.png at 01D5E32F.9731D090]
>> <https://twitter.com/NewWave_Tech>
>>
>> [image: cidimage014.png at 01D5E32F.9731D090]
>> <https://www.linkedin.com/company/newwave_technologies>
>>
>>
>>
>>
>>
>> [image: cidimage015.png at 01D5E32F.9731D090] <https://newwave.io/>
>>
>>
>>
>>
>>
>> MBE Certified; GSA Schedule 70
>> CMMI® Maturity Level 4 Rated SVC | Level 3 Rated DEV
>>
>> ISO 9001:2015 Certified
>>
>> *Microsoft* *Partner:* Gold Cloud Platform: Gold Datacenter; Silver
>> Application Development
>>
>> Confidentiality Notice: This message and all attachments are for the sole
>> use of the intended recipient(s) and may contain NewWave Telecom &
>> Technologies confidential and privileged information or otherwise be
>> protected by law. This message is intended for use by the individual or
>> entity to which it is addressed and any unauthorized review, use,
>> disclosure or distribution is prohibited . If you are not the intended
>> recipient, please contact the sender by reply e-mail and destroy all copies
>> of the original message.
>>
>>
>>
>> *Disclaimer*
>> The information contained in this communication from *trey.henefield at ultra-ats.com
>> <trey.henefield at ultra-ats.com> *sent at 2020-03-05 11:47:08 is private
>> and may be legally privileged or export controlled. It is intended solely
>> for use by *open-scap-list at redhat.com <open-scap-list at redhat.com> *and
>> others authorized to receive it. If you are not *open-scap-list at redhat.com
>> <open-scap-list at redhat.com> *you are hereby notified that any
>> disclosure, copying, distribution or taking action in reliance of the
>> contents of this information is strictly prohibited and may be unlawful.
>>
>>
>>
>> _______________________________________________
>>
>> Open-scap-list mailing list
>>
>> Open-scap-list at redhat.com
>>
>> https://www.redhat.com/mailman/listinfo/open-scap-list
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
>>
>>
>>
>> --
>>
>> Watson Sato
>> Security Technologies | Red Hat, Inc
>>
>> _______________________________________________
>> scap-security-guide mailing list --
>> scap-security-guide at lists.fedorahosted.org
>> To unsubscribe send an email to
>> scap-security-guide-leave at lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
>>
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 1909 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1054 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1067 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 840 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 1050 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 67445 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 1535 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image008.png
Type: image/png
Size: 7121 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/open-scap-list/attachments/20200309/b89b765c/attachment-0006.png>
More information about the Open-scap-list
mailing list