'RE: Policy source data format proposal is ready for comments'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       scap-security-guide
Subject:    RE: Policy source data format proposal is ready for comments
From:       Trey Henefield <trey.henefield () ultra-ats ! com>
Date:       2020-06-11 18:46:01
Message-ID: DM6PR04MB4634ADA1F250D16502838D06D0800 () DM6PR04MB4634 ! namprd04 ! prod ! outlook ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]

[Attachment #4 (text/plain)]

Thank you sir.

I will start the merge process and hopefully I can get things merged and commited \
before the next release next month.

Best regards,


Trey Henefield, CISSP
Cyber Security Manager


[cid:image001.jpg@01D63FF6.A3F6E620]

Ultra Intelligence & Communications
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
T: +1 512 327 6795 ext. 647
M: +1 512 541 6450
ultra.group<http://www.ultra.group>

From: Matej Tyc <matyc@redhat.com>
Sent: Thursday, June 11, 2020 9:31 AM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: Policy source data format proposal is ready for comments


Hello Trey,

I have some good news for you - I am not aware of any compatibility issues between \
0.1.48 and 0.1.50. In other words - no major changes for four months! Moreover, I can \
recall that some of those issues that you name have been fixed. It is difficult to \
say how those fixes interact with your, but I think that evaluating the upstream \
0.1.50 will be mostly a pleasant experience.

I have hoped to learn more about actual build API breakages, but as you are on \
0.1.48, Jinja got quite stable, and there are already the new templates in place \
(introduced in 0.1.47). Interestingly, the example of templates show that \
incompatible changes don't always necessarily cause major issues. Right now, there \
are not any proposals aiming to introduce changes breaking the build API. We may see \
an increased usage of Jinja macros in checks and remediations, but that's all \
incremental.

As we are Red Hat employees, our prioritization in fixing issues is driven by opened \
Bugzillas, so if your organization has a subscription, it can influence the \
development in this way. We would like to leverage your effort on getting the STIG \
stuff right, so I hope that the "rebase" that you have to go through will be smooth, \
and we can start to work on your pull requests. My experience is that when the \
content gets close to regulations, the "political" aspect of the PR is much more \
difficult to deal with than the actual implementation. For that reason, I am happy \
that you are aware which requirements influence rules in question - that should \
streamline the discussion.

All the best,
Matej
On 10. 06. 20 14:58, Trey Henefield wrote:
Hi Matej,

So to put things in perspective, I am still on the 0.1.48 release. I just now got it \
to a point to where I have addressed as many requirements as my system will allow. I \
have roughly just under 400 checkins.

This is how far behind the baseline is. I am scared to even look at 0.1.50 as I will \
have to do this all over again with any new challenges that release brings me. \
Keeping in mind, this is just one small aspect of many other things I am involved \
with.

So to give some examples.

The implementation of jinja was interesting. I spent hours trying to figure out why \
some remediations and checks would not run even though the syntax looked correct. \
Only to discover that some files had the jinja syntax defined differently causing \
certain lines not being processed. It would have been nice if this code had been \
properly tested for correctness before being merged into the baseline.

The audit rules have consistent inaccuracies.

It seems like someone thought it was a good idea to replace every instance of \
‘auid!=4294967295' with ‘auid!=unset'. While in theory, this may accomplish the \
same goal. But in practice, the STIG and its associated benchmark explicitly look for \
a specific value, which it no longer finds and is considered a finding. This results \
in allot of findings.

I also noticed that in support of the Suse Enterprise Linux STIG, all audit rules for \
privileged commands include ‘-perm x', which creates a finding for the RHEL7 STIG \
because it looks for the rules to exist without defining the execution bit as a \
filter.

Java and Firefox are a bit outdated.

Jinja bash macro for firefox is pointing to the wrong file locations and has a syntax \
error.

SELinux syntax is incorrect for the remediations.

SSH ciphers and MACs OVAL check and remediation are wrong.

Screenlock keybinding OVAL check is incorrect.

RHEL6 was not included as a platform for account_umask_etc_profile.

set_password_hashing_algorithm_systemauth does not also check password-auth and also \
does not check for non-compliant values.

No password complexity checks/remediations exist.

The checks and remediations for disable_ctrlaltdel_reboot do not align with the \
RHEL6/7 STIGs.

Login banner text is not defined correctly.

The list goes on and on. I don't have enough time to list everything. But luckily I \
have fixes for all of these things, among other things.

Does anyone on this project do any validation of the content against the requirements \
to ensure accurate implementation of the required configurations? Because if they \
did, they would see there is allot of work to get this content into a usable form.

I would highly advise someone there at Red Hat apply this content to a RHEL6 or RHEL7 \
system. Then run a scan using the latest official DISA benchmark. Then perform manual \
checks on the system using the latest version of the DISA STIG and the STG Viewer. \
You will then get an understanding of what I am seeing along with every other Red Hat \
customer using this content in an effort to try and be compliant.

Again, I would love to contribute my changes to help get this project back on track, \
but with the release of major changes to the structure and process every two months, \
its just impossible.

Best regards,


Trey Henefield, CISSP
Cyber Security Manager


Ultra Intelligence & Communications
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
T: +1 512 327 6795 ext. 647
M: +1 512 541 6450
ultra.group<http://www.ultra.group>

From: Matej Tyc <matyc@redhat.com><mailto:matyc@redhat.com>
Sent: Wednesday, June 10, 2020 4:50 AM
To: scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>
                
Subject: Re: Policy source data format proposal is ready for comments


Hello Trey,

we are talking about two different things, and those are not mutually exclusive.

Some subjects see the projects as a gigantic jigsaw puzzle, where individual pieces \
are rules, and they can use those to compose custom profiles - I understood that this \
is your case as well. For those, everything else than rules and associated content \
doesn't really matter, and improvements to how rules are defined may become quite \
disruptive.

However, a huge number of subjects would like to use the high-level aspect of the \
project - profiles in datastreams that you can feed to the scanner right away, and \
that will scan your system. We get a huge number of requests for profiles, and we try \
to make things easier to profile authors, so they can start contributing to \
ComplianceAsCode, and we can focus on rules and on the testing infrastructure.

I disagree that we introduce new features just for the sake of creativity, and again, \
the announcement that started this discussion was about a backwards-compatible \
improvement that profile authors are on board with. In other words, this won't break \
anything, so you can relax about this.

I am really curious though what is it that broke your builds. Could you please share \
some details? We may be able to help, or to at least do a better job in this regard \
next time.

Best regards,
Matej
On 08. 06. 20 16:07, Trey Henefield wrote:
Hi Matej,

I see what you're saying.

It does improve readability.

Ultimately, automation is king. I had some code in the project once upon a time that \
would improve visibility of coverage of the requirements. Pulling the data from the \
source requirements (i.e. STIG), then aligning that data with the STIG overlay to \
identify total coverage of the STIG, then aligning that data with the mapped OVAL \
rules to identify overall coverage of requirements by the checks and remediations \
included. This probably could have been extended to compare the rules in the STIG \
profile with the rules in the STIG overlay to identify rules in the overlay not \
captured in the profile and rules in the profile that don't align to a requirement in \
the STIG overlay.

I still respectfully disagree with you.

The goal of this project is to provide content that facilitates helping organizations \
meet requirements. From the consumer side of this, this project is pretty pointless \
if it only gets you a fraction of the way there. To make this project useful, it \
needs to be more complete and accurate. Having it build better or include a better \
way showing what few requirements are addressed doesn't provide any value add if it \
still doesn't increase the percentage of coverage of requirements to be validated and \
mitigated.

You can change the frame of a picture, but it doesn't change the picture.

I just want to give you the perspective from a user of this content. I can't use the \
content as it's provided. I have to go in and address all the issues and add code to \
get compliant for our systems. But for the many other users out there that don't have \
the luxury of understanding how to deal with updating the code, they end up with a \
solution that gets them compliant after days\hours of manual changes to fix the \
issues it causes and make up for the lack of coverage where it doesn't.

If the goal of this project is to be a pet project for developers to try new things \
and be creative, then I can understand your current direction.

If the goal of this project is to help users in meeting industry standards with \
applicable software instaled, then the direction should be to provide complete and \
accurate checks and remedations. This is what end users really need and would value \
most from this project.

Best regards,


Trey Henefield, CISSP
Cyber Security Manager



Ultra Intelligence & Communications
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
T: +1 512 327 6795 ext. 647
M: +1 512 541 6450
ultra.group<http://www.ultra.group>

From: Matej Tyc <matyc@redhat.com><mailto:matyc@redhat.com>
Sent: Monday, June 8, 2020 4:52 AM
To: scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>
                
Subject: Re: Policy source data format proposal is ready for comments


Hello Trey,

the change that is discussed here is a backwards-compatible one, so it wouldn't break \
anything for you.

I understand your pain, but as the repository increases in size both in rule count \
and profile count, actions need to be taken so the project retains its level of \
maintainability. For example, the recent redesign of templates was quite disruptive, \
but it also fixed tens of rules that nobody had capacity to fix before.

This change aims to introduce possibility to reuse chunks of rules between profiles, \
and to make profile definitions easier to read and to maintain.

How would you rate maintainability of \
https://github.com/ComplianceAsCode/content/blob/master/rhel7/profiles/ncp.profile<https://github.com/ComplianceAsCode/content/blob/master/rhel7/profiles/ncp.profile> \
and of https://github.com/ComplianceAsCode/content/blob/master/rhel8/profiles/ospp.pro \
file<https://github.com/ComplianceAsCode/content/blob/master/rhel8/profiles/ospp.profile> \
? Both profiles select over hundred of rules, and I am sure that the RHEL7 profile \
would make it very difficult for anybody to determine whether a rule is missing, or \
the profile is complete. The RHEL8 profile has comments that make things more clear, \
and the proposal we are discussing in this thread basically moves things one step \
further, from optional comments to a schema. It will still be possible to do things \
the old way though.

I am sure that all contributors feel disappointed when contributions are not \
accepted, and trust me, it happens to everybody. I would recommend you to have a fork \
with all rules that were rejected upstream added.

You say that the immediate focus should be content completeness and accuracy. I think \
that this should be the long-term focus. When you have incorrect copy-pasted code, \
the immediate thing to do is not fixing it again by more copy-pasting, but one should \
rather remove the copy-pasting, if it is possible. Unfortunately, this is what breaks \
the backwards compatibility, but it is always for a good reason.

If you have a particular backward-compatibility problem, please tell us, and we may \
write a blog post about it, so porting your old code will be fast and efficient: \
https://complianceascode.github.io<https://complianceascode.github.io>

Best regards,
Matej Tyc
On 05. 06. 20 20:25, Trey Henefield wrote:


This won't solve the problems with your content.

The problem is that there has been pushback to accept community suggestions due to \
personal perferences. There is much more focus on continuously changing the structure \
of the project, than the content of the project.

The ultimate goal for this project should be to provide checks and remediations that \
accurately reflect (no more and no less) what is required by a particular regulation.

Regaurdless of what default behaviors are present in the RedHat operating system, if \
a configuration is required to be explicitly configured, it should be configured. So \
that the intent of what the requirement is explicitly requiring is addressed. Saying \
that this does not apply because it does this already, does not hold well when this \
content is used and this discrepency has to be explained to validators.

Our organization has basically gave up contributing and maintain our own personal \
branch to ensure we provide solutions that meet the needed requirements.

To greatly improve this project, the immediate focus needs to be on content \
completeness and accuracy. This would provide the best value this project could offer \
to the community.

The structure of this project and how to better improve it should be a secondary \
focus, with these structural changes better thought out and implemented, before being \
integrated into the project. These major changes should be introduced less frequently \
(1 or 2 times a year) to allow contributors time to complete their changes. Just \
about every two months when a new release is pushed, we have to redo allot of stuff \
we did to get our changes working in the new release. This is very time consuming and \
difficult to maintain.

I truly hope someone there at RedHat is finally listening to this and takes our \
advice.

Best regards,


Trey Henefield, CISSP
Cyber Security Manager
Ultra Intelligence & Communications
4101 Smith School Road
Building IV, Suite 100
Austin, TX 78744 USA
T: +1 512 327 6795 ext. 647
M: +1 512 541 6450
ultra.group<http://ultra.group>

-----Original Message-----
From: Jan Cerny <jcerny@redhat.com><mailto:jcerny@redhat.com>
Sent: Friday, June 5, 2020 9:36 AM
To: SCAP Security Guide \
<scap-security-guide@lists.fedorahosted.org><mailto:scap-security-guide@lists.fedorahosted.org>
                
Subject: Policy source data format proposal is ready for comments

Hi,

The policy source data format proposal is available and ready for comments. The text \
has been submitted as a pull request on GitHub to make the discussion easier using \
comments and reviews. See \
https://github.com/ComplianceAsCode/content/pull/5817<https://github.com/ComplianceAsCode/content/pull/5817>
 We are looking forward to seeing your feedback on GitHub.

What is it about? We will use the policy source data format to improve development of \
our profiles. It will allow us to store security controls and requirements in the \
repository and then define profiles by using their IDs instead of separate rules.

This is done in order to solve the problem that there is no easy way to demonstrate \
to profile stakeholders the status of their profile.

Intended workflow:

* SME identifies security controls the policy consists of. Those controls serve as \
                direct input for our profiles.
* SME goes through controls, and makes sure that they are sufficiently covered by \
                rules.
* SME fine-tunes the profile by overriding a couple of individual rules in the \
profile file.

Once the format is accepted we can start developing tools that support this new \
workflow.

In future, we can also use it for further refactoring, for example streamlining the \
generation of HTML tables.

Best regards

--
Jan Černý
Security Technologies | Red Hat, Inc.
_______________________________________________
scap-security-guide mailing list -- \
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>
 To unsubscribe send an email to \
scap-security-guide-leave@lists.fedorahosted.org<mailto:scap-security-guide-leave@lists.fedorahosted.org>
 Fedora Code of Conduct: \
https://docs.fedoraproject.org/en-US/project/code-of-conduct<https://docs.fedoraproject.org/en-US/project/code-of-conduct>
 List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines<https://fedoraproject.org/wiki/Mailing_list_guidelines>
 List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists \
.fedorahosted.org<https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org>





Disclaimer
The information contained in this communication from \
trey.henefield@ultra-ats.com<mailto:trey.henefield@ultra-ats.com> sent at 2020-06-05 \
14:25:25 is private and may be legally privileged or export controlled. It is \
intended solely for use by \
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org> \
and others authorized to receive it. If you are not \
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org> \
you are hereby notified that any disclosure, copying, distribution or taking action \
in reliance of the contents of this information is strictly prohibited and may be \
unlawful.





_______________________________________________

scap-security-guide mailing list -- \
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>


To unsubscribe send an email to \
scap-security-guide-leave@lists.fedorahosted.org<mailto:scap-security-guide-leave@lists.fedorahosted.org>


Fedora Code of Conduct: \
https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://docs.fedoraproject.org/en-US/project/code-of-conduct/>


List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines<https://fedoraproject.org/wiki/Mailing_list_guidelines>


List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists. \
fedorahosted.org<https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org>





_______________________________________________

scap-security-guide mailing list -- \
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>


To unsubscribe send an email to \
scap-security-guide-leave@lists.fedorahosted.org<mailto:scap-security-guide-leave@lists.fedorahosted.org>


Fedora Code of Conduct: \
https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://docs.fedoraproject.org/en-US/project/code-of-conduct/>


List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines<https://fedoraproject.org/wiki/Mailing_list_guidelines>


List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists. \
fedorahosted.org<https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org>




_______________________________________________

scap-security-guide mailing list -- \
scap-security-guide@lists.fedorahosted.org<mailto:scap-security-guide@lists.fedorahosted.org>


To unsubscribe send an email to \
scap-security-guide-leave@lists.fedorahosted.org<mailto:scap-security-guide-leave@lists.fedorahosted.org>


Fedora Code of Conduct: \
https://docs.fedoraproject.org/en-US/project/code-of-conduct/<https://docs.fedoraproject.org/en-US/project/code-of-conduct/>


List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines<https://fedoraproject.org/wiki/Mailing_list_guidelines>


List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists. \
fedorahosted.org<https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org>



[Attachment #5 (text/html)]

<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Verdana;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:Consolas;}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:"Arial",sans-serif;
	color:#5B6770;}
span.EmailStyle22
	{mso-style-type:personal;
	font-family:"Arial",sans-serif;
	color:#5B6770;}
span.EmailStyle23
	{mso-style-type:personal;
	font-family:"Arial",sans-serif;
	color:#5B6770;}
span.EmailStyle24
	{mso-style-type:personal-reply;
	font-family:"Arial",sans-serif;
	color:#5B6770;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Thank \
you sir.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770"><o:p>&nbsp;</o:p></span></p>
 <div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">I will \
start the merge process and hopefully I can get things merged and commited before the \
next release next month.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770"><o:p>&nbsp;</o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Best \
regards,<br> <br>
<br>
</span><b><span style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB">Trey \
Henefield, CISSP<o:p></o:p></span></b></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB">Cyber \
Security Manager<br> <br>
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB"><o:p>&nbsp;</o:p></span></b></p>
 <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB"><img \
width="159" height="30" style="width:1.6562in;height:.3125in" id="Picture_x0020_1" \
src="cid:image001.jpg@01D63FF6.A3F6E620"></span><b><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB"><o:p></o:p></span></b></p>
 <p class="MsoNormal"><b><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB"><br>
 </span></b><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Ultra</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-GB">
 </span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Intelligence \
&amp; Communications</span><span lang="EN-GB" \
style="color:#5B6770"><o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">4101 \
Smith School Road<o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Building \
IV, Suite 100<o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Austin, \
TX 78744 USA<br> T</span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#4785D1;mso-fareast-language:EN-GB">:</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB"> \
&#43;1 512 327  6795 ext. 647</span><span lang="EN-GB" \
style="color:#5B6770"><o:p></o:p></span></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">M</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#4785D1;mso-fareast-language:EN-GB">:</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">
  &#43;1 512 541 6450</span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:black;mso-fareast-language:EN-GB"><br>
 </span><span lang="EN-GB" style="color:#5B6770"><a \
href="http://www.ultra.group"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#0563C1;mso-fareast-language:EN-GB">ultra.group</span></a></span><span \
style="color:#5B6770"><o:p></o:p></span></p> </div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770"><o:p>&nbsp;</o:p></span></p>
 <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Matej Tyc &lt;matyc@redhat.com&gt; <br>
<b>Sent:</b> Thursday, June 11, 2020 9:31 AM<br>
<b>To:</b> scap-security-guide@lists.fedorahosted.org<br>
<b>Subject:</b> Re: Policy source data format proposal is ready for \
comments<o:p></o:p></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p>Hello Trey,<o:p></o:p></p>
<p>I have some good news for you - I am not aware of any compatibility issues between \
0.1.48 and 0.1.50. In other words - no major changes for four months! Moreover, I can \
recall that some of those issues that you name have been fixed. It is difficult to \
say  how those fixes interact with your, but I think that evaluating the upstream \
0.1.50 will be mostly a pleasant experience.<o:p></o:p></p> <p>I have hoped to learn \
more about actual build API breakages, but as you are on 0.1.48, Jinja got quite \
stable, and there are already the new templates in place (introduced in 0.1.47). \
Interestingly, the example of templates show that incompatible changes  don't always \
necessarily cause major issues. Right now, there are not any proposals aiming to \
introduce changes breaking the build API. We may see an increased usage of Jinja \
macros in checks and remediations, but that's all incremental.<o:p></o:p></p> <p>As \
we are Red Hat employees, our prioritization in fixing issues is driven by opened \
Bugzillas, so if your organization has a subscription, it can influence the \
development in this way. We would like to leverage your effort on getting the STIG \
stuff right,  so I hope that the &quot;rebase&quot; that you have to go through will \
be smooth, and we can start to work on your pull requests. My experience is that when \
the content gets close to regulations, the &quot;political&quot; aspect of the PR is \
much more difficult to deal with than  the actual implementation. For that reason, I \
am happy that you are aware which requirements influence rules in question - that \
should streamline the discussion.<o:p></o:p></p> <p>All the best,<br>
Matej<o:p></o:p></p>
<div>
<p class="MsoNormal">On 10. 06. 20 14:58, Trey Henefield wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Hi \
Matej,</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">So to \
put things in perspective, I am still on the 0.1.48 release. I just now got it to a \
point to where I have addressed as many requirements as my system will  allow. I have \
roughly just under 400 checkins.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">This \
is how far behind the baseline is. I am scared to even look at 0.1.50 as I will have \
to do this all over again with any new challenges that release brings me.  Keeping in \
mind, this is just one small aspect of many other things I am involved \
with.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">So to \
give some examples.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">The \
implementation of jinja was interesting. I spent hours trying to figure out why some \
remediations and checks would not run even though the syntax looked correct.  Only to \
discover that some files had the jinja syntax defined differently causing certain \
lines not being processed. It would have been nice if this code had been properly \
tested for correctness before being merged into the baseline.</span><o:p></o:p></p> \
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">The \
audit rules have consistent inaccuracies.</span><o:p></o:p></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">It \
seems like someone thought it was a good idea to replace every instance of \
‘auid!=4294967295' with ‘auid!=unset'. While in theory, this may accomplish the \
same  goal. But in practice, the STIG and its associated benchmark explicitly look \
for a specific value, which it no longer finds and is considered a finding. This \
results in allot of findings.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">I also \
noticed that in support of the Suse Enterprise Linux STIG, all audit rules for \
privileged commands include ‘-perm x', which creates a finding for the RHEL7  STIG \
because it looks for the rules to exist without defining the execution bit as a \
filter.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Java \
and Firefox are a bit outdated.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Jinja \
bash macro for firefox is pointing to the wrong file locations and has a syntax \
error.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">SELinux \
syntax is incorrect for the remediations.</span><o:p></o:p></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">SSH \
ciphers and MACs OVAL check and remediation are wrong.</span><o:p></o:p></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Screenlock \
keybinding OVAL check is incorrect.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">RHEL6 \
was not included as a platform for account_umask_etc_profile.</span><o:p></o:p></p> \
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">set_password_hashing_algorithm_systemauth \
does not also check password-auth and also does not check for non-compliant \
values.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">No \
password complexity checks/remediations exist.</span><o:p></o:p></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">The \
checks and remediations for disable_ctrlaltdel_reboot do not align with the RHEL6/7 \
STIGs.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Login \
banner text is not defined correctly.</span><o:p></o:p></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">The \
list goes on and on. I don't have enough time to list everything. But luckily I have \
fixes for all of these things, among other things.</span><o:p></o:p></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Does \
anyone on this project do any validation of the content against the requirements to \
ensure accurate implementation of the required configurations? Because if  they did, \
they would see there is allot of work to get this content into a usable \
form.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">I \
would highly advise someone there at Red Hat apply this content to a RHEL6 or RHEL7 \
system. Then run a scan using the latest official DISA benchmark. Then perform  \
manual checks on the system using the latest version of the DISA STIG and the STG \
Viewer. You will then get an understanding of what I am seeing along with every other \
Red Hat customer using this content in an effort to try and be \
compliant.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Again, \
I would love to contribute my changes to help get this project back on track, but \
with the release of major changes to the structure and process every two  months, its \
just impossible.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Best \
regards,<br> <br>
<br>
</span><b><span style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB">Trey \
Henefield, CISSP</span></b><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB">Cyber \
Security Manager<br> <br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Ultra</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-GB">
 </span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Intelligence \
&amp; Communications</span><o:p></o:p></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">4101 \
Smith School Road</span><o:p></o:p></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Building \
IV, Suite 100</span><o:p></o:p></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Austin, \
TX 78744 USA<br> T</span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#4785D1;mso-fareast-language:EN-GB">:</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB"> \
&#43;1 512 327  6795 ext. 647</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">M</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#4785D1;mso-fareast-language:EN-GB">:</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">
  &#43;1 512 541 6450</span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:black;mso-fareast-language:EN-GB"><br>
 </span><span lang="EN-GB" style="color:#5B6770"><a \
href="http://www.ultra.group"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#0563C1;mso-fareast-language:EN-GB">ultra.group</span></a></span><o:p></o:p></p>
 </div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Matej Tyc <a \
href="mailto:matyc@redhat.com">&lt;matyc@redhat.com&gt;</a> <br>
<b>Sent:</b> Wednesday, June 10, 2020 4:50 AM<br>
<b>To:</b> <a href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a><br>
 <b>Subject:</b> Re: Policy source data format proposal is ready for \
comments<o:p></o:p></p> </div>
</div>
<p class="MsoNormal">&nbsp;<o:p></o:p></p>
<p>Hello Trey, <o:p></o:p></p>
<p>we are talking about two different things, and those are not mutually \
exclusive.<o:p></o:p></p> <p>Some subjects see the projects as a gigantic jigsaw \
puzzle, where individual pieces are rules, and they can use those to compose custom \
profiles - I understood that this is your case as well. For those, everything else \
than rules and associated content doesn't  really matter, and improvements to how \
rules are defined may become quite disruptive.<o:p></o:p></p> <p>However, a huge \
number of subjects would like to use the high-level aspect of the project - profiles \
in datastreams that you can feed to the scanner right away, and that will scan your \
system. We get a huge number of requests for profiles, and we try to  make things \
easier to profile authors, so they can start contributing to ComplianceAsCode, and we \
can focus on rules and on the testing infrastructure.<o:p></o:p></p> <p>I disagree \
that we introduce new features just for the sake of creativity, and again, the \
announcement that started this discussion was about a backwards-compatible \
improvement that profile authors are on board with. In other words, this won't break \
anything,  so you can relax about this.<o:p></o:p></p>
<p>I am really curious though what is it that broke your builds. Could you please \
share some details? We may be able to help, or to at least do a better job in this \
regard next time.<o:p></o:p></p> <p>Best regards,<br>
Matej<o:p></o:p></p>
<div>
<p class="MsoNormal">On 08. 06. 20 16:07, Trey Henefield wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Hi \
Matej,</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">I see \
what you're saying.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">It \
does improve readability.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Ultimately, \
automation is king. I had some code in the project once upon a time that would \
improve visibility of coverage of the requirements. Pulling the data from  the source \
requirements (i.e. STIG), then aligning that data with the STIG overlay to identify \
total coverage of the STIG, then aligning that data with the mapped OVAL rules to \
identify overall coverage of requirements by the checks and remediations included.  \
This probably could have been extended to compare the rules in the STIG profile with \
the rules in the STIG overlay to identify rules in the overlay not captured in the \
profile and rules in the profile that don't align to a requirement in the STIG \
overlay.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">I \
still respectfully disagree with you.</span><o:p></o:p></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">The \
goal of this project is to provide content that facilitates helping organizations \
meet requirements. From the consumer side of this, this project is pretty pointless  \
if it only gets you a fraction of the way there. To make this project useful, it \
needs to be more complete and accurate. Having it build better or include a better \
way showing what few requirements are addressed doesn't provide any value add if it \
still doesn't  increase the percentage of coverage of requirements to be validated \
and mitigated.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">You \
can change the frame of a picture, but it doesn't change the \
picture.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">I just \
want to give you the perspective from a user of this content. I can't use the content \
as it's provided. I have to go in and address all the issues and add  code to get \
compliant for our systems. But for the many other users out there that don't have the \
luxury of understanding how to deal with updating the code, they end up with a \
solution that gets them compliant after days\hours of manual changes to fix the  \
issues it causes and make up for the lack of coverage where it \
doesn't.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">If the \
goal of this project is to be a pet project for developers to try new things and be \
creative, then I can understand your current direction.</span><o:p></o:p></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">If the \
goal of this project is to help users in meeting industry standards with applicable \
software instaled, then the direction should be to provide complete and  accurate \
checks and remedations. This is what end users really need and would value most from \
this project.</span><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">Best \
regards,<br> <br>
<br>
</span><b><span style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB">Trey \
Henefield, CISSP</span></b><o:p></o:p></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770;mso-fareast-language:EN-GB">Cyber \
Security Manager<br> <br>
<br>
<br>
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Ultra</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#1F497D;mso-fareast-language:EN-GB">
 </span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Intelligence \
&amp; Communications</span><o:p></o:p></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">4101 \
Smith School Road</span><o:p></o:p></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Building \
IV, Suite 100</span><o:p></o:p></p> <p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">Austin, \
TX 78744 USA<br> T</span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#4785D1;mso-fareast-language:EN-GB">:</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB"> \
&#43;1 512 327  6795 ext. 647</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">M</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#4785D1;mso-fareast-language:EN-GB">:</span><span \
lang="EN-GB" style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#595959;mso-fareast-language:EN-GB">
  &#43;1 512 541 6450</span><span lang="EN-GB" \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:black;mso-fareast-language:EN-GB"><br>
 </span><span lang="EN-GB" style="color:#5B6770"><a \
href="http://www.ultra.group"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#0563C1;mso-fareast-language:EN-GB">ultra.group</span></a></span><o:p></o:p></p>
 </div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#5B6770">&nbsp;</span><o:p></o:p></p>
 <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Matej Tyc <a \
href="mailto:matyc@redhat.com">&lt;matyc@redhat.com&gt;</a> <br>
<b>Sent:</b> Monday, June 8, 2020 4:52 AM<br>
<b>To:</b> <a href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a><br>
 <b>Subject:</b> Re: Policy source data format proposal is ready for \
comments<o:p></o:p></p> </div>
</div>
<p class="MsoNormal">&nbsp;<o:p></o:p></p>
<p>Hello Trey,<o:p></o:p></p>
<p>the change that is discussed here is a backwards-compatible one, so it wouldn't \
break anything for you.<o:p></o:p></p> <p>I understand your pain, but as the \
repository increases in size both in rule count and profile count, actions need to be \
taken so the project retains its level of maintainability. For example, the recent \
redesign of templates was quite disruptive, but it  also fixed tens of rules that \
nobody had capacity to fix before.<o:p></o:p></p> <p>This change aims to introduce \
possibility to reuse chunks of rules between profiles, and to make profile \
definitions easier to read and to maintain.<o:p></o:p></p> <p>How would you rate \
maintainability of <a \
href="https://github.com/ComplianceAsCode/content/blob/master/rhel7/profiles/ncp.profile">
 https://github.com/ComplianceAsCode/content/blob/master/rhel7/profiles/ncp.profile</a> \
and of <a href="https://github.com/ComplianceAsCode/content/blob/master/rhel8/profiles/ospp.profile">
 https://github.com/ComplianceAsCode/content/blob/master/rhel8/profiles/ospp.profile</a> \
? Both profiles select over hundred of rules, and I am sure that the RHEL7 profile \
would make it very difficult for anybody to determine whether a rule is missing, or \
the  profile is complete. The RHEL8 profile has comments that make things more clear, \
and the proposal we are discussing in this thread basically moves things one step \
further, from optional comments to a schema. It will still be possible to do things \
the old way  though.<o:p></o:p></p>
<p>I am sure that all contributors feel disappointed when contributions are not \
accepted, and trust me, it happens to everybody. I would recommend you to have a fork \
with all rules that were rejected upstream added.<o:p></o:p></p> <p>You say that the \
immediate focus should be content completeness and accuracy. I think that this should \
be the long-term focus. When you have incorrect copy-pasted code, the immediate thing \
to do is not fixing it again by more copy-pasting, but one should  rather remove the \
copy-pasting, if it is possible. Unfortunately, this is what breaks the backwards \
compatibility, but it is always for a good reason.<o:p></o:p></p> <p>If you have a \
particular backward-compatibility problem, please tell us, and we may write a blog \
post about it, so porting your old code will be fast and efficient: <a \
href="https://complianceascode.github.io"> \
https://complianceascode.github.io</a><o:p></o:p></p> <p>Best regards,<br>
Matej Tyc<o:p></o:p></p>
<div>
<p class="MsoNormal">On 05. 06. 20 20:25, Trey Henefield wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
This won't solve the problems with your content.<br>
<br>
The problem is that there has been pushback to accept community suggestions due to \
personal perferences. There is much more focus on continuously changing the structure \
of the project, than the content of the project.<br> <br>
The ultimate goal for this project should be to provide checks and remediations that \
accurately reflect (no more and no less) what is required by a particular \
regulation.<br> <br>
Regaurdless of what default behaviors are present in the RedHat operating system, if \
a configuration is required to be explicitly configured, it should be configured. So \
that the intent of what the requirement is explicitly requiring is addressed. Saying \
that  this does not apply because it does this already, does not hold well when this \
content is used and this discrepency has to be explained to validators.<br> <br>
Our organization has basically gave up contributing and maintain our own personal \
branch to ensure we provide solutions that meet the needed requirements.<br> <br>
To greatly improve this project, the immediate focus needs to be on content \
completeness and accuracy. This would provide the best value this project could offer \
to the community.<br> <br>
The structure of this project and how to better improve it should be a secondary \
focus, with these structural changes better thought out and implemented, before being \
integrated into the project. These major changes should be introduced less frequently \
(1 or  2 times a year) to allow contributors time to complete their changes. Just \
about every two months when a new release is pushed, we have to redo allot of stuff \
we did to get our changes working in the new release. This is very time consuming and \
difficult to  maintain.<br>
<br>
I truly hope someone there at RedHat is finally listening to this and takes our \
advice.<br> <br>
Best regards,<br>
<br>
<br>
Trey Henefield, CISSP<br>
Cyber Security Manager<br>
Ultra Intelligence &amp; Communications<br>
4101 Smith School Road<br>
Building IV, Suite 100<br>
Austin, TX 78744 USA<br>
T: &#43;1 512 327 6795 ext. 647<br>
M: &#43;1 512 541 6450<br>
<a href="http://ultra.group">ultra.group</a><br>
<br>
-----Original Message-----<br>
From: Jan Cerny <a href="mailto:jcerny@redhat.com">&lt;jcerny@redhat.com&gt;</a> <br>
Sent: Friday, June 5, 2020 9:36 AM<br>
To: SCAP Security Guide <a href="mailto:scap-security-guide@lists.fedorahosted.org">
&lt;scap-security-guide@lists.fedorahosted.org&gt;</a><br>
Subject: Policy source data format proposal is ready for comments<br>
<br>
Hi,<br>
<br>
The policy source data format proposal is available and ready for comments. The text \
has been submitted as a pull request on GitHub to make the discussion easier using \
comments and reviews.<br> See <a \
href="https://github.com/ComplianceAsCode/content/pull/5817" target="_blank"> \
https://github.com/ComplianceAsCode/content/pull/5817</a><br> We are looking forward \
to seeing your feedback on GitHub.<br> <br>
What is it about? We will use the policy source data format to improve development of \
our profiles. It will allow us to store security controls and requirements in the \
repository and then define profiles by using their IDs instead of separate rules.<br> \
<br> This is done in order to solve the problem that there is no easy way to \
demonstrate to profile stakeholders the status of their profile.<br> <br>
Intended workflow:<br>
<br>
* SME identifies security controls the policy consists of. Those controls serve as \
                direct input for our profiles.<br>
* SME goes through controls, and makes sure that they are sufficiently covered by \
                rules.<br>
* SME fine-tunes the profile by overriding a couple of individual rules in the \
profile file.<br> <br>
Once the format is accepted we can start developing tools that support this new \
workflow.<br> <br>
In future, we can also use it for further refactoring, for example streamlining the \
generation of HTML tables.<br> <br>
Best regards<br>
<br>
--<br>
Jan Černý<br>
Security Technologies | Red Hat, Inc.<br>
_______________________________________________<br>
scap-security-guide mailing list -- <a \
href="mailto:scap-security-guide@lists.fedorahosted.org"> \
scap-security-guide@lists.fedorahosted.org</a><br> To unsubscribe send an email to <a \
href="mailto:scap-security-guide-leave@lists.fedorahosted.org"> \
scap-security-guide-leave@lists.fedorahosted.org</a><br> Fedora Code of Conduct: <a \
href="https://docs.fedoraproject.org/en-US/project/code-of-conduct" target="_blank"> \
https://docs.fedoraproject.org/en-US/project/code-of-conduct</a><br> List Guidelines: \
<a href="https://fedoraproject.org/wiki/Mailing_list_guidelines" target="_blank"> \
https://fedoraproject.org/wiki/Mailing_list_guidelines</a><br> List Archives: <a \
href="https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org" \
target="_blank"> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org</a><br>
 <br>
<br>
<br>
<o:p></o:p></p>
<p style="margin-bottom:12.0pt"><b><span \
style="font-size:7.5pt;font-family:&quot;Verdana&quot;,sans-serif;color:#666666">Disclaimer</span></b><span \
style="font-size:7.5pt;font-family:&quot;Verdana&quot;,sans-serif;color:#666666"><br> \
The information contained in this communication from <b><a \
href="mailto:trey.henefield@ultra-ats.com">trey.henefield@ultra-ats.com</a> </b>sent \
at 2020-06-05 14:25:25 is private and may be legally privileged or export controlled. \
It is intended solely for use by <b><a \
href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a>
 </b>and others authorized to receive it. If you are not <b><a \
href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a>
 </b>you are hereby notified that any disclosure, copying, distribution or taking \
action in reliance of the contents of this information is strictly prohibited and may \
be unlawful.</span><o:p></o:p></p> <p class="MsoNormal"><br>
<br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>scap-security-guide mailing list -- <a \
href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a><o:p></o:p></pre>
 <pre>To unsubscribe send an email to <a \
href="mailto:scap-security-guide-leave@lists.fedorahosted.org">scap-security-guide-leave@lists.fedorahosted.org</a><o:p></o:p></pre>
 <pre>Fedora Code of Conduct: <a \
href="https://docs.fedoraproject.org/en-US/project/code-of-conduct/">https://docs.fedoraproject.org/en-US/project/code-of-conduct/</a><o:p></o:p></pre>
 <pre>List Guidelines: <a \
href="https://fedoraproject.org/wiki/Mailing_list_guidelines">https://fedoraproject.org/wiki/Mailing_list_guidelines</a><o:p></o:p></pre>
 <pre>List Archives: <a \
href="https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahos \
ted.org">https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org</a><o:p></o:p></pre>
 </blockquote>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>scap-security-guide mailing list -- <a \
href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a><o:p></o:p></pre>
 <pre>To unsubscribe send an email to <a \
href="mailto:scap-security-guide-leave@lists.fedorahosted.org">scap-security-guide-leave@lists.fedorahosted.org</a><o:p></o:p></pre>
 <pre>Fedora Code of Conduct: <a \
href="https://docs.fedoraproject.org/en-US/project/code-of-conduct/">https://docs.fedoraproject.org/en-US/project/code-of-conduct/</a><o:p></o:p></pre>
 <pre>List Guidelines: <a \
href="https://fedoraproject.org/wiki/Mailing_list_guidelines">https://fedoraproject.org/wiki/Mailing_list_guidelines</a><o:p></o:p></pre>
 <pre>List Archives: <a \
href="https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahos \
ted.org">https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org</a><o:p></o:p></pre>
 </blockquote>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>scap-security-guide mailing list -- <a \
href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a><o:p></o:p></pre>
 <pre>To unsubscribe send an email to <a \
href="mailto:scap-security-guide-leave@lists.fedorahosted.org">scap-security-guide-leave@lists.fedorahosted.org</a><o:p></o:p></pre>
 <pre>Fedora Code of Conduct: <a \
href="https://docs.fedoraproject.org/en-US/project/code-of-conduct/">https://docs.fedoraproject.org/en-US/project/code-of-conduct/</a><o:p></o:p></pre>
 <pre>List Guidelines: <a \
href="https://fedoraproject.org/wiki/Mailing_list_guidelines">https://fedoraproject.org/wiki/Mailing_list_guidelines</a><o:p></o:p></pre>
 <pre>List Archives: <a \
href="https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahos \
ted.org">https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org</a><o:p></o:p></pre>
 </blockquote>
</div>
</body>
</html>


["image001.jpg" (image/jpeg)]
[Attachment #7 (unknown)]

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic