Comments (9)
Yes, the hardcoded packages are in the STIG as they're the FIPS-validated versions, plus a couple of updated packages specifically to meet STIG requirements.
I'm still thinking about how we can do something without using the commercial packages. It won't be a setup that could be used by organisations that actually need STIG compliance, but it should be at least interesting/useful to the community, e.g. security researchers.
from wiki.
@codyro yes, a CIS/STIG blog post sounds like a good idea. I'll work on that and maybe make it coincide with AlmaLinux/almalinux.org#563, by which time the updated benchmark should be published.
Tagging all of the tuxcare-specific bits so they can be skipped (most already are) and writing a README.md for CIS/STIG rather than just the whole repo is on my TODO list and obviously needs to be done before this wiki update.
> Tagging all of the tuxcare-specific bits so they can be skipped (most already are) and writing a README.md for CIS/STIG rather than just the whole repo is on my TODO list and obviously needs to be done before this wiki update.
Let me know if I can be of any assistance :).
I've separated the commercial stuff out (moved all tuxcare tags into tuxcare.yml) and added a README:
https://github.com/sej7278/virt-installs/tree/master/alma9_stig_ansible
For community users it has the caveat that it will upgrade them to 9.4, but it's nice to see that the hardening works for 9.x even if the STIG is, strictly speaking, for 9.2 only (due to FIPS validation) at the moment.
P.S. the CIS benchmark v2.0.0 got published on the 24th and I made a minor update, so the alma9cis stuff can be considered final for that too.
If possible, I prefer to keep paid/proprietary stuff out of any officially endorsed guides; otherwise, we're opening a can of worms for any product/service to inundate us with "guides" that are essentially ads for their services, putting us in an awkward situation.
Can Simon separate the TuxCare-specific stuff into another repository or branch? Or conversely, can he make a new one with any AL/EL-agnostic stuff in its own repository with an appropriate license (https://choosealicense.com/)?
Does the license here conflict with any of the TuxCare-specific stuff?
If we make an AlmaLinux repo to hold it, I can just not upload the STIG, I guess, and stick to the CIS benchmarks etc.; seems a shame though.
In the meantime if we link to my repo it just mentions using a TuxCare license key to get the FIPS packages etc:
We have a review process (this!) so we don't have to accept guides that are adverts.
I mentioned this to @sej7278 briefly on a call, but if we can have the playbooks either skip over the TuxCare portion(s) if the `esu_key` isn't defined or prompt the user with `vars_prompt` to handle it, so the user isn't required to register with TuxCare to follow the tutorial, I'd feel a lot better about this.
Are all of the TuxCare packages listed here necessary (w/ the hardcoded version as well), or can we use some from upstream directly instead?
I used to use the OSCAP remediations personally, but I prefer your playbooks after using them. I ended up tweaking a few tasks/tags so I could `--skip-tags tuxcare` and run through everything sans the commercial portion, which I find very useful. I think a good segment of our users would, too (or something similar), as I/we don't need full compliance in most cases. These playbooks would also see a ton more usage, which would benefit TuxCare/AlmaLinux more in the long run (IMO).
These are too helpful/good not to publish in some capacity, so if you're not comfortable tweaking some things, @sej7278, I think it's fine as long as it's very clear to the user that they will not be able to run these as-is without going through some hoops.
I'd go as far as saying we (me?)/you (if you have time) should write a blog post about their usage, as it's worth highlighting.
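The pattern the two comments above ask for (skip the TuxCare tasks when no `esu_key` is given, prompt with `vars_prompt`, and keep `--skip-tags tuxcare` working), shown as an added example playbook. This is not code from sej7278/virt-installs or from AlmaLinux; it assumes `esu_key` is the variable name, `tuxcare` is the tag, and that `tuxcare.yml` is a task file containing the pinned, FIPS-validated TuxCare package tasks, as the README layout described above suggests.

```yaml
# Added example, not from the sej7278/virt-installs repo.
# Assumptions: variable `esu_key`, tag `tuxcare`, and a task file
# tuxcare.yml that holds the TuxCare registration/package tasks.
- name: AlmaLinux 9 STIG hardening, TuxCare ESU packages optional
  hosts: all
  become: true

  # Ansible skips the prompt when the variable is already set with
  # -e esu_key=..., and uses the default in non-interactive runs.
  # Pressing Enter (empty key) selects the community path.
  vars_prompt:
    - name: esu_key
      prompt: TuxCare ESU key (press Enter to use stock AlmaLinux packages)
      private: true
      default: ""

  tasks:
    - name: Show which package path this run takes
      ansible.builtin.debug:
        msg: >-
          {{ 'TuxCare FIPS-validated packages'
             if esu_key | length > 0
             else 'stock AlmaLinux packages (not STIG-compliant)' }}

    # Tasks pulled in by import_tasks inherit both the tag and the
    # condition, so this whole section is skipped either when no key
    # was supplied or when the run uses --skip-tags tuxcare.
    - name: TuxCare ESU registration and pinned FIPS packages
      ansible.builtin.import_tasks: tuxcare.yml
      when: esu_key | length > 0
      tags: [tuxcare]

    # Community path: nothing is pinned, so the host moves to the
    # current 9.x release (the "upgrades to 9.4" caveat in the README).
    - name: Update stock packages
      ansible.builtin.dnf:
        name: "*"
        state: latest
      when: esu_key | length == 0
      tags: [community]
```

Two practical notes: the tasks inside tuxcare.yml that touch the key should set `no_log: true`, since `private: true` only hides the prompt input and does not stop the value from appearing in task output; and passing the key with `-e esu_key=...` leaves it in shell history, so a vaulted vars file is the better option for unattended runs.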