Shawn and all,

I am moving to the Product Business Unit as the JBoss Technology Evangelist. James Lopez will be leading the EAP content effort along with Shawn.

V/r
Kenneth W. Peeples, C|HFI, Security+
Red Hat Middleware Evangelist
OASIS and OMG Member
Cell: 843.636.3719
Office: 843.323.4261
[email protected]
http://www.redhat.com

----- Original Message -----
From: "Shawn Wells" <[email protected]>
To: [email protected]
Sent: Sunday, February 17, 2013 8:51:55 PM
Subject: Re: Draft RHEL6 STIG Released!

On 2/17/13 12:08 PM, Jeffrey Blank wrote:
>>> A patch would force the issue / be most helpful.
>>> Thanks for the feedback!
>>
>> Happy to help, let me know if this is how you would like the feedback
>> moving forward.
> Yes, definitely. A patch from someone (like yourself) whom we trust has
> tested it at least once is extremely valuable. This saves so much time!
>
>>>> I'm keeping track of everything as I develop the STIG content, so will
>>>> report back as I mow through everything.
> Great!
>
>>> "Content" remains a confusingly overloaded word. If it's not too much
>>> to ask, I'd request that everyone use it only to describe SCAP-formatted
>>> content, such as the STIG itself or the other SCAP content on
>>> scap-security-guide.
>>
>> Sorry, that's the Aqueduct side of me talking. By content I mean
>> remediation content.
> Okay, this makes it less confusing, so it is a step in the right
> direction, but will still be confusing in some contexts. Remediation
> content (in SCAP formats) has never really taken off, though I've heard
> some plans remain afoot. In fact I am still waiting on an email to the
> list from someone about this, cough cough...
>
> Here's an older slide deck discussing remediation formats:
> http://scap.nist.gov/events/2009/itsac/presentations/day3/Day3_DoD_Wojcik.pdf
>
> From my perspective, there's nothing wrong with calling them scripts.
> But of course you can call it whatever you'd like, just please be aware
> that it will cause some confusion when interacting with those in the
> SCAP world, where "content" tends to mean something formatted in some
> kind of (probably overengineered though highly flexible) XML schema.
>
> A possibility going forward is for RHEL 6 scripts from Aqueduct to be
> formatted into SCAP or SCAP-like formats (such as XCCDF <fix>es), at
> which time I'd be quite happy to call it remediation content.
>
> This is much like what SecState does, dynamically.
> But there is quite a bit up in the air here...
>
>> Agreed, there is an upcoming internal Aqueduct call happening next week in
>> regards to JBoss STIG remediation content. Hopefully yourself and/or
>> Shawn can attend.
> Yes -- please shoot me an invite. I'll definitely do so if I can (or
> send an alternate). Thanks!

That'd be great! Please include Kenny Peeples (who authored much of the EAP5 content). He lurks on this list, and I've BCC'd him to prod him a little ;)
