I'm piggybacking on what Shawn is saying because I routinely bump into the FIPS and Common Criteria issue.
Common Criteria is actually easier to hand-wave around since I haven't seen many systems that stick to CC as documented. FIPS is more difficult since it is quite concrete and, until that changes, any non-FIPS-certified system cannot be used to protect sensitive information.

This is the section from the CMVP website that always hits home:

"FIPS 140-2 precludes the use of unvalidated cryptography *for the cryptographic protection* of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing *no protection* to the information or data - in effect the data would be considered unprotected plaintext. *If the agency specifies that the information or data be cryptographically protected*, then FIPS 140-2 is applicable."

In essence, if cryptography is required, then it must be validated.

Mapping Arch is definitely a good idea but, in theory, you can't do anything that requires data protection, like SSH, until Arch has a FIPS 140-2 approved cryptographic module (or Q4 2018 rolls around and/if the automated system rolls out).

Hopefully this is helpful.

Thanks,

Trevor

On Mon, Apr 17, 2017 at 2:28 PM, Major Hayden <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 04/17/2017 12:42 PM, [email protected] wrote:
> > My name is Tim Bradt. I am a software developer at Signature Research, Inc. I have been charged with getting SCAP up and running on some of our systems.
> >
> > We are running Arch Linux. I was wondering what the process would be for porting the RHEL7 guide to Arch as we need the DISA STIG for system approval.
>
> Hello Tim,
>
> As others have mentioned already, the big job is to get an actual standard assembled for Arch Linux. Once that's done, writing SCAP content or other scripts is much more straightforward.
>
> We've tried to tackle a translation of the RHEL 7 STIG into something that works for CentOS 7 and Ubuntu 16.04:
>
> https://github.com/openstack/openstack-ansible-security
> https://docs.openstack.org/developer/openstack-ansible-security/
>
> (There's also a RHEL 6 STIG implementation for Ubuntu 14.04, but we're deprecating that now.)
>
> Some of that work may help you figure out how to translate the RHEL 7 STIG requirements for Arch Linux. Feel free to reach out if you need pointers. :)
>
> --
> Major Hayden
>
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
