Kazuwa facebook?

________________________________________
From: 面和毅 <[email protected]>
Sent: Thursday, November 16, 2017 1:10 AM
To: SCAP Security Guide
Subject: Re: CentOS CESA OVAL file

Dear Shawn-san,

> CIS maintains their content outside of the CentOS community and has no
> relation with the SCAP Security Guide project. You'd have to check with CIS
> about their baselines.

Sorry, I posted this question to the wrong ML. I'll ask the question on the CIS ML.

> Not sure anyone has asked before. Generally lack of a license means default
> copyright laws apply... no reproduction/distribution/derivative works.
> Clearly that's not the Red Hat way and something that should get cleared up.
>
> Consider emailing [email protected] to get an official answer.

Thanks. I'll ask the ML to get an official answer.

> You'll also want to review what the CentOS team had to say about their CVE
> process. They make no claims their patches align to Red Hat CVEs -- which is
> why the Red Hat OVAL feed does not support scanning of CentOS hosts. You may
> be giving users a very false sense of security. Even more so for regulated
> environments (who would actually be checking for CVEs).
>
> https://lists.centos.org/pipermail/centos/2014-May/143094.html

Thanks for the information. I understood the relation between the CentOS team and CVEs.
I respect that the Red Hat Security team is keeping their distro secure.
I'll add several comments on CentOS security issues when I put several documents/files on my github.

Kind Regards,
OMO

2017-11-16 11:00 GMT+09:00 Shawn Wells <[email protected]>:
>
> On 11/15/17 8:08 PM, 面和毅 wrote:
> > Dear all,
> >
> > I'm writing an openscap article for a Web magazine (ThinkIT/Japan),
> > then I found CentOS OVAL file's CESA-2017:XX is not included in it.
> >
> > https://oval.cisecurity.org/repository/download/5.11.1/compliance/centos_linux_7.xml
> >
> > Does somebody know what the status of the xml file is?
>
> CIS maintains their content outside of the CentOS community and has no
> relation with the SCAP Security Guide project. You'd have to check with CIS
> about their baselines.
>
> > I wish to update it if it will not be released, but before doing it
> > I just want to know if there is any reason to stop developing the xml file.
>
> What's your goal? Would the SSG CentOS content work, or are you looking to
> develop something with CIS (they are two different communities)?
>
> > Also, I modified the Red Hat OVAL file for CentOS 7.
> > But I guess there is some problem if I publish it
> > on my github, right?
> >
> > https://www.redhat.com/security/data/oval/
>
> Not sure anyone has asked before. Generally lack of a license means default
> copyright laws apply... no reproduction/distribution/derivative works.
> Clearly that's not the Red Hat way and something that should get cleared up.
>
> Consider emailing [email protected] to get an official answer.
>
> You'll also want to review what the CentOS team had to say about their CVE
> process. They make no claims their patches align to Red Hat CVEs -- which is
> why the Red Hat OVAL feed does not support scanning of CentOS hosts. You may
> be giving users a very false sense of security. Even more so for regulated
> environments (who would actually be checking for CVEs).
>
> https://lists.centos.org/pipermail/centos/2014-May/143094.html
>
> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Kazuki Omo: [email protected]
OSS & Security Evangelist
OSS Business Planning Dept.
CISSP #366942
Tel: +81364015149

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
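Omo-san's finding above (a CIS CentOS OVAL file with no CESA-2017 definitions) is exactly the kind of feed staleness a scanner operator should check for before trusting scan results on a host. The following Python is added here and is not code from the thread, from CIS or from Red Hat: it inventories advisory references in an OVAL definitions file by source and year and reports which expected years have no advisories at all; the `<reference source="CESA">` layout, the `oval:example:*` ids and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# OVAL 5.x definitions namespace used by the Red Hat and CIS feeds.
OVAL_NS = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
# Vendor advisory ids look like RHSA-2017:1234 or CESA-2017:1234.
ADVISORY_RE = re.compile(r"^(RHSA|CESA)-(\d{4}):\d+$")

# Constructed sample, not taken from any real feed: two CentOS patch
# definitions from 2016 and one CVE-only vulnerability definition. The
# <reference source="CESA"> convention is an assumption for illustration.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="patch"><metadata>
      <title>CESA-2016:1234: example update</title>
      <reference source="CESA" ref_id="CESA-2016:1234" ref_url="https://example.invalid/1"/>
      <reference source="CVE" ref_id="CVE-2016-0001"/>
    </metadata></definition>
    <definition id="oval:example:def:2" version="1" class="patch"><metadata>
      <reference source="CESA" ref_id="CESA-2016:5678" ref_url="https://example.invalid/2"/>
    </metadata></definition>
    <definition id="oval:example:def:3" version="1" class="vulnerability"><metadata>
      <reference source="CVE" ref_id="CVE-2017-0002"/>
    </metadata></definition>
  </definitions>
</oval_definitions>"""


def advisory_inventory(xml_text):
    """Count patch definitions per (advisory source, year), e.g. {('CESA', 2016): 2}."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    for definition in root.iter(OVAL_NS + "definition"):
        if definition.get("class") != "patch":
            continue  # only vendor patch definitions carry advisory ids
        for ref in definition.iter(OVAL_NS + "reference"):
            match = ADVISORY_RE.match(ref.get("ref_id", ""))
            if match:
                counts[(match.group(1), int(match.group(2)))] += 1
    return dict(counts)


def missing_years(inventory, source, expected_years):
    """Years in expected_years for which the feed has no advisory from `source`."""
    present = {year for (src, year) in inventory if src == source}
    return [year for year in expected_years if year not in present]
# missing_years(advisory_inventory(SAMPLE_OVAL), "CESA", [2016, 2017]) -> [2017]
```

Run it against the downloaded CentOS or Red Hat OVAL file and compare the newest year present with the current year; a gap like the 2017 one in the sample means the feed cannot tell you about that year's patches.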
