On Wed, Dec 18, 2019 at 4:40 AM Shawn Wells <[email protected]> wrote:
> On 12/16/19 9:53 AM, Watson Sato wrote:
>
> Hello,
>
> Security Content for el7 and el8 systems are not the same, for example, there is support for crypto-policies in el8, and method to enable FIPS mode is different for each.
>
> And currently "rhv4 <https://github.com/ComplianceAsCode/content/tree/master/rhv4>" product is focused on el7, and it is expected to be supported for quite some time.
> Question: How can we better support el8 based hosts?
>
> One way is to "split" rhv4 product into two, creating one product for el7 based hosts and another for el8 based hosts.
> At the moment, the contents for RHV and RHEL are very similar, but as content for RHV improves there may be the need for RHV specific content.
> This approach would allow freedom for RHV content to grow and become specific as needed, while sharing content with their respective base enterprise linuxes.
>
> Thoughts?
>
>
> Thanks for starting this conversation.
>
> Why not draw a line in the sand and say the content is for a specific version of RHV and newer? For example RHV 4.3+.
>

Actually, that is an interesting idea.
As far as I know, versions up to RHV-4.3 have been using content from ssg-rhel7-ds.xml, as it contains RHV related profiles.
A specific RHV4 "product" for el7 may not be needed at all.

> Alternatively, many of the rules are operating system aware. If a RHEL7-focused check is enabled in the RHV profile, and the underlying host is RHEL 8-based, will the evaluation results show up as "notapplicable" with proper CPE usage?
>

Well, yes. But we don't label the rules with CPE for product specific versions.
There is 'prodtype' used to label the rules, but it is used to decide whether to include the rule in the DS. It is not used in any way for Rule applicability with CPE.

> _______________________________________________
> scap-security-guide mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>

--
Watson Sato
Security Technologies | Red Hat, Inc
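
An added example, not part of the thread and not ComplianceAsCode code: a simplified model of XCCDF evaluation-time applicability, showing why a rule that carries no `<platform>` label is still evaluated on an el8 host even if it was written with el7 in mind. The benchmark fragment and rule ids are constructed, `host_cpes` is assumed to be the set of CPE names the scanner has already found to apply to the host, CPE matching is reduced to exact string comparison, and build-time `prodtype` filtering is not modelled.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
RULE_TAG = "{%s}Rule" % NS["x"]

# Constructed XCCDF 1.2 fragment (not schema-complete); ids are invented.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_example_benchmark_rhv">
  <Group id="xccdf_example_group_crypto">
    <platform idref="cpe:/o:redhat:enterprise_linux:8"/>
    <Rule id="xccdf_example_rule_crypto_policy"/>
  </Group>
  <Rule id="xccdf_example_rule_fips_el7">
    <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  </Rule>
  <Rule id="xccdf_example_rule_unlabelled"/>
</Benchmark>"""


def matches(platforms, host_cpes):
    """No <platform> children means no restriction; otherwise one match suffices."""
    return not platforms or any(p in host_cpes for p in platforms)


def evaluate(xccdf_text, host_cpes):
    """Return {rule_id: 'applicable' | 'notapplicable'} for the given host CPEs."""
    results = {}

    def walk(parent, inherited_ok):
        for item in parent.findall("x:Group", NS) + parent.findall("x:Rule", NS):
            platforms = [p.get("idref") for p in item.findall("x:platform", NS)]
            # A Group's platform restriction also applies to everything inside it.
            ok = inherited_ok and matches(platforms, host_cpes)
            if item.tag == RULE_TAG:
                results[item.get("id")] = "applicable" if ok else "notapplicable"
            else:
                walk(item, ok)

    walk(ET.fromstring(xccdf_text), True)
    return results


if __name__ == "__main__":
    for cpe in ("cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:8"):
        print(cpe, evaluate(SAMPLE, {cpe}))
```
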
