Date:      Tue, 26 Mar 2019 17:42:43 +0000 (UTC)
From:      Paul Pathiakis <pathiaki2@yahoo.com>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        "ports@freebsd.org" <ports@freebsd.org>
Subject:   Re: Port Request:  OpenSCAP
Message-ID:  <1639606763.11770976.1553622163518@mail.yahoo.com>
In-Reply-To: <20190326170539.lk7y23qrnvkfj7x7@mutt-hbsd>
References:  <1184691884.11773818.1553619768857.ref@mail.yahoo.com> <1184691884.11773818.1553619768857@mail.yahoo.com> <20190326170539.lk7y23qrnvkfj7x7@mutt-hbsd>

Sorry for the top-post.
Shawn,
It seems that NIST, FIPS 140-2, and things along those lines are quickly becoming a complete reality for all people dealing with the US Gov't no matter what the size company.
So, encryption modules must be FIPS approved for compliance and NIST 800-171 is the other compliance that is needed.

I've been tasked with creating an entire, new infrastructure that meets/complies with those specs. So, I dug in a little bit and found SCAP which led to OpenSCAP. So, I get to put the whole thing behind pfSense firewalls and show that everything I'm running is compliant with both standards.


Does HardenedBSD meet the requirements? :D (crosses fingers)
Paul

On Tuesday, March 26, 2019, 1:06:25 PM EDT, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:

On Tue, Mar 26, 2019 at 05:02:48PM +0000, Paul Pathiakis via freebsd-ports wrote:
> https://www.open-scap.org/
>
> Hi all,
>
> It's the US NIST scanner for operating system compliance.
>
> I'd like to use FreeBSD and FreeNAS in various places but it has to pass compliance.

I just asked my coworkers about it. They created OpenSCAP. :)

What compliance requirements are you looking to pass?

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
Date: Tue, 26 Mar 2019 13:49:48 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Paul Pathiakis <pathiaki2@yahoo.com>
Cc: "ports@freebsd.org" <ports@freebsd.org>
Subject: Re: Port Request:  OpenSCAP
Message-ID: <20190326174948.5szc5y5sax6pohxj@mutt-hbsd>
References: <1184691884.11773818.1553619768857.ref@mail.yahoo.com>
 <1184691884.11773818.1553619768857@mail.yahoo.com>
 <20190326170539.lk7y23qrnvkfj7x7@mutt-hbsd>
 <1639606763.11770976.1553622163518@mail.yahoo.com>
In-Reply-To: <1639606763.11770976.1553622163518@mail.yahoo.com>



I'm not really a compliance guru, so I can't say whether HardenedBSD
comes closer to <insert compliance spec here>. I have looked into
Common Criteria/NIAP briefly for US Federal Government deployments in
certain high-security enclaves. HardenedBSD does come closer with
CC/NIAP, though there are still gaps to fill.

Have you looked at OPNsense? It's a fork of pfSense built on top of
HardenedBSD.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

On Tue, Mar 26, 2019 at 05:42:43PM +0000, Paul Pathiakis wrote:
> Sorry for the top-post.
> Shawn,
> It seems that NIST, FIPS 140-2, and things along those lines are quickly becoming a complete reality for all people dealing with the US Gov't no matter what the size company.
> So, encryption modules must be FIPS approved for compliance and NIST 800-171 is the other compliance that is needed.
>
> I've been tasked with creating an entire, new infrastructure that meets/complies with those specs. So, I dug in a little bit and found SCAP which led to OpenSCAP. So, I get to put the whole thing behind pfSense firewalls and show that everything I'm running is compliant with both standards.
>
>
> Does HardenedBSD meet the requirements? :D (crosses fingers)
> Paul
>
> On Tuesday, March 26, 2019, 1:06:25 PM EDT, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
> On Tue, Mar 26, 2019 at 05:02:48PM +0000, Paul Pathiakis via freebsd-ports wrote:
> > https://www.open-scap.org/
> >
> > Hi all,
> >
> > It's the US NIST scanner for operating system compliance.
> >
> > I'd like to use FreeBSD and FreeNAS in various places but it has to pass compliance.
>
> I just asked my coworkers about it. They created OpenSCAP. :)
>
> What compliance requirements are you looking to pass?
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder and Security Engineer
> HardenedBSD
>
> Tor-ified Signal:    +1 443-546-8752
> Tor+XMPP+OTR:        lattera@is.a.hacker.sx
> GPG Key ID:          0x6A84658F52456EEE
> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
