opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues
Other

Community ComplianceMasonry Content? #20

Closed shawndwells closed 7 years ago

shawndwells commented 7 years ago

At Red Hat we've quietly been using ComplianceMasonry to generate SSP packages for FISMA baselines. We're going to open source our work, and I'm trying to find a home for upstream collaboration.

Is there an intent for OpenControl to host technology-specific content? For example, github.com/opencontrol/{rhel7 ubuntu-lts}?

(bump to @gregelin, as we spoke on this at RSA)

openprivacy commented 7 years ago

Very interested in this. Been looking at using OpenControl to reproduce an existing SSP built on RHEL/7 for a while, finally getting close to making it happen.

Once a standard baseline exists in a github repo, an enclave could fork and tailor for their base requirements, and then use branches for each of the instances. Greg and I have been pushing these ideas around for a while now.

  • can we get a sneak peek at what you've put together?

Next steps may include:

  • integrating testing/verification/evidence gathering
  • integrating the system baseline with access control and application level controls

The future is bright! Thanks, Shawn and Red Hat! =Fen

gregelin commented 7 years ago

Shawn,

I think the Open Control community would be interested in hosting the content.

I’ll double check on the Open Control Slack Channel.

Greg Elin

afeld commented 7 years ago

Yep, happy to have the content under the @opencontrol org, or folks can keep the repositories under their own orgs. Creator's choice! @shawndwells Just added you as a member, so you should be all set if you want to create a repo here.

anweiss commented 7 years ago

Would repo mirroring be too redundant?

gregelin commented 7 years ago

@shawndwells can correct me if I am wrong, but I think the pattern RedHat likes is to publish RedHat Enterprise Linux as a kind of compendium of upstream, community-run open source projects.

For example, Fedora Linux is the upstream community-managed project from which RedHat Enterprise Linux is a downstream packaging. Likewise, Python.org is the upstream community-managed project from which RHEL gets its Python libraries. Of course, RedHat has a process to review and certify the source code of upstream in order to provide long term support and RedHat uses subscriptions revenue to pay RedHat staff to contribute to upstream projects.

I believe @shawndwells is proposing OpenControl becomes the community that wrangles and coordinates the open source project that would be OpenControl content for Fedora, RHEL, and CentOS -- and any other flavor of Linux we might want to support. I believe Shawn and his team would also continue to contribute to the project, just like they contribute to OpenSCAP, etc.

RedHat could host the OpenControl repo, but then as a community we'd be beholden to RedHat's agenda. If we are the upstream project, then we can organize the project so its structure is more advantageous to the larger Linux community.

shawndwells commented 7 years ago

RedHat follows an upstream-first mentality, e.g.:

Each technology forms its own community. While Red Hat may be a leading contributor to those projects, the very last thing we want is to 'brand' them as RedHat, e.g. github.com/redhat/$thing, as it alludes to authoritarian ownership over the project. In the OpenSCAP space, the largest contributor to the RHEL7 STIG was actually Northrop Grumman. Debian-based devs represent a portion of the community and package for inclusion in Ubuntu.

OpenControl content for RedHat-based components (docker, linux, middleware, etc) would inherently be specific to the Red Hat distribution (vs, say, Pivotal or Ubuntu). Thought about using the existing github.com/redhatgov area to serve as upstream, but really want to steer away from implying total ownership of the content. Also didn't want to fracture the community, forcing community members to look at dozens of vendors upstream to find the various components they need.

Talked through GitHub mirroring, but we kept circling back to "if a place should be a mirror, why not just make it upstream?"

IMHO, having various OpenControl-formatted component content posted directly to github.com/opencontrol helps make a focal point for a larger development community. Closest analogy I have would be building the SCAP content community.... if people had to look at github.com/redhat, github.com/ubuntu, github.com/oracle, github.com/centos.... it would have been overwhelmingly frustrating to find what you need. Would also lead to potential differences between each distribution's content formatting, build systems, and packaging.

shawndwells commented 7 years ago

The end-game is to build dynamically composed C&A packages that include the following pieces:

And need some peripheral things:

In the Red Hat realm the OpenSCAP community develops guides, security automation content, bash scripts, and recently took on ansible content. The build process works, there is a community, but it's been a Frankenstein process of bolting on functionality into a project that was intended only to write SCAP content.

Current thinking is to break apart the roles (prose guidance vs SCAP vs remediation) into their own communities; using OpenControls as the gateway into the composable C&A packages.

Extended attributes of the OpenControl format, e.g. covered_by[], can be used to link to other build systems.

Or at least that's the current idea.
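As an added example (my code, not Shawn's, Red Hat's or the OpenControl project's), here is how the covered_by[] links in a component.yaml can be walked and checked before a composed package trusts them: each link should resolve to a verification record (an OpenSCAP rule, an Ansible task, ...) and any dangling or cross-component reference should be reported rather than silently dropped. The component, its keys and URLs are constructed, and the field layout is my assumption of the OpenControl 3.0.0 component schema.

```python
# Resolve OpenControl covered_by[] links to verification evidence.
# Constructed example, not from the thread or any project: the parsed
# component.yaml is embedded as a dict so it runs without PyYAML. Field
# layout follows OpenControl component schema 3.0.0 as I know it (assumption).

# Constructed sample: a Linux baseline component whose evidence lives in
# external build systems (an OpenSCAP rule and an Ansible task).
COMPONENT = {
    "name": "Example Linux Baseline",
    "key": "EXAMPLE_LINUX",  # hypothetical component key
    "schema_version": "3.0.0",
    "verifications": [
        {"key": "SCAP_SSHD_NO_ROOT", "type": "URL",
         "path": "https://example.invalid/scap/sshd_disable_root_login"},
        {"key": "ANSIBLE_SSHD_NO_ROOT", "type": "URL",
         "path": "https://example.invalid/ansible/sshd_disable_root_login.yml"},
    ],
    "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AC-6",
         "covered_by": [{"verification_key": "SCAP_SSHD_NO_ROOT"},
                        {"verification_key": "ANSIBLE_SSHD_NO_ROOT"}]},
        {"standard_key": "NIST-800-53", "control_key": "AU-2",
         # Typo in the key: this reference dangles and must be reported.
         "covered_by": [{"verification_key": "SCAP_AUDITD_RULES"},
                        # Points at another component's evidence; needs that
                        # component's file to resolve, so it is reported too.
                        {"component_key": "OTHER_COMP",
                         "verification_key": "SCAP_AUDITD_RULES"}]},
    ],
}


def resolve_covered_by(component):
    """Return (resolved, unresolved) for one component.

    resolved:   {control_key: [evidence paths]} for links into this component.
    unresolved: [(control_key, component_key, verification_key)] for links to
                an unknown verification or to a different component.
    """
    index = {v["key"]: v for v in component.get("verifications", [])}
    own_key = component.get("key")
    resolved, unresolved = {}, []
    for sat in component.get("satisfies", []):
        ctrl = sat["control_key"]
        for ref in sat.get("covered_by", []):
            comp_key = ref.get("component_key", own_key)
            vkey = ref["verification_key"]
            if comp_key == own_key and vkey in index:
                resolved.setdefault(ctrl, []).append(index[vkey]["path"])
            else:
                unresolved.append((ctrl, comp_key, vkey))
    return resolved, unresolved
```

Running the same walk over every component in a package before it is composed gives a complete evidence map and a list of links that still need fixing or another component's file.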

anweiss commented 7 years ago

I'm actually with @afeld on this ... I think we should provide vendors with flexibility as to the source of their content; especially given constraints around licensing, trademarks, etc.

anweiss commented 7 years ago

What if we were to update the open-control.org site with a dedicated listing of supported Vendors and links to their repos? Very similar to what we already have today with the "Members" page -> http://open-control.org/members/.

shawndwells commented 7 years ago

Hey Guys, wanted to say thanks for the help over the past few months. We did an official release with Microsoft 👍

https://blogs.msdn.microsoft.com/azuregov/2017/06/05/red-hat-releases-partner-azure-blueprint-for-openshift-on-azure-government/

And a nerdier tech blog:

https://shawnwells.io/2017/05/13/tackling-compliance-with-opencontrol/

We've started to work with different CCSPs (Amazon, Microsoft) and are hoping for others to get content built. Will also be starting to add content for other RHT tech in the coming month.

Customer demand has really surged when we started sharing the link between OpenControl + OpenSCAP + Ansible. Expecting to spend a lot of time in the OpenControl community this summer :)