Skip to content
This repository has been archived by the owner on Nov 23, 2019. It is now read-only.

RHEL 7 and CentOS 7 benchmarks #27

Open
blakeblackshear opened this issue Aug 19, 2015 · 38 comments
Open

RHEL 7 and CentOS 7 benchmarks #27

blakeblackshear opened this issue Aug 19, 2015 · 38 comments

Comments

@blakeblackshear
Copy link

Any idea when these might be ready? My team and I would be happy to help.

@major
Copy link
Owner

major commented Aug 19, 2015

It's something I am working on as time allows. A little bit of work done so
far. Feel free to submit PR's!

Major Hayden
On Aug 19, 2015 1:09 PM, "Blake Blackshear" [email protected]
wrote:

Any idea when these might be ready? My team and I would be happy to help.


Reply to this email directly or view it on GitHub
#27.

@blakeblackshear
Copy link
Author

So the plan is to expand the scope of this repo to support CentOS 7? Is it
incorporated into the test process yet?
On Aug 19, 2015 5:42 PM, "Major Hayden" [email protected] wrote:

It's something I am working on as time allows. A little bit of work done so
far. Feel free to submit PR's!

Major Hayden
On Aug 19, 2015 1:09 PM, "Blake Blackshear" [email protected]
wrote:

Any idea when these might be ready? My team and I would be happy to help.


Reply to this email directly or view it on GitHub
#27.


Reply to this email directly or view it on GitHub
#27 (comment)
.

@major
Copy link
Owner

major commented Aug 20, 2015

Correct. There are enough similarities between CentOS 6 and 7 that we should be able to use the same repository. However, I could see the need to make an entirely separate repository for 7 so that the experience is cleaner.

What's your take on that?

@blakeblackshear
Copy link
Author

I think you can probably structure the role tasks to keep the separation
clean in the same place. We are happy to contribute.
On Aug 20, 2015 9:47 AM, "Major Hayden" [email protected] wrote:

Correct. There are enough similarities between CentOS 6 and 7 that we
should be able to use the same repository. However, I could see the need to
make an entirely separate repository for 7 so that the experience is
cleaner.

What's your take on that?


Reply to this email directly or view it on GitHub
#27 (comment)
.

@major
Copy link
Owner

major commented Aug 20, 2015

Hmm, I'll go back through the changes in the CentOS 7 benchmarks list and see just how much they differ.

@gamename
Copy link

Hi,
I'm one of blakeblackshear's Minions. We have a CentOS 7 image to experiment on. We've forked the repo and will let you know what happens.

@shawnsi
Copy link

shawnsi commented Aug 20, 2015

@major Its been a while since I've been down in the weeds but I think one repository is ideal and workable.

@blakeblackshear @gamename I'm not currently running EL7 but should be in the near future. Thank you (preemptively) for any contribution in that space.

@major
Copy link
Owner

major commented Aug 20, 2015

@gamename Awesome!

@shawnsi Glad we're on the same page. ;)

@shawnsi
Copy link

shawnsi commented Aug 20, 2015

I haven't read the EL 7 benchmarks yet but I suspect they vary enough to support task files per major version. It may make sense to use includes based on ansible_lsb.major_version.

If that variable is used in the task file path passed to an include task it should produce dynamic loading of the proper benchmark logic.

@major
Copy link
Owner

major commented Aug 20, 2015

I thought dynamic imports weren't possible in Ansible 1.9?

https://groups.google.com/forum/#!topic/ansible-project/PzA4Vb9SEmk

@blakeblackshear
Copy link
Author

We can just use a when statement for now. There are only 2 versions we need
to support. Dynamic imports are of limited use anyways. The files have to
be there to import.
On Aug 20, 2015 10:23 AM, "Major Hayden" [email protected] wrote:

I thought dynamic imports weren't possible in Ansible 1.9?

https://groups.google.com/forum/#!topic/ansible-project/PzA4Vb9SEmk


Reply to this email directly or view it on GitHub
#27 (comment)
.

@shawnsi
Copy link

shawnsi commented Aug 20, 2015

@major Good catch. I've started to believe ansible just does everything I think it should but apparently I've found an edge case here.

@blakeblackshear Take a look at http://docs.ansible.com/ansible/playbooks_best_practices.html#operating-system-and-distribution-variance linked in the link @major sent. You could also group on ansible_lsb.major_version if the benchmark differences warrant that approach.

@gamename
Copy link

@major Ok, I have the playbook running as an ansible provisioner on a CentOS 7.1 vagrant box. The code is committed to our fork of your repo. The playbook runs to the end error-free, but I haven't looked line-by-line to verify behavior is what it should be. Have a look at the fork if you're curious - or want to tell me what I'm doing wrong. :)

@blakeblackshear fyi

@focusaurus
Copy link

@gamename nice work. I think when: statements should be sufficient to handle most of the 6/7 differences.

@major
Copy link
Owner

major commented Aug 27, 2015

Testing out the fork for 7 support. For 4.1.1, I'm getting:

sysctl: cannot stat /proc/sys/kernel/exec-shield: No such file or directory

@Trikke76
Copy link

that line is not available anymore in cis for rhel 7
my fork works in my vagrant box but i suppose i have to check every line of the cis folder to see if things are added or removed.
Becarefull my fork is heavy modified compared to your original work.
https://github.com/Trikke76/cis-rhel-ansible

@major
Copy link
Owner

major commented Aug 27, 2015

@gamename Would you want to slap together a PR and I can try to get your code into a testing branch?

Or, I could fetch your code and put it into a branch. Either way.

@gamename
Copy link

@major Ok. Will work on it.

@shunopoli
Copy link

Has there been any progress on a rhel7?

@major
Copy link
Owner

major commented Oct 29, 2015

Not yet. I've received word that the repo might violate CIS' terms of use. Waiting to see if I can do anything else with this or if it will need to be taken down. :/

@Trikke76
Copy link

@major could you explain more about the violation ?
is it because of the name being used ?

@shawnsi
Copy link

shawnsi commented Oct 29, 2015

I suppose #3, 8, and 9 in the restrictions at
http://benchmarks.cisecurity.org/downloads/terms-of-use/ would be in
question. If this holds true then I will reevaluate use of CIS benchmarks
in my systems. Closed benchmarks and tools work against healthy secure
practices in my opinion.
On Oct 29, 2015 9:41 AM, "Patrik Uytterhoeven" [email protected]
wrote:

@major https://github.com/major could you explain more about the
violation ?
is it because of the name being used ?


Reply to this email directly or view it on GitHub
#27 (comment)
.

@major
Copy link
Owner

major commented Oct 29, 2015

@Trikke76 It's a 'derivative work', which doesn't fit the terms of use. Currently waiting on legal clarification.

@Trikke76
Copy link

@major thx for the clarification

@haisamido
Copy link
Contributor

@major I think a different branch would be good, one for CentOS6 and one for 7, etc.

@haisamido
Copy link
Contributor

@major any updates on the 'derivative work' issue?

@haisamido
Copy link
Contributor

@major any updates wrt to 'repo might violate CIS' terms of use' ?

@Trikke76
Copy link

As i have converted the complete CIS role for internal use working for rhel/centos 6/7 i asked the question myself to see if it can be made public. This is the response i got today:

Thank you for your email. We have just recently updated our licensing for our PDF versions of the publically available benchmarks to be under creative commons licensing. We are working to update our benchmarks accordingly to reflect the new licensing. I will be in touch shortly with copies of the RHEL/CentOS 6 & 7 benchmarks for your use. If you were to use the current versions available today it would not allow for use in github and would require you not reference CIS.

I appreciate your patience and plan to have you versions with new licensing in the next couple of days.

Thanks,

@shawnsi
Copy link

shawnsi commented Mar 28, 2016

@Trikke76 Thanks for the information!

I'm curious to see if the benchmark content is changing as well. If not, do we merely need to update references to the new benchmark documents with appropriate license (when available)?

@Trikke76
Copy link

No clue thats the only info i have so far
i suppose that the new pdf with benchmarks is different from the once they have now
will update once i have more info

@1davidmichael
Copy link

The new versions have been released using the creative commons licensing. Here is the blurb that talks about how it can be used in derivative works:

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
4.0 International Public License. The link to the license terms can be found at
https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
To further clarify the Creative Commons license related to CIS Benchmark content, you are
authorized to copy and redistribute the content for use by you, within your organization
and outside your organization for non-commercial purposes only, provided that (i)
appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you
remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified
materials if they are subject to the same license terms as the original Benchmark license
and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks
is subject to the prior approval of the Center for Internet Security

@major
Copy link
Owner

major commented May 25, 2016

Thanks for letting me know, @r0b0ticus. I'm no lawyer -- is that CC license compatible with Apache 2?

@1davidmichael
Copy link

@major I am no lawyer either I was hoping someone else would weigh in on the compatibility :)

@shawnsi
Copy link

shawnsi commented May 25, 2016

Its not explicitly compatible according to https://creativecommons.org/compatiblelicenses/. Then the question becomes whether this repository falls under this clause:

Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms...

The only clear way to move forward (read: without that lawyer) is to relicense this repository. I believe this would require introducing a contributor agreement and applying it retroactively to all work under the current license. @major Is that at all palatable to you?

@major
Copy link
Owner

major commented May 25, 2016

As an aside, I've started using the STIG to secure Ubuntu 14.04, 16.04 and CentOS 7 here: http://docs.openstack.org/developer/openstack-ansible-security/

CentOS 6 isn't planned for inclusion there, but CentOS 7 and RHEL 7 work fine!

@major
Copy link
Owner

major commented May 25, 2016

@shawnsi That could be possible, but I might need to ask for some professional legal help on this one.

@dbilling
Copy link

Not much activity here since May. Can you summarize where things are now and plans going forward for this repo regarding CentOS 7 and Ubuntu 14/16 upgrades? I can't tell from the above discussion if 1) licensing issues with CIS have caused all work to cease here permanently or 2) everything is OK and there's just been a lack of bandwidth to work on it?

@major
Copy link
Owner

major commented Nov 12, 2016

@dbilling It's gone quiet for now. I've put all of my effort behind this role:

https://github.com/openstack/openstack-ansible-security

It's more complete, better organized, and more thoroughly tested than this role.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants