Date:      Tue, 26 Mar 2019 17:57:02 +0000 (UTC)
From:      Paul Pathiakis <pathiaki2@yahoo.com>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        "ports@freebsd.org" <ports@freebsd.org>
Subject:   Re: Port Request:  OpenSCAP
Message-ID:  <2101587517.11783325.1553623022141@mail.yahoo.com>
In-Reply-To: <20190326174948.5szc5y5sax6pohxj@mutt-hbsd>
References:  <1184691884.11773818.1553619768857.ref@mail.yahoo.com> <1184691884.11773818.1553619768857@mail.yahoo.com> <20190326170539.lk7y23qrnvkfj7x7@mutt-hbsd> <1639606763.11770976.1553622163518@mail.yahoo.com> <20190326174948.5szc5y5sax6pohxj@mutt-hbsd>

Just came across that about 4 mos ago.  :)  Seemed like the next generation of tighter security for pfSense.

So, HardenedBSD is a fork of FreeBSD that is pushing in more defense (passive/active) into all the FreeBSD derivatives?  Very cool.  Nicer to have something that only has 20 or so CVEs every year versus 200 or more. ;)

I just followed a large number of links and found G2 as well.  Nice!
OpenSCAP, if it could at least give me some sense and peace of mind that I can run it, get a result on paper and show the 'certifiers' that we have complied, I'd be very happy.

Thank you for responding so quickly!
P

    On Tuesday, March 26, 2019, 1:50:34 PM EDT, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:

 I'm not really a compliance guru, so I can't say whether HardenedBSD
comes closer to <insert compliance spec here>. I have looked into
Common Criteria/NIAP briefly for US Federal Government deployments in
certain high-security enclaves. HardenedBSD does come closer with
CC/NIAP, though there are still gaps to fill.

Have you looked at OPNsense? It's a fork of pfSense built on top of
HardenedBSD.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera@is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

On Tue, Mar 26, 2019 at 05:42:43PM +0000, Paul Pathiakis wrote:
>  Sorry for the top-post.
> Shawn,
> It seems that NIST, FIPS 140-2, and things along those lines are quickly becoming a complete reality for all people dealing with the US Gov't no matter what the size company.
> So, encryption modules must be FIPS approved for compliance and NIST 800-171 is the other compliance that is needed.
>
> I've been tasked with creating an entire, new infrastructure that meets/complies with those specs.  So, I dug in a little bit and found SCAP which led to OpenSCAP.  So, I get to put the whole thing behind pfSense firewalls and show that everything I'm running is compliant with both standards.
>
>
> Does HardenedBSD meet the requirements? :D  (crosses fingers)
> Paul
>
>
> On Tuesday, March 26, 2019, 1:06:25 PM EDT, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
>  On Tue, Mar 26, 2019 at 05:02:48PM +0000, Paul Pathiakis via freebsd-ports wrote:
> > https://www.open-scap.org/
> >
> > Hi all,
> >
> > It's the US NIST scanner for operating system compliance.
> >
> > I'd like to use FreeBSD and FreeNAS in various places but it has to pass compliance.
>
> I just asked my coworkers about it. They created OpenSCAP. :)
>
> What compliance requirements are you looking to pass?
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder and Security Engineer
> HardenedBSD
>
> Tor-ified Signal:    +1 443-546-8752
> Tor+XMPP+OTR:        lattera@is.a.hacker.sx
> GPG Key ID:          0x6A84658F52456EEE
> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE

References: <20190323213940.GA74509@www.zefox.net>
 <c2fd7325-ad2e-afbb-4f5b-3223e530d6d3@freebsd.org>
 <20190326021459.GA87373@www.zefox.net>
 <b8fcb348-6dd6-38b0-f1a3-fa84214bc7b3@freebsd.org>
In-Reply-To: <b8fcb348-6dd6-38b0-f1a3-fa84214bc7b3@freebsd.org>
From: Jonathan Chen <jonc@chen.org.nz>
Date: Wed, 27 Mar 2019 07:07:24 +1300
Message-ID: <CAJuc1zP+q6bTndL9ShCH=0wfdS5TrbWOqaAwEJNa97dM+40wUw@mail.gmail.com>
Subject: Re: Can't compile www/node on rpi2
To: "Bradley T. Hughes" <bhughes@freebsd.org>
Cc: bob prohaska <fbsd@www.zefox.net>, freebsd-ports@freebsd.org

On Wed, 27 Mar 2019 at 00:24, Bradley T. Hughes <bhughes@freebsd.org> wrote:
> On 2019-03-26 03:14, bob prohaska wrote:
> > On Mon, Mar 25, 2019 at 10:23:26PM +0100, Bradley T. Hughes wrote:
         ^~~~~~~~~~~~~~~~~~~~
> [snip]
>
> Looks like you need to upgrade www/libnghttp2 as well. :)
>
> > Thanks for reading, I'd be pleased to try any experiments suggested.
>
> In general, www/node requires that all dependencies are up-to-date. The
> port doesn't explicitly list minimum versions of its dependencies, but I
> am beginning to think that it should (this is not the first time I have
> seen this kind of problem).

You shouldn't have to list the minimum version for dependencies. If
someone is following the tip of the ports tree, it is expected that
all the port dependencies are up to date when building a port. All the
port-management tools in ports-mgmt assume this, and build
port-dependencies as required. When building ports, it is always best
to use one of the build-tools (ie: poudriere, synth, portmaster)
instead of by hand.

Cheers.
-- 
Jonathan Chen <jonc@chen.org.nz>


