The US Federal government, Dept of Homeland Security, operates a program called CDM (Continuous Diagnostics and Monitoring). CDM mandates the use of some kind of statistics gathering tool to run on all Linux systems, and primarily this focuses on patch management. While individual Federal agencies can pick their own preferred tools for CDM compliance, many such agencies choose to use BigFix. Formerly an IBM product, BigFix is now operated by a company called HCL (HCL Software).
Now to the point of my email…with the demise of stable CentOS 8, the inherent instability of CentOS 8 Stream, and the high cost of RHEL 8…many Federal agencies want to shift to using Rocky Linux 8…especially as support for CentOS 7.9 is phased out. To make this a reality, we need for BigFix to have support for reporting patch management status for Rocky Linux.
I’m opening this thread so we can have a discussion about what it will take to make this a reality. I am not claiming that it is the full responsibility of Rocky Linux to enable this…but perhaps there is something Rocky Linux can do to grease the wheels? How do we get a conversation going between maintainers of Rocky Linux and the people who maintain BigFix?
NASA NCCS Cloud Computing Lead
Goddard Space Flight Center
I think it’s more a case of the other way around: for BigFix to support RHEL or Rocky Linux, rather than the other way around. Rocky in reality doesn’t need to do anything. HCL or BigFix need to adapt their product so that it supports whatever distributions it needs to. So in reality, users of HCL/BigFix should be contacting them and making requests for them to support Rocky. The more people that do that, the more chance they will actually do something about it.
HCL/BigFix are more likely to listen to the companies and users that pay them to use their software, because if they didn’t act on their requests, people would stop buying it.
We’ve tried that approach.
BigFix Idea | Support for Rocky Linux - Platform - BigFix Forum, among others.
Unfortunately, it presents a chicken and egg problem for environments requiring CDM – where we can’t exactly run Rocky without support from the security tools, and if we can’t run it, why would we need the tools to support it?
We’re hoping the Rocky Linux Foundation reaching out to HCL Tech and asking about support will break the logjam. This, and FIPS 140-3 certification will allow the deployment of Rocky in many more federal installations.
Jonathan, you have not clarified which part doesn’t work with Rocky. Browsing to the HCL website would put me off anyway, as it’s just marketing nonsense. The exact technical details of the system requirements and how it could/would work are buried too deep to waste time on, but it appears to support some versions of RHEL, so it should work with Rocky.
Be careful, because some “security” software actually makes things worse; for a start, you’d be giving the HCL installer root access to your servers, and their software might not be 100% open source, so you can’t audit it.
As soon as you install any kind of closed source software (as root) you may as well give up on security.
Bigfix provides vulnerable package feeds and various baseline assessment/enforcement feeds (such as CIS and DISA) for various operating systems.
These include the now-defunct CentOS, as well as RHEL and Oracle.
We’re required to run this as part of existing on a federal network.
We need those feeds for free alternatives to RHEL. You’ll have to take my word for it, trying to munge it on our (consumer) side would be a full time job and an atrocious career choice.
What we need, and what would be easier by far, is for HCL to publish data feeds for Rocky (and other CentOS replacements). Honestly, they could get really far by a $pick-your-tool search and replace on the incoming streams before “Bigfixing” them.
(I work with Jonathan – I’m the security guy he likes so much.)
This same problem existed or maybe still exists with Tenable/Nessus as they also need the CIS/DISA stuff. I will need to check once I am on my computer to see if Tenable resolved this or if they are still waiting on CIS/DISA.
It seems Tenable did what they needed to do to support Rocky Linux: Tenable Community
Therefore, since they also rely on CIS/DISA to add support to their product, there should be zero problems for BigFix to do this.
They (users of Tenable/Nessus) also requested for them to add it which can be seen here: Tenable Community
As for FIPS, there are threads on this forum about it already, it is coming, but it takes time.