Nick
@nick@shore.me.uk
156 following, 241 followers
@nick Yep, I have egress rules (and ingress rules), and everything is VLAN'd according to what it does. But that doesn't solve the problem here.
@neil @nick I can't speak entirely accurately here as I didn't do the arguing with the assessors, but at work we had the argument accepted that FOSS packages which had active maintenance and were actively updated in response to reported security issues had a "vendor". This covered both the OS (at the time CentOS, before RH/IBM blew it up as an Enterprise option; now Oracle Linux) and external packages or locally compiled FOSS packages like Exim.
We also have a CE+ network but that's separate.
@neil @nick For updates, we apply package updates every two weeks or immediately (after assessment of risk) for critical/security updates. That also satisfied the assessors.
I understand that the people doing the assessments can have different opinions but pragmatism seemed to be very much the order of the day for us.