Re: About sshd(8) PermitRootLogin=no

On 02/12/14 14:20, Eric H. Christensen wrote:
> On Mon, Dec 01, 2014 at 11:26:30PM +0100, Reindl Harald wrote:
> > many people are using Linux because they hope to know to some degree what
> > their computer is doing instead "something magically does something"
>
> > not that i personally don't have the knowledge to keep control but that's
> > not the point - to keep a difference between Linux and MS/Apple a Linux
> > distribution sometimes should follow "better safe than sorry" or in other
> > words "better ask instead get complaints why not asked"
>
> This makes a lot of sense.  I still agree with sane defaults that
> don't allow dumb things to happen out of the box but we should also be
> looking at ways for people to determine whether or not their systems
> are set up in an insecure manner.  Some of this already exists in the
> SCAP world but is mostly focused on compliance testing and not 'how to
> make sure I'm not going to get pwned'.
>
> Perhaps we need to make SCAP rules that check for obvious deficiencies
> and then make that incredibly easy for an admin to run.  Then issues
> like allowing root access via ssh (directly) would come up on the
> admin's radar and the admin could fix it.  There are many things I'm
> running on my server that I *hope* are configured appropriately.  It
> would be great if there was a way for my system to be scanned to see
> if there are things I could be doing better.
>
> -- Eric
>
I would just like to make sure that new users are aware of what we are
doing. We already have password quality controls and warnings in
anaconda. If we go along the path of root user+password and then the
need for a user login first to then sudo or su to root, I think we
should dump a warning or notification in anaconda. Further, this does
not appear to address the issue of remote installs via VNC/Spice. I am
not sure about the latest VNC and Spice, but do they now encrypt
traffic? I never looked into VNC changes in TigerVNC again, but I am
aware it supports extensions to that effect. Are these default though in
anaconda's VNC implementation, does it throw people out if they do not
use encryption or does it allow non-secure fallback?

Just a few thoughts on my part.

Regards,

Tristan

-- 

Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security




