On Mon, 2009-11-23 at 18:10 -0800, Adam Williamson wrote: > On Mon, 2009-11-23 at 19:38 -0500, Matthias Clasen wrote: > > > How that translates in packages and defaults is not really the most > > important part, but the plan is to have strict package defaults + a > > policy package that makes things work. > > > > The important part is that we QA the combination, not just the strict > > defaults. > > Right. If the Grand Plan is to go down this path, then what I've been > referring to as 'the security policy' would include the policies defined > for each spin, and hence any testing QA did for any given spin would > involve the policy defined for that spin. > > Having said that - is everyone agreeing that it's fine for each spin SIG > to be entirely in charge of defining and implementing security policy > for each spin? At the very least, that would possibly be problematic > given the known border issues between 'the desktop spin' and 'Fedora'. > Just another issue contributing to why we would need to settle that. > Honestly, leaving PackageKit wide open would only make sense. All operating systems that I'm aware of generally install open and require the end user to shore up their own installation because from the engineer's point of view they want the operating system to work on everyone's computer so they do things like leave the firewall wide open and allow you to login to ssh as root. Of course being able to flip a couple of switches to shut that down is more than appropriate. I'm not saying that I agree with this open policy, however. Many people don't know that they should do anything to secure their computers from install. It's also a pain to harden these systems after each install. I've often thought about doing a spin for those of us that use Fedora within the U.S. Government or U.S. Military that would be pre-hardened and ready to go. Just install and go. It would pass NIST and DISA controls from the get go. While that would also be great for home users it might be a bit overkill (or maybe not). If Fedora (and every other operating system) wants to make a change in security posture the hardening script similar to the one that comes with MySQL would be a great place to start. The user would install the software and go through the standard installation stuff and then would be presented by a little icon on their desktop that when selected would ask them simple questions that would automagically harden their system depending on the answers. Would be a heck of a lot better than going through the NSA's RHEL Hardening Guide (which is an awesome text, by the way). Just my 2 cents worth. --Eric
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
