On Thu, 2014-03-13 at 09:00 -0400, Jan Lieskovsky wrote: > > > There are many known tips and tricks how to make a system more secure, > > > often > > > depending on the use case for the system. With the OSCAP Anaconda Addon [1] > > > and the SCAP Security Guide [2] projects, we may allow users choosing a > > > security policy for their newly installed system. > > > > > > What is the proposed default configuration/policy? > > > > FWIW WRT to scap-security-guide content there's only one (common) profile > > at the moment. But it depends on the target group / volume / spin we would > > like > > this to be by default part of -- once this is clear in that case the profile > > can > > be adjusted / modified to prefer / select by default just rules intended for > > the > > target group of that system > > > > So, let me be more specific: If I install using the most default setup > > possible (not touching the policy spoke), will the installed system be > > affected by the policy / different from what is packaged in the RPMs? > > No (by default AFAICT). But since there will be oscap-anaconda-addon present > in the compose / distro (if this proposal got approved), the user *before* / > *in the moment* of the install will have chance to select which profile the > installed system should be compliant to / in conformance with once installed. > > But should their preference be not to change / configure anything, they will > still have chance to "ignore" the proposed "Security Profile" anaconda field, > and use vanilla Fedora installation (as there wouldn't be the proposed enhancement > present at all). > > Vrata, pls correct me if / where appropriate. The current behaviour of the addon is to *not* select any profile by default. So unless the user visits the spoke and chooses some profile (and doesn't toggle the "Apply security policy" switch), no changes will be done to the installed system. So it's "opt in" solution, not an "opt out" one. -- Vratislav Podzimek Anaconda Rider | Red Hat, Inc. | Brno - Czech Republic -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct