Re: F21 Self Contained Change: Security Policy In The Installer

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2014-03-13 at 15:27 +0100, Vratislav Podzimek wrote:
> On Thu, 2014-03-13 at 09:00 -0400, Jan Lieskovsky wrote:
> > > > There are many known tips and tricks how to make a system more secure,
> > > > often
> > > > depending on the use case for the system. With the OSCAP Anaconda Addon [1]
> > > > and the SCAP Security Guide [2] projects, we may allow users choosing a
> > > > security policy for their newly installed system.
> > > > 
> > > > What is the proposed default configuration/policy?
> > > 
> > > FWIW WRT to scap-security-guide content there's only one (common) profile
> > > at the moment. But it depends on the target group / volume / spin we would
> > > like
> > > this to be by default part of -- once this is clear in that case the profile
> > > can
> > > be adjusted / modified to prefer / select by default just rules intended for
> > > the
> > > target group of that system
> > > 
> > > So, let me be more specific: If I install using the most default setup
> > > possible (not touching the policy spoke), will the installed system be
> > > affected by the policy / different from what is packaged in the RPMs?
> > 
> > No (by default AFAICT). But since there will be oscap-anaconda-addon present
> > in the compose / distro (if this proposal got approved), the user *before* /
> > *in the moment* of the install will have chance to select which profile the
> > installed system should be compliant to / in conformance with once installed.
> > 
> > But should their preference be not to change / configure anything, they will
> > still have chance to "ignore" the proposed "Security Profile" anaconda field,
> > and use vanilla Fedora installation (as there wouldn't be the proposed enhancement
> > present at all).
> > 
> > Vrata, pls correct me if / where appropriate.
> The current behaviour of the addon is to *not* select any profile by
> default. So unless the user visits the spoke and chooses some profile
> (and doesn't toggle the "Apply security policy" switch), no changes will
> be done to the installed system. So it's "opt in" solution, not an "opt
> out" one.

Will the spoke's label have some text like "No security profile
selected" or somesuch when that's the case?

Presumably the "Begin Installation" is insensitive until the "Security
Profile" spoke is happy, like how other spokes work?

I like the overall idea, but I'm slightly nervous about the UI.  How, if
at all, do security policies affect the UI in the *other* spokes?
(sorry, I wasn't able to view your videos on this box, just the
screenshots).

For example, if you have a security profile which mandates that /tmp be
on a separate partition or logical volume, does this affect the UI in
the partitioning spoke?

Similarly, if the profile forbids package "telnet" from being installed,
does this show up somehow in the "Software Selection" spoke?  (e.g. what
if the user tries to manually select "telnet" within that spoke?).

Likewise, does the Profile's password complexity requirements affect the
password UI?

Or is it a case of: review the issues listed in the "Security Profile"
spoke, and figure out "how do I fix this?", switch to the appropriate
spoke, try to fix it, see if the Security Profile spoke is now happy,
else repeat.  That seems suboptimal, though what you've got may well be
good enough for a first iteration (and I'm not volunteering to hack on
it, so feel free to ignore me ;) ).

Hope this is constructive; as I said, I like the proposal.

Dave	

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux