> Existing NIST and Red Hat documentation on OpenSCAP says that it's for > enterprise-level Linux infrastructure. The possibilities of SCAP protocol: [1] http://scap.nist.gov/ [2] http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf [3] http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol are not limited to enterprise-level Linux infrastructure. More from [2]: SCAP is a multi - purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. > Is any Fedora 21 product targeted > mainly for enterprise deployment? The vice versa view. Rather effort to use security configuration, vulnerability and patch management also in Fedora product(s) (provide necessary tools to allow it). The content itself will differ depending on the fact if it's used in enterprise-level or academic / personal-level (enterprise-level companies required their systems to meet the federal agencies standards for example etc.), but security hardening guides / tips are applicable to Fedora OS instances too (IOW you don't need to be an enterprise-level company to require / prefer system to be secured and have ways how to tune in various aspects of system's security). So this proposal is to provide such tools. > Is OpenSCAP being retargeted for general > purpose level infrastructure. Not sure it was ever dedicated / restricted to be enterprise-level only. From [3]: "The Security Content Automation Protocol (SCAP), pronounced “ess-cap”, combines a number of open standards that are used to enumerate software flaws and configuration issues related to security ... It is a method for using those open standards for automated vulnerability management, measurement, and policy compliance evaluation." There's nothing about it being exclusive just to enterprise-level infrastructure (actually in contrast the open standards are highlighted couple of times above). Of course writing the content requires time & resources. So it's more likely enterprise-companies will have dedicated funds to support content creation of their needs. But the standard itself (AFAICT) doesn't enforce / allows it to be used in enterprise-level infrastructure only. > If so, will (or should) at least a significant > minority, say 33%, of GUI installer using end-users make use of this > feature? The answer depends how many Fedora users care about security of their Fedora systems and would be interested / willing to spend some time to harden it via the possibilities provided by this proposal. > > What does setting a security profile in Anaconda achieve that can't be done, > or done as effectively, post-install? Of course there exists other ways how to achieve the same. The motivation why the proposal should get into wider user knowledge / awareness being it's flexibility when trying to manage security configuration, vulnerability checks, and also patches. There exists means how the provided security policy can be adjusted to reflect the particular targeted purpose (profiles modified to contain just subset of provided rules, apply various subsets to various systems etc.) -- for example via the scap-workbench tool: https://fedorahosted.org/scap-workbench/ Naturally it can be done via post-install for example too. The question is how that implementation would be adaptable to new requirements / security policy change requirements during the time / based on targeted system's application though. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team > > > Chris Murphy > -- > devel mailing list > devel@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
