Jan Lieskovsky (jlieskov@xxxxxxxxxx) said: > > Is any Fedora 21 product targeted > > mainly for enterprise deployment? > > The vice versa view. Rather effort to use security configuration, vulnerability and patch > management also in Fedora product(s) (provide necessary tools to allow it). The > content itself will differ depending on the fact if it's used in enterprise-level > or academic / personal-level (enterprise-level companies required their systems > to meet the federal agencies standards for example etc.), but security hardening guides / tips > are applicable to Fedora OS instances too (IOW you don't need to be an enterprise-level company > to require / prefer system to be secured and have ways how to tune in various aspects > of system's security). So this proposal is to provide such tools. > > > Is OpenSCAP being retargeted for general > > purpose level infrastructure. > > Not sure it was ever dedicated / restricted to be enterprise-level only. From [3]: > > "The Security Content Automation Protocol (SCAP), pronounced “ess-cap”, combines > a number of open standards that are used to enumerate software flaws and configuration > issues related to security ... It is a method for using those open standards for > automated vulnerability management, measurement, and policy compliance evaluation." > > There's nothing about it being exclusive just to enterprise-level infrastructure > (actually in contrast the open standards are highlighted couple of times above). Of course > writing the content requires time & resources. So it's more likely enterprise-companies > will have dedicated funds to support content creation of their needs. But the standard > itself (AFAICT) doesn't enforce / allows it to be used in enterprise-level infrastructure only. > > > If so, will (or should) at least a significant > > minority, say 33%, of GUI installer using end-users make use of this > > feature? > > The answer depends how many Fedora users care about security of their Fedora systems and would > be interested / willing to spend some time to harden it via the possibilities provided > by this proposal. I'm looking at this from a different angle. Do we, out of the box in anaconda, have a spoke for configuring SELinux policy specifics (or downloading new policies)? Do we, out of the box in anaconda, have a spoke for setting the F21 crypto policy feature, or password encryption algorithms, or the firewall? I think a similar level works here - I see no issues with support of this in anaconda that's exposed in kickstart, or post-install support for easily applying a policy that an organization might have. But for the interactive install case, I think we're probably better served by just choosing secure defaults rather than having a specific screen in the installer for every user. Bill -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
