Re: F21 Self Contained Change: Security Policy In The Installer

On 14 March 2014 16:24, Eric H. Christensen <sparks@xxxxxxxxxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Fri, Mar 14, 2014 at 08:01:53PM +0000, Matthew Garrett wrote:
> On Fri, Mar 14, 2014 at 03:56:47PM -0400, Eric H. Christensen wrote:
> > On Fri, Mar 14, 2014 at 07:45:53PM +0000, Matthew Garrett wrote:
> > > The failure mode of making the wrong choice regarding an encrypted
> > > partition or the default user being an administrator involves the system
> > > *continuing to work*. The failure mode of making the wrong choice
> > > regarding security policy is that things you expect to work mysteriously
> > > don't.
> >
> > What exactly do you think would be done with one of these policies?  You seem to think that an incorrect choice will brick a system.
>
> If an incorrect choice means that the software the user wants to run
> won't run, that's going to be a problem for the user. And we presumably
> expect that some software won't run, because otherwise we'd be enabling
> that security feature by default? A user who accidentally installs a
> profile that enables FIPS compliance is going to have a bad time, for
> instance.

No, that's not exactly it.  I've pointed out reasons why defaults usually suck (security-wise).  I've yet to see a hardened system make software fail.  I'd love some examples of your concerns.  I also don't understand why FIPS compliance will make a user have a bad time since I've been on systems that were fully FIPS compliant and didn't have any problems.


You need to do more technical support :). 

FIPS compliance can break all kinds of software because it limits what algorithms you can use and various software will be configured to use MD5 or some other algorithm which isn't FIPS allowed. This shows up a lot in certain environments where they are mandated to run a program from 2001 and also be FIPS compliant. [Or the http certificate is signed with a cert that uses MD5 or some other key.]

I have also had enough users who have run Bastille and turned everything on and then have very unusable systems because the box now has no network, no approved logins, no X and is only listening on a serial port which does not exist on the hardware. [This is not a dig at Bastille and other scripts. They can be used to set up for specific security plans if you know what you are doing; if not, you are using an atomic bomb to hunt voles in your garden.]

I have to help people who have to run government mandated scanners on their networks but do things that make SELinux even in permissive mode stop stuff. [Symantec back in 2008 from my email.]

Let us just say a lot can be broken depending on what security policy you are setting things to. Most of the time it is going to be stuff we don't ship or control.

--
Stephen J Smoogen.
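The breakage Stephen describes with FIPS mode is something you can probe for before committing a system to the policy. The script below is an added example, not code from the thread or from Fedora's installer work; it assumes a Linux kernel that exposes /proc/sys/crypto/fips_enabled and a Python whose hashlib is backed by OpenSSL, which refuses non-approved digests such as MD5 when FIPS mode is enforced (hashlib raises ValueError at construction time, which is the "mysteriously doesn't work" moment for a program configured to use MD5). The CANDIDATE_DIGESTS list and the function names are my own choices for illustration.

```python
"""Probe which digests a FIPS-enforcing crypto stack will refuse.

Added example, not part of the mailing-list post. Assumes Linux
(/proc/sys/crypto/fips_enabled) and an OpenSSL-backed hashlib that raises
ValueError for non-approved algorithms when FIPS mode is enforced.
"""
import hashlib
from pathlib import Path

# Kernel flag that userspace crypto libraries consult to enforce FIPS mode.
FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")

# Digests a legacy application might have been configured with (constructed
# list for the example). Whether each one is usable is decided by the crypto
# library at run time, which is exactly what bites old software under FIPS.
CANDIDATE_DIGESTS = ("md5", "sha1", "sha256", "sha384", "sha512")


def is_fips_enabled() -> bool:
    """Return True if the kernel reports FIPS mode; False if the flag is absent."""
    try:
        return FIPS_FLAG.read_text().strip() == "1"
    except OSError:
        return False


def probe_digests(names=CANDIDATE_DIGESTS) -> dict:
    """Map each digest name to whether the running crypto stack will construct it."""
    result = {}
    for name in names:
        try:
            hashlib.new(name)
            result[name] = True
        except ValueError:
            # The library refused the algorithm (e.g. MD5 under FIPS). A
            # program whose config names it fails here, not at install time.
            result[name] = False
    return result


def non_security_checksum(data: bytes):
    """Checksum data for integrity-only use (cache keys, dedup), FIPS or not.

    usedforsecurity=False (Python 3.9+) declares the digest is not a security
    control; if the stack still refuses MD5, fall back to SHA-256 instead of
    crashing. Returns (algorithm, hexdigest).
    """
    attempts = (
        lambda: hashlib.md5(data, usedforsecurity=False),
        lambda: hashlib.md5(data),  # older Python without the keyword
    )
    for attempt in attempts:
        try:
            return "md5", attempt().hexdigest()
        except (TypeError, ValueError):
            continue
    return "sha256", hashlib.sha256(data).hexdigest()


def report() -> str:
    """Human-readable summary of what a FIPS policy would take away here."""
    lines = [f"fips_enabled: {is_fips_enabled()}"]
    for name, ok in probe_digests().items():
        lines.append(f"{name:7s} {'available' if ok else 'REFUSED'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it once on a test box with fips=1 on the kernel command line and once without: on a non-FIPS system every candidate is available; under an enforced FIPS policy the MD5 line flips to REFUSED, which is the state a 2001-era program or an MD5-signed certificate chain would hit at startup.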

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct