On Wednesday, August 14, 2024 7:59:49 PM EDT pgnd wrote:
> > ...
> > Changing one setting isn't a lockdown. But if you're wondering about the
> > nature of the apparent difference, it's really just one is a strategy to
> > mitigate a comprehensive threat model vs default settings that are
> > easily changeable.
>
> sure. thx for the 'analysis'. but wrong choir ;-)

It's not an analysis; it's a confession. I'm probably the person most closely connected to this.

> @ desktop,
>
> install ubuntu + 1pass, all good
> install debian + 1pass, all good
> install redhat + 1pass, problems -> fixed by changing ptrace_scope default to = 1
> install fedora + 1pass, problems -> fixed by changing ptrace_scope default to = 1
>
> yes, it's an easy fix.
> and seems to work mostly without issue.

And millions of systems run in this config due to the DISA STIG. I don't remember if this was driven into other profiles like PCI DSS or CIS, but I wouldn't be surprised if it were.

> but it IS a fix, that's counter to the docs/default, that needs
> implementation -- and explaining. for a client adding 1pass to their
> RH/Fedora desktop mix, that results unfortunately in support calls.

Propose it as a system wide change. I'd give it a +1. (It's what I made RHEL do for security lockdowns.)

-Steve

> >> It'd be much cleaner if RH/Fedora & 1password hashed it out, and came to
> >> some reasonable outcome, or at least clear guidance / documentation.
> >>
> >> Particularly as Ubuntu/Debian already appear (?) to have made the switch
> >> to =1.
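To confirm that a persistent `ptrace_scope` change like the one discussed in this thread is the setting that actually wins at boot, the following added example (not part of the original message, and not Fedora or 1Password tooling) resolves which sysctl.d drop-in decides `kernel.yama.ptrace_scope`. It assumes systemd-sysctl's ordering rules; the function names and the sample file names are made up for the illustration.

```shell
#!/bin/sh
# Added example: which sysctl.d drop-in decides kernel.yama.ptrace_scope?
# Assumption (systemd-sysctl ordering): files apply in lexical order of file
# name across all directories, a file in a higher-priority directory masks a
# same-named file in a lower one, and the last assignment wins.
# Only the dotted key spelling is recognised. Function names are hypothetical.

# Usage: configured_ptrace_scope DIR...   (highest-priority directory first)
# Prints "<value> <file that set it>", or nothing if no drop-in sets the key.
configured_ptrace_scope() {
    tab=$(printf '\t')
    prio=0
    for dir in "$@"; do
        prio=$((prio + 1))
        for f in "$dir"/*.conf; do
            [ -e "$f" ] || continue
            printf '%s\t%s\t%s\n' "${f##*/}" "$prio" "$f"
        done
    done |
    LC_ALL=C sort -t "$tab" -k1,1 -k2,2n |
    awk -F '\t' '!seen[$1]++ { print $3 }' |
    while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*[#;]/ { next }                      # skip comment lines
            { line = $0; sub(/^[ \t]*-?/, "", line) }   # "-" prefix: ignore errors
            line ~ /^kernel\.yama\.ptrace_scope[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]*$/, "", line)
                print line, file
            }' "$f"
    done | tail -n 1
}

# Constructed sample tree: file names and contents are made up for the demo.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr"
    printf 'kernel.yama.ptrace_scope = 0\n' > "$root/usr/10-distro-default.conf"
    printf '# local hardening\nkernel.yama.ptrace_scope = 1\n' > "$root/etc/05-early.conf"
    printf '%s\n' "$root"
}

# The local drop-in sorts before the distro default, so the distro's 0 still wins.
demo=$(make_sample)
configured_ptrace_scope "$demo/etc" "$demo/usr"
rm -rf "$demo"
```

On a real host, pass `/etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d` and compare the result with the running value in `/proc/sys/kernel/yama/ptrace_scope`.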