[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Security testing: need for a security policy, and a security-critical package process

On Tue, Dec 1, 2009 at 12:47, Gene Czarcinski <gene czarc net> wrote:
On Monday 30 November 2009 18:16:50 Adam Williamson wrote:
> Where I'm currently at is that I'm going to talk to some Red Hat /
> Fedora security folks about the issues raised in all the discussions
> about this, including this thread, and then file a ticket to ask FESco
> to look at the matter, possibly including a proposed policy if the
> security folks help come up with one. And for the moment, only really
> concerned with the question of privileges.
Start small with just privilege escalation and it can be grown to be something
more comprehensive.  FESco is the right place to go and see what the project
wants to do.

There is already a security policy in place.  It's not formalized nor is it written down but it's there.  It's the current posture of Fedora.  We set a root passphrase at the beginning of install and we give people the option of securing GRUB with a passphrase and encrypting the hard drive.  We also have the unwritten rule of user privileges.

It may be time to document our current posture to at least show where we are and the standard we expect all developers to live up to.   In the process of documenting you may find that we are lacking somewhere.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]