Security testing: need for a security policy, and a security-critical package process

Eric Christensen eric at christensenplace.us
Tue Nov 24 03:36:58 UTC 2009


On Mon, 2009-11-23 at 18:10 -0800, Adam Williamson wrote:
> On Mon, 2009-11-23 at 19:38 -0500, Matthias Clasen wrote:
> 
> > How that translates in packages and defaults is not really the most
> > important part, but the plan is to have strict package defaults + a
> > policy package that makes things work. 
> > 
> > The important part is that we QA the combination, not just the strict
> > defaults. 
> 
> Right. If the Grand Plan is to go down this path, then what I've been
> referring to as 'the security policy' would include the policies defined
> for each spin, and hence any testing QA did for any given spin would
> involve the policy defined for that spin.
> 
> Having said that - is everyone agreeing that it's fine for each spin SIG
> to be entirely in charge of defining and implementing security policy
> for each spin? At the very least, that would possibly be problematic
> given the known border issues between 'the desktop spin' and 'Fedora'.
> Just another issue contributing to why we would need to settle that.
> 

Honestly, leaving PackageKit wide open would only make sense.  All
operating systems that I'm aware of generally install open and require
the end user to shore up their own installation because from the
engineer's point of view they want the operating system to work on
everyone's computer so they do things like leave the firewall wide open
and allow you to log in to ssh as root.  Of course being able to flip a
couple of switches to shut that down is more than appropriate.  

I'm not saying that I agree with this open policy, however.  Many people
don't know that they should do anything to secure their computers from
install.  It's also a pain to harden these systems after each install.
I've often thought about doing a spin for those of us that use Fedora
within the U.S. Government or U.S. Military that would be pre-hardened
and ready to go.  Just install and go.  It would pass NIST and DISA
controls from the get go.

While that would also be great for home users it might be a bit overkill
(or maybe not).  If Fedora (and every other operating system) wants to
make a change in security posture the hardening script similar to the
one that comes with MySQL would be a great place to start.  The user
would install the software and go through the standard installation
stuff and then would be presented with a little icon on their desktop that
when selected would ask them simple questions that would automagically
harden their system depending on the answers.  Would be a heck of a lot
better than going through the NSA's RHEL Hardening Guide (which is an
awesome text, by the way).

Just my 2 cents worth.

--Eric
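As an added illustration of the "flip a couple of switches" idea in the post above (this is example code written for this page, not Eric's, Fedora's, or any spin's tooling): one of the two open defaults he names is root login over ssh, and the smallest possible hardening step for it is to report and fix the `PermitRootLogin` keyword in an `sshd_config`. The script assumes standard sshd configuration semantics (the first non-comment occurrence of a keyword wins, keywords are case-insensitive, and `Match` blocks are not handled), treats any value other than an explicit `no` as open, and works on a constructed sample file so it runs without touching a real host.

```shell
#!/bin/sh
# Added example for this page: report and fix the sshd PermitRootLogin setting.
# Not Fedora tooling; written to illustrate a one-switch hardening check.

# Print the effective PermitRootLogin value from an sshd_config file.
# sshd honours the first non-comment occurrence of a keyword, so the first
# match is taken and the scan stops. Prints "unset" when the keyword is absent.
sshd_permit_root_login() {
    awk '
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed (return 0) only when root login over ssh is explicitly disabled.
# "yes", "prohibit-password" (key-based root login still allowed),
# "forced-commands-only" and "unset" (old OpenSSH releases defaulted to "yes")
# are all treated as open.
sshd_root_login_disabled() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# Write a hardened copy of a config: drop every existing PermitRootLogin
# line and put an explicit "PermitRootLogin no" first so it is what sshd uses.
harden_sshd_config() {
    {
        echo "PermitRootLogin no"
        awk 'tolower($1) != "permitrootlogin"' "$1"
    } > "$2"
}

# Constructed sample config for a stand-alone run (not taken from a real host).
write_sample_config() {
    cat > "$1" <<'EOF'
# Sample sshd_config fragment (constructed for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Stand-alone demo: show the open setting, harden it, show the result.
demo() {
    tmp=$(mktemp) && hardened=$(mktemp)
    write_sample_config "$tmp"
    echo "before: PermitRootLogin=$(sshd_permit_root_login "$tmp")"
    harden_sshd_config "$tmp" "$hardened"
    echo "after:  PermitRootLogin=$(sshd_permit_root_login "$hardened")"
    rm -f "$tmp" "$hardened"
}

demo
```

The check and the fix are separate functions on purpose: a hardening wizard of the kind the post sketches would run the check first, show the user what is open, and only then apply the change (and restart sshd) if they say yes.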