Re: Security testing: need for a security policy, and a security-critical package process

On Mon, 2009-11-30 at 15:17 -0500, Eric Christensen wrote:

> Gene,
> (Ahh... someone with a similar background...)
> So the biggest question, to me, is to what standard do we start?
> There are plenty to choose from from DISA to NIST.  I, personally,
> find the NSA's "Guide to the Secure Configuration of Red Hat
> Enterprise Linux 5" very good and might be a good place to start.  I'm
> not saying that we do everything that is in the guide but maybe take
> the guide and strike things out that don't make sense and add stuff to
> it that does make sense.

Thanks for the thoughts, Gene and Eric. You seem to be running a long
way ahead here :). I should probably say that I think I mistitled the
thread: what I was really thinking about here is not 'security', but the
more limited area of 'privilege escalation'. I'm not sure we're ready to
bite off a comprehensive distro-wide security policy yet, to the extent
you two are discussing.

Where I'm currently at is that I'm going to talk to some Red Hat /
Fedora security folks about the issues raised in all the discussions
about this, including this thread, and then file a ticket to ask FESCo
to look at the matter, possibly including a proposed policy if the
security folks help come up with one. And for the moment, only really
concerned with the question of privileges.

Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org

