On Monday 30 November 2009 18:16:50 Adam Williamson wrote:
On Mon, 2009-11-30 at 15:17 -0500, Eric Christensen wrote:
> Gene,
> (Ahh... someone with a similar background...)
>
> So the biggest question, to me, is to what standard do we start?
> There are plenty to choose from, from DISA to NIST. I, personally,
> find the NSA's "Guide to the Secure Configuration of Red Hat
> Enterprise Linux 5" very good and might be a good place to start. I'm
> not saying that we do everything that is in the guide but maybe take
> the guide and strike things out that don't make sense and add stuff to
> it that does make sense.
Thanks for the thoughts, Gene and Eric. You seem to be running a long
way ahead here :). I should probably say that I think I mistitled the
thread: what I was really thinking about here is not 'security', but the
more limited area of 'privilege escalation'. I'm not sure we're ready to
bite off a comprehensive distro-wide security policy yet, to the extent
you two are discussing.
But, you did say the right words for what is needed to do security QA and not
just privilege escalation.
Where I'm currently at is that I'm going to talk to some Red Hat /
Fedora security folks about the issues raised in all the discussions
about this, including this thread, and then file a ticket to ask FESco
to look at the matter, possibly including a proposed policy if the
security folks help come up with one. And for the moment, only really
concerned with the question of privileges.
Start small with just privilege escalation and it can be grown to be something
more comprehensive. FESco is the right place to go and see what the project
wants to do.
I suspect that most commercial and government customers will be interested in
Red Hat Enterprise Linux rather than Fedora. But, Fedora is the technology
base on which future Red Hat Enterprise Linux releases are built. The better
Fedora is, the more confidence customers will have in the Red Hat product.
Gene