ACK to these minor changes.
I don't see the value in noexec on /var/log and /var/log/audit, and there had better be clear value in anything that is added.
On 08/27/2012 08:05 PM, Shawn Wells wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 8/28/12 10:29 AM, Jeffrey Blank wrote:
ACK to these minor changes.
Pushed
I don't see the value in noexec on /var/log and /var/log/audit, and there had better be clear value in anything that is added.
Some places mount it with noexec as there should be no executables on those partitions, while others don't. Wanted to bring it up for discussion.
Yes indeed. But you've got bigger problems if somebody was able to start writing there to begin with. I was unable to conjure a security argument strong enough to justify typing this, much less requiring it.
While terribly tempting and very much in the C&A mindset, I would generally prefer that we avoid erecting gates like this: http://www.jokeroo.com/pictures/car/security-gate-fail.html
On 08/30/2012 09:43 PM, Shawn Wells wrote:
On 8/28/12 10:29 AM, Jeffrey Blank wrote:
ACK to these minor changes.
Pushed
I don't see the value in noexec on /var/log and /var/log/audit, and there had better be clear value in anything that is added.
Some places mount it with noexec as there should be no executables on those partitions, while others don't. Wanted to bring it up for discussion.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Allow me to describe the reasoning here a little bit more, also as a touchstone for future discussions.
For these queries, we must ask ourselves: 1) does this protect against some kind of threat? 2) does this satisfy (and not merely vaguely associate) with some kind of policy requirement?
No? Then flush it.
All the partitions for which we currently provide Rules to enforce the noexec option are those which could be used (by any user, or an unprivileged attacker) to trivially write executable content and run it. The other partitions you've mentioned do not have this issue as they do not permit unprivileged processes to write to them, and thus this threat does not exist. (And if this suddenly becomes possible, then root privileges have already been compromised.) Admittedly even requiring this noexec is not a strong defense, due to the plentiful presence of interpreters on the system, but we had judged it to have some value in disruption.
I will in the future try to engage in more informational discourse instead of just expressing aggravation. Yet the major point remains: current C&A processes thwart effective security behavior, because they consume time by requiring intricate focus on elements of relatively little importance. All pales in comparison to running the latest OS and applying all security updates. This project is intended to help make that possible.
On 08/31/2012 05:25 PM, Jeffrey Blank wrote:
Yes indeed. But you've got bigger problems if somebody was able to start writing there to begin with. I was unable to conjure a security argument strong enough to justify typing this, much less requiring it.
While terribly tempting and very much in the C&A mindset, I would generally prefer that we avoid erecting gates like this: http://www.jokeroo.com/pictures/car/security-gate-fail.html
On 08/30/2012 09:43 PM, Shawn Wells wrote:
On 8/28/12 10:29 AM, Jeffrey Blank wrote:
ACK to these minor changes.
Pushed
I don't see the value in noexec on /var/log and /var/log/audit, and there had better be clear value in anything that is added.
Some places mount it with noexec as there should be no executables on those partitions, while others don't. Wanted to bring it up for discussion.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
scap-security-guide@lists.fedorahosted.org
-
Jeffrey Blank -
Shawn Wells -
Shawn Wells