F21 Self Contained Change: Security Policy In The Installer
jreznik at redhat.com
Thu Mar 13 10:29:42 UTC 2014
= Proposed Self Contained Change: Security Policy In The Installer =
Change owner(s): Vratislav Podzimek <vpodzime at redhat.com>
There are many known tips and tricks how to make a system more secure, often
depending on the use case for the system. With the OSCAP Anaconda Addon 
and the SCAP Security Guide  projects, we may allow users choosing a
security policy for their newly installed system.
== Detailed Description ==
The OSCAP Anaconda Addon is a project implementing an Anaconda installer addon
integrating the installer with the OpenSCAP toolkit to provide nice UX when it
comes to security policy application. Its kickstart and GUI support allows
users choosing a security policy for the newly installed system in an easy and
nicely scaling way. The SCAP Security Guide project on the other hand focuses
on development of so-called SCAP content for Fedora, RHEL and other projects.
A SCAP content is a set of XML files defining rules that should be followed by
the system together with checks and fixes used to check and fix system's state.
It also defines profiles selecting some of the rules (or groups of rules)
targetting various use cases.
== Scope ==
We are basically all set. Both OSCAP Anaconda Addon (OAA) and SCAP Security
Guide (SSG) are packages that can be installed by lorax to the installation
compose (distributed images). The addon is then detected and loaded by the
installer and the SCAP content provided by the SSG is automatically detected
and loaded by the addon.
Of course a lot of future development is expected in both of the projects to
provide additional features, but even the current state provides nice features
and good UX.
* Proposal owners: Bug fixing of both the OAA and SSG is expected to be
required, but there are no known major bugs. Further development especially on
the SSG side may be requried to provide more security policies for various
* Release engineering: Few simple changes in the lorax templates will be
needed to make the OAA and SSG included in the installer images. Patches are
already available and will be submitted to the lorax maintainer (Brian Lane)
who has agreed to review and help with them.
More information about the devel-announce