Security testing: need for a security policy, and a security-critical package process
Adam Williamson
awilliam at redhat.com
Mon Nov 30 23:16:50 UTC 2009
On Mon, 2009-11-30 at 15:17 -0500, Eric Christensen wrote:
> Gene,
> (Ahh... someone with a similar background...)
>
> So the biggest question, to me, is to what standard do we start?
> There are plenty to choose from from DISA to NIST. I, personally,
> find the NSA's "Guide to the Secure Configuration of Red Hat
> Enterprise Linux 5" very good and might be a good place to start. I'm
> not saying that we do everything that is in the guide but maybe take
> the guide and strike things out that don't make sense and add stuff to
> it that does make sense.
Thanks for the thoughts, Gene and Eric. You seem to be running a long
way ahead here :). I should probably say that I think I mistitled the
thread: what I was really thinking about here is not 'security', but the
more limited area of 'privilege escalation'. I'm not sure we're ready to
bite off a comprehensive distro-wide security policy yet, to the extent
you two are discussing.
Where I'm currently at is that I'm going to talk to some Red Hat /
Fedora security folks about the issues raised in all the discussions
about this, including this thread, and then file a ticket to ask FESco
to look at the matter, possibly including a proposed policy if the
security folks help come up with one. And for the moment, only really
concerned with the question of privileges.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
More information about the devel
mailing list