F21 Self Contained Change: Security Policy In The Installer

Jaroslav Reznik jreznik at redhat.com
Thu Mar 13 10:29:42 UTC 2014

= Proposed Self Contained Change: Security Policy In The Installer =

Change owner(s): Vratislav Podzimek <vpodzime at redhat.com>

There are many known tips and tricks for making a system more secure, often 
depending on the use case for the system. With the OSCAP Anaconda Addon [1] 
and the SCAP Security Guide [2] projects, we can allow users to choose a 
security policy for their newly installed system. 

== Detailed Description ==
The OSCAP Anaconda Addon is a project implementing an Anaconda installer addon 
that integrates the installer with the OpenSCAP toolkit to provide a nice UX when 
it comes to security policy application. Its kickstart and GUI support allow 
users to choose a security policy for the newly installed system in an easy and 
nicely scaling way. The SCAP Security Guide project, on the other hand, focuses 
on the development of so-called SCAP content for Fedora, RHEL and other projects. 
SCAP content is a set of XML files defining rules that should be followed by 
the system, together with checks and fixes used to check and fix the system's 
state. It also defines profiles selecting some of the rules (or groups of rules) 
targeting various use cases. 

== Scope ==
We are basically all set. Both OSCAP Anaconda Addon (OAA) and SCAP Security 
Guide (SSG) are packages that can be installed by lorax to the installation 
compose (distributed images). The addon is then detected and loaded by the 
installer and the SCAP content provided by the SSG is automatically detected 
and loaded by the addon.

Of course, a lot of future development is expected in both projects to 
provide additional features, but even the current state provides nice features 
and good UX.

* Proposal owners: Bug fixing of both the OAA and SSG is expected to be 
required, but there are no known major bugs. Further development, especially on 
the SSG side, may be required to provide more security policies for various 
products/spins/use cases.

* Release engineering: A few simple changes in the lorax templates will be 
needed to include the OAA and SSG in the installer images. Patches are 
already available and will be submitted to the lorax maintainer (Brian Lane), 
who has agreed to review and help with them. 

[1] https://fedorahosted.org/oscap-anaconda-addon/
[2] https://fedorahosted.org/scap-security-guide/
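
The Detailed Description above says SCAP content defines rules with checks and fixes, plus profiles that select rules or groups of rules. The following added example (not code from the OSCAP Anaconda Addon or the SCAP Security Guide) resolves which rules a profile enables in an XCCDF 1.2 benchmark; the sample document and all ids in it are constructed, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample content; ids are made up, not from the SCAP Security Guide.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_server">
    <select idref="xccdf_example_group_ssh" selected="true"/>
    <select idref="xccdf_example_rule_no_empty_passwords" selected="true"/>
    <select idref="xccdf_example_rule_ssh_banner" selected="false"/>
  </Profile>
  <Profile id="xccdf_example_profile_desktop">
    <select idref="xccdf_example_rule_no_empty_passwords" selected="true"/>
  </Profile>
  <Rule id="xccdf_example_rule_no_empty_passwords" selected="false">
    <fix system="urn:xccdf:fix:script:sh">echo constructed-fix</fix>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
  </Rule>
  <Group id="xccdf_example_group_ssh" selected="false">
    <Rule id="xccdf_example_rule_ssh_no_root_login" selected="true">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
    </Rule>
    <Rule id="xccdf_example_rule_ssh_banner" selected="true">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>
    </Rule>
  </Group>
</Benchmark>"""

def is_true(value):
    return value in ("true", "1")  # both xsd:boolean spellings of "true"

def rules_for_profile(xml_text, profile_id):
    """Return {rule_id: {"check": bool, "fix": bool}} for rules the profile enables."""
    root = ET.fromstring(xml_text)
    profile = next((p for p in root.findall("x:Profile", NS) if p.get("id") == profile_id), None)
    if profile is None:
        raise KeyError(profile_id)
    # The profile's <select> elements override each item's own default "selected" value.
    overrides = {s.get("idref"): is_true(s.get("selected")) for s in profile.findall("x:select", NS)}
    enabled = {}
    def walk(node, parents_on):
        for child in node:
            kind = child.tag.rsplit("}", 1)[-1]
            if kind not in ("Group", "Rule"):
                continue
            on = parents_on and overrides.get(child.get("id"), is_true(child.get("selected", "true")))
            if kind == "Group":
                walk(child, on)  # a deselected group disables every rule inside it
            elif on:  # record whether the enabled rule carries a check and a fix
                enabled[child.get("id")] = {"check": child.find("x:check", NS) is not None, "fix": child.find("x:fix", NS) is not None}
    walk(root, True)
    return enabled
```

A rule that is enabled with a check but no fix, such as the constructed `ssh_no_root_login` rule here, can be evaluated but not automatically remediated.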