F21 Self Contained Change: Security Policy In The Installer

[Jan Lieskovsky]

> > There are many known tips and tricks how to make a system more secure,
> > often
> > depending on the use case for the system. With the OSCAP Anaconda Addon [1]
> > and the SCAP Security Guide [2] projects, we may allow users choosing a
> > security policy for their newly installed system.
> > 
> > What is the proposed default configuration/policy?
> 
> FWIW WRT to scap-security-guide content there's only one (common) profile
> at the moment. But it depends on the target group / volume / spin we would
> like
> this to be by default part of -- once this is clear in that case the profile
> can
> be adjusted / modified to prefer / select by default just rules intended for
> the
> target group of that system
> 
> So, let me be more specific: If I install using the most default setup
> possible (not touching the policy spoke), will the installed system be
> affected by the policy / different from what is packaged in the RPMs?

No (by default AFAICT). But since there will be oscap-anaconda-addon present
in the compose / distro (if this proposal got approved), the user *before* /
*in the moment* of the install will have chance to select which profile the
installed system should be compliant to / in conformance with once installed.

But should their preference be not to change / configure anything, they will
still have chance to "ignore" the proposed "Security Profile" anaconda field,
and use vanilla Fedora installation (as there wouldn't be the proposed enhancement
present at all).

Vrata, pls correct me if / where appropriate.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> Mirek
> 
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct