F21 Self Contained Change: Security Policy In The Installer

Jan Lieskovsky jlieskov at redhat.com
Fri Mar 14 10:25:03 UTC 2014


> On Thu, Mar 13, 2014 at 02:45:58PM -0400, Jan Lieskovsky wrote:
> > > The demos seem to cover the case where there's already data provided
> > > from the Kickstart file. What options are presented to the user if
> > > there's no oscap entry in Kickstart? Is the user expected to provide a
> > > path to download a policy?
> > 
> > Yes, there are two ways to provide the policy - either via kickstart
> > or via the GUI by entering the HTTP / FTP URI [*] of the policy (in RPM
> > package format) and clicking the "Fetch data" button.
> 
> Ok. I'm kind of struggling to imagine the scenario where a user actually
> wants to do that. What's the use-case for providing UI rather than
> limiting deployment to Kickstart?

One hypothetical [*] scenario coming to my mind is that users might be
willing to provide customized policy content to a Fedora installation. Let's
suppose there is SCAP content for vulnerability checking (and for ensuring
some restrictions) for Fedora systems, something like what is done for the Red Hat Enterprise Linux case:
   https://www.redhat.com/security/data/metrics/

So once such content is there, the users might want to download those definitions,
create the format accepted by the OSCAP Anaconda Addon (tarball / RPM), and provide that
content to the new instance to be installed, without the need to use / understand
the kickstart format at all.

Since the SCAP protocol doesn't support just security configuration information, but
also, for example, patch management, the users might create their custom content
(ensuring some configuration / patch would be applied) in the form of a tarball / RPM
for the OSCAP Anaconda Addon, which would ensure that the patch is present on the installed
system (under the assumption that the provided content has the proper format).

The possibilities of the SCAP protocol:
  http://scap.nist.gov/

are not limited just to security configuration management (our security policy related
proposal is just one use case of what can be done with this technology).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

[*] hypothetical because such content does not exist (AFAICT) yet.

> 
> --
> Matthew Garrett | mjg59 at srcf.ucam.org
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct