F21 Self Contained Change: Security Policy In The Installer

Fri Mar 14 15:03:29 UTC 2014

Jan Lieskovsky (jlieskov at redhat.com) said: 
> > Is any Fedora 21 product targeted
> > mainly for enterprise deployment?
> 
> The vice versa view. Rather effort to use security configuration, vulnerability and patch
> management also in Fedora product(s) (provide necessary tools to allow it). The
> content itself will differ depending on the fact if it's used in enterprise-level
> or academic / personal-level (enterprise-level companies required their systems
> to meet the federal agencies standards for example etc.), but security hardening guides / tips
> are applicable to Fedora OS instances too (IOW you don't need to be an enterprise-level company
> to require / prefer system to be secured and have ways how to tune in various aspects
> of system's security). So this proposal is to provide such tools.
> 
> > Is OpenSCAP being retargeted for general
> > purpose level infrastructure.
> 
> Not sure it was ever dedicated / restricted to be enterprise-level only. From [3]:
> 
> "The Security Content Automation Protocol (SCAP), pronounced “ess-cap”, combines
> a number of open standards that are used to enumerate software flaws and configuration
> issues related to security ...  It is a method for using those open standards for
> automated vulnerability management, measurement, and policy compliance evaluation."
> 
> There's nothing about it being exclusive just to enterprise-level infrastructure
> (actually in contrast the open standards are highlighted couple of times above). Of course
> writing the content requires time & resources. So it's more likely enterprise-companies
> will have dedicated funds to support content creation of their needs. But the standard
> itself (AFAICT) doesn't enforce / allows it to be used in enterprise-level infrastructure only.
> 
> > If so, will (or should) at least a significant
> > minority, say 33%, of GUI installer using end-users make use of this
> > feature?
> 
> The answer depends how many Fedora users care about security of their Fedora systems and would
> be interested / willing to spend some time to harden it via the possibilities provided
> by this proposal.

I'm looking at this from a different angle. Do we, out of the box in
anaconda, have a spoke for configuring SELinux policy specifics (or
downloading new policies)?  Do we, out of the box in anaconda, have a spoke
for setting the F21 crypto policy feature, or password encryption
algorithms, or the firewall?

I think a similar level works here - I see no issues with support of this in
anaconda that's exposed in kickstart, or post-install support for easily
applying a policy that an organization might have.

But for the interactive install case, I think we're probably better served by
just choosing secure defaults rather than having a specific screen in the
installer for every user.

Bill