On 14 March 2014 16:24, Eric H. Christensen <spa...@fedoraproject.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Fri, Mar 14, 2014 at 08:01:53PM +0000, Matthew Garrett wrote:
> > On Fri, Mar 14, 2014 at 03:56:47PM -0400, Eric H. Christensen wrote:
> > > On Fri, Mar 14, 2014 at 07:45:53PM +0000, Matthew Garrett wrote:
> > > > The failure mode of making the wrong choice regarding an encrypted
> > > > partition or the default user being an administrator involves the
> > > > system *continuing to work*. The failure mode of making the wrong
> > > > choice regarding security policy is that things you expect to work
> > > > mysteriously don't.
> > >
> > > What exactly do you think would be done with one of these policies?
> > > You seem to think that an incorrect choice will brick a system.
> >
> > If an incorrect choice means that the software the user wants to run
> > won't run, that's going to be a problem for the user. And we presumably
> > expect that some software won't run, because otherwise we'd be enabling
> > that security feature by default? A user who accidentally installs a
> > profile that enables FIPS compliance is going to have a bad time, for
> > instance.
>
> No, that's not exactly it.  I've pointed out reasons why defaults usually
> suck (security-wise).  I've yet to see a hardened system make software
> fail.  I'd love some examples of your concerns.  I also don't understand
> why FIPS compliance will make a user have a bad time since I've been on
> systems that were fully FIPS compliant and didn't have any problems.
>
>
You need to do more technical support :).

FIPS compliance can break all kinds of software because it limits what
algorithms you can use, and various software will be configured to use MD5
or some other algorithm which isn't FIPS allowed. This shows up a lot in
certain environments where they are mandated to run a program from 2001 and
also be FIPS compliant. [Or the HTTP certificate is signed with a cert that
uses MD5 or some other key.]

I have also had enough users who have run Bastille and turned everything on
and then have very unusable systems because the box now has no network, no
approved logins, no X, and is only listening on a serial port which does not
exist on the hardware. [This is not a dig at Bastille and other scripts.
They can be used to set up for specific security plans if you know what you
are doing... if not, you are using an atomic bomb to hunt voles in your
garden.]

I have to help people who have to run government-mandated scanners on their
networks but do things that make SELinux, even in permissive mode, stop
stuff. [Symantec back in 2008, from my email.]

Let us just say a lot can be broken depending on what security policy
you are setting things to. Most of the time it is going to be stuff we
don't ship or control...

-- 
Stephen J Smoogen.
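The MD5-under-FIPS failure mode described above, as an added illustration that is not part of the thread: a small audit of a constructed configuration against a digest allow-list (the list below is an assumption standing in for the actual FIPS module's security policy), plus the `usedforsecurity=False` escape hatch Python's hashlib offers for non-security checksum uses.

```python
import hashlib

# Assumed allow-list for this example: digests the FIPS provider exposes for
# security use. MD5 is deliberately absent. Check the real module's policy.
FIPS_APPROVED_DIGESTS = frozenset({
    "sha1", "sha224", "sha256", "sha384", "sha512",
    "sha512_224", "sha512_256",
    "sha3_224", "sha3_256", "sha3_384", "sha3_512",
})


def digest_allowed(name: str, fips_mode: bool) -> bool:
    """True if a security-relevant use of digest `name` works in this mode."""
    return (not fips_mode) or name.lower() in FIPS_APPROVED_DIGESTS


def audit_config(config: dict, fips_mode: bool) -> list:
    """Return the config keys whose configured digest would be rejected.

    `config` maps a setting name to the digest it is configured to use, e.g.
    {"password_hash": "md5", "tls_signature": "sha256"} (constructed sample).
    Anything returned here is software that will stop working, not merely
    warn, once FIPS mode is switched on.
    """
    return sorted(key for key, alg in config.items()
                  if not digest_allowed(alg, fips_mode))


def checksum(data: bytes, name: str = "md5") -> str:
    """Non-security use of a digest (file integrity tag, cache key).

    usedforsecurity=False (Python 3.9+) tells hashlib this is not a security
    use, so it keeps working on a FIPS-enabled host where a plain
    hashlib.md5() raises ValueError. Assumption: the host's OpenSSL still
    provides MD5 through its non-FIPS provider for such uses.
    """
    h = hashlib.new(name, usedforsecurity=False)
    h.update(data)
    return h.hexdigest()


if __name__ == "__main__":
    sample = {"password_hash": "md5", "tls_signature": "sha256"}
    print("breaks under FIPS:", audit_config(sample, fips_mode=True))
    print("md5 checksum of b'abc':", checksum(b"abc"))
```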
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
