Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-18 Thread Adam Williamson
On Tue, 2014-03-18 at 10:57 -0400, Eric H. Christensen wrote: > On Mon, Mar 17, 2014 at 02:52:43PM -0700, Adam Williamson wrote: > > "Well, I guess I'd better go read the docs." > > > > "That was a clear, short and cogent explanation! I learned something, and > > now I can continue!" > > I clearly

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-18 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Mon, Mar 17, 2014 at 02:52:43PM -0700, Adam Williamson wrote: > "Well, I guess I'd better go read the docs." > > "That was a clear, short and cogent explanation! I learned something, and > now I can continue!" I clearly didn't write that explaina

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-18 Thread Vratislav Podzimek
On Mon, 2014-03-17 at 14:52 -0700, Adam Williamson wrote: > On Mon, 2014-03-17 at 13:10 +0100, Vratislav Podzimek wrote: > > > And to sum it up a bit -- I think this feature doesn't complicate things > > for users who want to ignore it or who don't understand it. If you think > > it does, please t

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-17 Thread Adam Williamson
On Mon, 2014-03-17 at 13:10 +0100, Vratislav Podzimek wrote: > And to sum it up a bit -- I think this feature doesn't complicate things > for users who want to ignore it or who don't understand it. If you think > it does, please tell me about it and I'll do my best to fix it. On the > other hand,

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-17 Thread Jan Lieskovsky
- Original Message - > From: "Chris Murphy" > On Mar 14, 2014, at 1:06 PM, "Eric H. Christensen" > wrote: > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > > > > On Fri, Mar 14, 2014 at 06:59:18PM +, Matthew Garrett wrote: > >> On Fri, Mar 14, 2014 at 02:57:33PM -0400, Ste

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-17 Thread Jan Lieskovsky
> > Can you be more concrete which term(s) you don't understand? Maybe you are > > right and the concept needs to be better explained / presented differently > > prior wider adoption [**]. > > What is a "Data stream"? What is a "Checklist"? How do I know which ones > to pick? Datastream is one of

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-17 Thread Jan Lieskovsky
Thank you for the proposal, Bill. - Original Message - > From: "Bill Nottingham" > Vratislav Podzimek (vpodz...@redhat.com) said: > > Thanks for your feedback, it definitely is constructive! I've recorded a > > video preview demonstrating the feature's functionality. Hope that > > answers

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-17 Thread Vratislav Podzimek
On Sun, 2014-03-16 at 22:05 -0400, Bill Nottingham wrote: > Vratislav Podzimek (vpodz...@redhat.com) said: > > Thanks for your feedback, it definitely is constructive! I've recorded a > > video preview demonstrating the feature's functionality. Hope that > > answers at least some of your and others

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-16 Thread Bill Nottingham
Vratislav Podzimek (vpodz...@redhat.com) said: > Thanks for your feedback, it definitely is constructive! I've recorded a > video preview demonstrating the feature's functionality. Hope that > answers at least some of your and others' questions. > > https://vimeo.com/89243587 So, having watched t

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-16 Thread Vratislav Podzimek
On Thu, 2014-03-13 at 13:38 -0400, David Malcolm wrote: > On Thu, 2014-03-13 at 15:27 +0100, Vratislav Podzimek wrote: > > On Thu, 2014-03-13 at 09:00 -0400, Jan Lieskovsky wrote: > > > > > There are many known tips and tricks how to make a system more secure, > > > > > often > > > > > depending on

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 04:25:48PM -0600, Chris Murphy wrote: > On Mar 14, 2014, at 1:06 PM, "Eric H. Christensen" > wrote: > > On Fri, Mar 14, 2014 at 06:59:18PM +, Matthew Garrett wrote: > >> On Fri, Mar 14, 2014 at 02:57:33PM -0400, Steve Gr

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 06:24:36PM -0400, Eric H. Christensen wrote: > On Fri, Mar 14, 2014 at 08:01:53PM +, Matthew Garrett wrote: > > If an incorrect choice means that the software the user wants to run > > won't run, that's going to be a problem for the user. And we presumably > > expect t

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Stephen John Smoogen
On 14 March 2014 16:24, Eric H. Christensen wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On Fri, Mar 14, 2014 at 08:01:53PM +, Matthew Garrett wrote: > > On Fri, Mar 14, 2014 at 03:56:47PM -0400, Eric H. Christensen wrote: > > > On Fri, Mar 14, 2014 at 07:45:53PM +, Matth

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Chris Murphy
On Mar 14, 2014, at 1:06 PM, "Eric H. Christensen" wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On Fri, Mar 14, 2014 at 06:59:18PM +, Matthew Garrett wrote: >> On Fri, Mar 14, 2014 at 02:57:33PM -0400, Steve Grubb wrote: >>> On Friday, March 14, 2014 06:53:42 PM Matthew G

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 08:01:53PM +, Matthew Garrett wrote: > On Fri, Mar 14, 2014 at 03:56:47PM -0400, Eric H. Christensen wrote: > > On Fri, Mar 14, 2014 at 07:45:53PM +, Matthew Garrett wrote: > > > The failure mode of making the wrong ch

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Stephen John Smoogen
On 14 March 2014 13:45, Matthew Garrett wrote: > On Fri, Mar 14, 2014 at 03:41:30PM -0400, Eric H. Christensen wrote: > > On Fri, Mar 14, 2014 at 07:31:55PM +, Matthew Garrett wrote: > > > How does the average user make an informed decision about whether an > > > available security policy is

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 03:56:47PM -0400, Eric H. Christensen wrote: > On Fri, Mar 14, 2014 at 07:45:53PM +, Matthew Garrett wrote: > > The failure mode of making the wrong choice regarding an encrypted > > partition or the default user being an administrator involves the system > > *continui

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Reindl Harald
On 14.03.2014 20:51, Miloslav Trmač wrote: > 2014-03-14 20:47 GMT+01:00 Reindl Harald >: > > why is only the average user relevant? > > how do users get "advanced"? > by notice things which sounds interesting, ignore them the > first time, use

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 07:45:53PM +, Matthew Garrett wrote: > On Fri, Mar 14, 2014 at 03:41:30PM -0400, Eric H. Christensen wrote: > > On Fri, Mar 14, 2014 at 07:31:55PM +, Matthew Garrett wrote: > > > How does the average user make an infor

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 08:51:08PM +0100, Miloslav Trmač wrote: > 2014-03-14 20:47 GMT+01:00 Reindl Harald : > > > why is only the average user relevant? > > > > how do users get "advanced"? > > by notice things which sounds interesting, ignore th

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Miloslav Trmač
2014-03-14 20:47 GMT+01:00 Reindl Harald : > why is only the average user relevant? > > how do users get "advanced"? > by notice things which sounds interesting, ignore them the > first time, use Google and doing the same again no longer > skip things > Offering the user to use one of the pre-d

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Miloslav Trmač
2014-03-14 20:41 GMT+01:00 Bill Nottingham : > Now take the general case of all interactive installs. If we accept that > the > end user, in general, does not have the expertise to decide on the details > of the security policy, how does exposing it in the installer in this way > help? You'd need

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Reindl Harald
On 14.03.2014 20:31, Matthew Garrett wrote: > On Fri, Mar 14, 2014 at 02:39:51PM -0400, Eric H. Christensen wrote: >> On Fri, Mar 14, 2014 at 03:00:20PM +, Matthew Garrett wrote: >>> If there's a default policy that would make sense for most workstation >>> users, we should just make that t

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 03:41:30PM -0400, Eric H. Christensen wrote: > On Fri, Mar 14, 2014 at 07:31:55PM +, Matthew Garrett wrote: > > How does the average user make an informed decision about whether an > > available security policy is appropriate for them? > > I guess we'll have to describ

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 07:31:55PM +, Matthew Garrett wrote: > On Fri, Mar 14, 2014 at 02:39:51PM -0400, Eric H. Christensen wrote: > > On Fri, Mar 14, 2014 at 03:00:20PM +, Matthew Garrett wrote: > > > If there's a default policy that would

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Bill Nottingham
Miloslav Trmač (m...@volny.cz) said: > There are two ways to avoid this limitation and get better security: either > be a security expert or paranoid yourself (and in that case you don't need > anaconda's handholding), or have an expert (that you trust or have to > listen to) make an informed choi

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 03:06:06PM -0400, Eric H. Christensen wrote: > You're making an assumption that I wouldn't want my personal box to be > hardened at install or that the enterprise has an automated way of > doing a deployments. Why make it harder to use the operating system > when a simp

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 02:39:51PM -0400, Eric H. Christensen wrote: > On Fri, Mar 14, 2014 at 03:00:20PM +, Matthew Garrett wrote: > > If there's a default policy that would make sense for most workstation > > users, we should just make that the default. If there isn't, how are we > > going

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 06:59:18PM +, Matthew Garrett wrote: > On Fri, Mar 14, 2014 at 02:57:33PM -0400, Steve Grubb wrote: > > On Friday, March 14, 2014 06:53:42 PM Matthew Garrett wrote: > > > Having separate server, workstation and cloud produ

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 12:38:59PM -0400, Jan Lieskovsky wrote: > > On Fri, Mar 14, 2014 at 09:25:16AM -0400, Eric H. Christensen wrote: > > > > > I disagree with this assessment. The workstation is exactly where much of > > > these hardening needs

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 02:57:33PM -0400, Steve Grubb wrote: > On Friday, March 14, 2014 06:53:42 PM Matthew Garrett wrote: > > Having separate server, workstation and cloud products means we can > > apply separate defaults without requiring user interaction. Beyond that, > > why would an end user

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Steve Grubb
On Friday, March 14, 2014 06:53:42 PM Matthew Garrett wrote: > On Fri, Mar 14, 2014 at 02:51:10PM -0400, Steve Grubb wrote: > > On Friday, March 14, 2014 03:00:20 PM Matthew Garrett wrote: > > > If there's a default policy that would make sense for most workstation > > > users, we should just make

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 02:51:10PM -0400, Steve Grubb wrote: > On Friday, March 14, 2014 03:00:20 PM Matthew Garrett wrote: > > If there's a default policy that would make sense for most workstation > > users, we should just make that the default. > > Right now there is just one policy. In there

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Steve Grubb
On Friday, March 14, 2014 03:00:20 PM Matthew Garrett wrote: > > I disagree with this assessment. The workstation is exactly where much of > > these hardening needs to take place. I can't see an installation that > > wouldn't benefit from this feature. > > If there's a default policy that would m

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 03:00:20PM +, Matthew Garrett wrote: > On Fri, Mar 14, 2014 at 09:25:16AM -0400, Eric H. Christensen wrote: > > > I disagree with this assessment. The workstation is exactly where much of > > these hardening needs to ta

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 12:38:59PM -0400, Jan Lieskovsky wrote: > I am afraid there isn't a default policy that would suit every possible > use case Fedora OS can be used at. Yes, there's something like "common > understanding / agreement" which technologies can be considered safe at > current lev

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Miloslav Trmač
2014-03-14 17:01 GMT+01:00 Jan Lieskovsky : > > Jan Lieskovsky (jlies...@redhat.com) said: > > > > I'm looking at this from a different angle. Do we, out of the box in > > anaconda, have a spoke for configuring SELinux policy specifics (or > > downloading new policies)? Do we, out of the box in a

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Miloslav Trmač
2014-03-14 16:03 GMT+01:00 Bill Nottingham : > I'm looking at this from a different angle. Do we, out of the box in > anaconda, have a spoke for configuring SELinux policy specifics (or > downloading new policies)? Do we, out of the box in anaconda, have a spoke > for setting the F21 crypto polic

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Jan Lieskovsky
> On Fri, Mar 14, 2014 at 09:25:16AM -0400, Eric H. Christensen wrote: > > > I disagree with this assessment. The workstation is exactly where much of > > these hardening needs to take place. I can't see an installation that > > wouldn't benefit from this feature. > > If there's a default polic

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Adam Williamson
On Fri, 2014-03-14 at 11:22 -0400, Jan Lieskovsky wrote: > > On Fri, Mar 14, 2014 at 06:25:03AM -0400, Jan Lieskovsky wrote: > > > > > One hypothetical [*] scenario coming to my mind being the users might be > > > willing to provide customized policy content to Fedora installation. Let's > > > sup

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Jan Lieskovsky
> Jan Lieskovsky (jlies...@redhat.com) said: > > > Is any Fedora 21 product targeted > > > mainly for enterprise deployment? > > > > The vice versa view. Rather effort to use security configuration, > > vulnerability and patch > > management also in Fedora product(s) (provide necessary tools to al

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Jan Lieskovsky
> On Fri, Mar 14, 2014 at 06:25:03AM -0400, Jan Lieskovsky wrote: > > > One hypothetical [*] scenario coming to my mind being the users might be > > willing to provide customized policy content to Fedora installation. Let's > > suppose the case there is a SCAP content for vulnerability checking (a

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Bill Nottingham
Jan Lieskovsky (jlies...@redhat.com) said: > > Is any Fedora 21 product targeted > > mainly for enterprise deployment? > > The vice versa view. Rather effort to use security configuration, > vulnerability and patch > management also in Fedora product(s) (provide necessary tools to allow it). >

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 09:25:16AM -0400, Eric H. Christensen wrote: > I disagree with this assessment. The workstation is exactly where much of > these hardening needs to take place. I can't see an installation that > wouldn't benefit from this feature. If there's a default policy that would

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Matthew Garrett
On Fri, Mar 14, 2014 at 06:25:03AM -0400, Jan Lieskovsky wrote: > One hypothetical [*] scenario coming to my mind being the users might be > willing to provide customized policy content to Fedora installation. Let's > suppose the case there is a SCAP content for vulnerability checking (and > ensu

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Fri, Mar 14, 2014 at 05:05:28AM -0400, Jaroslav Reznik wrote: > - Original Message - > > > > > > Existing NIST and Red Hat documentation on OpenSCAP says that it's for > > enterprise-level Linux infrastructure. Is any Fedora 21 product t

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Jan Lieskovsky
> - Original Message - > > > > > > Existing NIST and Red Hat documentation on OpenSCAP says that it's for > > enterprise-level Linux infrastructure. Is any Fedora 21 product targeted > > mainly for enterprise deployment? Is OpenSCAP being retargeted for general > > purpose level infrastru

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Jan Lieskovsky
> Existing NIST and Red Hat documentation on OpenSCAP says that it's for > enterprise-level Linux infrastructure. The possibilities of SCAP protocol: [1] http://scap.nist.gov/ [2] http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf [3] http://en.wikipedia.org/wiki/Securit

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Jan Lieskovsky
> On Thu, Mar 13, 2014 at 02:45:58PM -0400, Jan Lieskovsky wrote: > > > The demos seem to cover the case where there's already data provided > > > from the Kickstart file. What options are presented to the user if > > > there's no oscap entry in Kickstart? Is the user expected to provide a > > > pa

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-14 Thread Jaroslav Reznik
- Original Message - > > > Existing NIST and Red Hat documentation on OpenSCAP says that it's for > enterprise-level Linux infrastructure. Is any Fedora 21 product targeted > mainly for enterprise deployment? Is OpenSCAP being retargeted for general > purpose level infrastructure? If so,

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Eric H. Christensen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Thu, Mar 13, 2014 at 04:40:01PM -0600, Chris Murphy wrote: > Existing NIST and Red Hat documentation on OpenSCAP says that it's for > enterprise-level Linux infrastructure. Is any Fedora 21 product targeted > mainly for enterprise deployment? Is

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Chris Murphy
Existing NIST and Red Hat documentation on OpenSCAP says that it's for enterprise-level Linux infrastructure. Is any Fedora 21 product targeted mainly for enterprise deployment? Is OpenSCAP being retargeted for general purpose level infrastructure? If so, will (or should) at least a significan

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Vratislav Podzimek
On Thu, 2014-03-13 at 14:45 -0400, Jan Lieskovsky wrote: > > On Thu, Mar 13, 2014 at 01:40:53PM -0400, Jan Lieskovsky wrote: > > > > > Of course, in the case they wouldn't like to configure any security > > > policy and use just vanilla Fedora installation, they can "ignore" > > > the security sect

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Matthew Garrett
On Thu, Mar 13, 2014 at 02:45:58PM -0400, Jan Lieskovsky wrote: > > The demos seem to cover the case where there's already data provided > > from the Kickstart file. What options are presented to the user if > > there's no oscap entry in Kickstart? Is the user expected to provide a > > path to down

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Jan Lieskovsky
> On Thu, Mar 13, 2014 at 01:40:53PM -0400, Jan Lieskovsky wrote: > > > Of course, in the case they wouldn't like to configure any security > > policy and use just vanilla Fedora installation, they can "ignore" > > the security section, configure just those sections as configured > > (required to b

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Matthew Garrett
On Thu, Mar 13, 2014 at 01:40:53PM -0400, Jan Lieskovsky wrote: > Of course, in the case they wouldn't like to configure any security > policy and use just vanilla Fedora installation, they can "ignore" > the security section, configure just those sections as configured > (required to be configured

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Jan Lieskovsky
> > How would this alter the default user installation experience? Please have a look at the demo images / videos available at: https://fedorahosted.org/oscap-anaconda-addon/wiki/Demos Basically there would be one "SECURITY" section added (with "SECURITY PROFILE" subsection) into the Anaconda'

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread David Malcolm
On Thu, 2014-03-13 at 15:27 +0100, Vratislav Podzimek wrote: > On Thu, 2014-03-13 at 09:00 -0400, Jan Lieskovsky wrote: > > > > There are many known tips and tricks how to make a system more secure, > > > > often > > > > depending on the use case for the system. With the OSCAP Anaconda Addon > > >

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Matthew Garrett
How would this alter the default user installation experience? -- Matthew Garrett | mj...@srcf.ucam.org -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Vratislav Podzimek
On Thu, 2014-03-13 at 09:00 -0400, Jan Lieskovsky wrote: > > > There are many known tips and tricks how to make a system more secure, > > > often > > > depending on the use case for the system. With the OSCAP Anaconda Addon > > > [1] > > > and the SCAP Security Guide [2] projects, we may allow use

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Jan Lieskovsky
> > There are many known tips and tricks how to make a system more secure, > > often > > depending on the use case for the system. With the OSCAP Anaconda Addon [1] > > and the SCAP Security Guide [2] projects, we may allow users choosing a > > security policy for their newly installed system. > >

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Miloslav Trmač
2014-03-13 12:47 GMT+01:00 Jan Lieskovsky : > > There are many known tips and tricks how to make a system more secure, > often > > depending on the use case for the system. With the OSCAP Anaconda Addon > [1] > > and the SCAP Security Guide [2] projects, we may allow users choosing a > > security

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Jan Lieskovsky
> There are many known tips and tricks how to make a system more secure, often > depending on the use case for the system. With the OSCAP Anaconda Addon [1] > and the SCAP Security Guide [2] projects, we may allow users choosing a > security policy for their newly installed system. > > What is the

Re: F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Miloslav Trmač
2014-03-13 11:29 GMT+01:00 Jaroslav Reznik : > There are many known tips and tricks how to make a system more secure, > often > depending on the use case for the system. With the OSCAP Anaconda Addon [1] > and the SCAP Security Guide [2] projects, we may allow users choosing a > security policy fo

F21 Self Contained Change: Security Policy In The Installer

2014-03-13 Thread Jaroslav Reznik
= Proposed Self Contained Change: Security Policy In The Installer = https://fedoraproject.org/wiki/Changes/SecurityPolicyInTheInstaller Change owner(s): Vratislav Podzimek There are many known tips and tricks how to make a system more secure, often depending on the use case for the system. Wit