Re: Security testing: need for a security policy, and a security-critical package process

[Eric Christensen <eric@xxxxxxxxxxxxxxxxxxx>]

On Tue, Dec 1, 2009 at 12:47, Gene Czarcinski <gene@xxxxxxxxx> wrote:

On Monday 30 November 2009 18:16:50 Adam Williamson wrote:

> Where I'm currently at is that I'm going to talk to some Red Hat /
> Fedora security folks about the issues raised in all the discussions
> about this, including this thread, and then file a ticket to ask FESco
> to look at the matter, possibly including a proposed policy if the
> security folks help come up with one. And for the moment, only really
> concerned with the question of privileges.
>

Start small with just privilege escalation and it can be grown to be something
more comprehensive.  FESco is the right place to go and see what the project
wants to do.

There is already a security policy in place.  It's not formalized nor is it written down but it's there.  It's the current posture of Fedora.  We set a root passphrase at the beginning of install and we give people the option of securing GRUB with a passphrase and encrypting the hard drive.  We also have the unwritten rule of user privileges.

It may be time to document our current posture to at least show where we are and the standard we expect all developers to live up to.   In the process of documenting you may find that we are lacking somewhere.

--Eric

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list