Re: F21 Self Contained Change: Security Policy In The Installer

> On Thu, Mar 13, 2014 at 02:45:58PM -0400, Jan Lieskovsky wrote:
> > > The demos seem to cover the case where there's already data provided
> > > from the Kickstart file. What options are presented to the user if
> > > there's no oscap entry in Kickstart? Is the user expected to provide a
> > > path to download a policy?
> > 
> > Yes, there are two ways how to provide the policy - either via kickstart
> > or via GUI by entering the HTTP / FTP URI [*] of the policy (in RPM
> > package format) and clicking the "Fetch data" button.
> 
> Ok. I'm kind of struggling to imagine the scenario where a user actually
> wants to do that. What's the use-case for providing UI rather than
> limiting deployment to Kickstart?

One hypothetical [*] scenario coming to my mind is that users might be
willing to provide customized policy content to a Fedora installation. Let's
suppose there is SCAP content for vulnerability checking (and ensuring
some restrictions) for Fedora systems, something like what is done for the Red Hat Enterprise Linux case:
   https://www.redhat.com/security/data/metrics/

So once such content is there, users might want to download those definitions,
create the format accepted by the OSCAP Anaconda Addon (tarball / RPM), and provide that
content to the new instance to be installed without the need to use / understand
the kickstart format at all.

Since the SCAP protocol supports not just security configuration information, but
also, for example, patch management, users might create their custom content
(ensuring some configuration / patch would be applied) in the form of a tarball / RPM
for the OSCAP Anaconda Addon, which would satisfy that the patch is present on the installed
system (under the assumption that the provided content has the proper format).

The possibilities of the SCAP protocol:
  http://scap.nist.gov/

are not limited just to security configuration management (our security-policy-related
proposal is just one use case of what can be done with this technology).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

[*] hypothetical because no such content exists (AFAICT) yet.

> 
> --
> Matthew Garrett | mjg59@xxxxxxxxxxxxx
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct