I've asked RedHat to respond through our support channel, but I'd like
to raise this issue here too, for discussion, and to see if others see
a need for a response by RedHat.
There are third-party 'benchmarks' or configuration guides for RHEL5
that are becoming standards, or mandates, at least for some government
sites. E.g.:
http://www.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.0.pdf
(requires registration to download)
or:
http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf
Each is over a hundred pages of configuration recommendations, from
the common sense (turn off services you don't need) to the
micro-managed and essentially arbitrary (chmod /etc/sysctl.conf from
0644 to 0600). Whether or not these documents induce a gag reflex,
compliance with some such configuration standard is becoming de rigueur
for some sites; how else to prove your system is securely set up?
So these are my questions:
- Are RedHat's "enterprise" operating systems insecure as shipped?
Is third-party expertise on how to secure RHEL systems necessary?
- Why isn't RedHat providing a certified secure OS installation?
Why aren't they working with CIS or other third-party 'authorities' to
either implement these security must-haves, or to educate the security
'experts' on what is appropriate? Or are they?
- To what degree are the so-called benchmarks arbitrary and unnecessary?
- What possibilities exist for breaking functionality, or voiding
RedHat support, if the benchmarks are implemented? What are the risks?
Anybody else similarly concerned, or have other perspectives?
-Ed
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
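Added example, not part of Ed's post and not taken from the CIS or NSA guides: a small POSIX shell audit that turns a guide item such as the /etc/sysctl.conf 0644 -> 0600 recommendation into a repeatable check with an exit status, which is the kind of evidence a site asking "how else to prove your system is securely set up?" can actually hand over. The file list inside main() is constructed for illustration; only the sysctl.conf entry comes from the post, the other paths and modes are assumptions to be replaced with the guide's own table.

```shell
#!/bin/sh
# Added example (not from the original post): a benchmark-style permission
# audit. Each line of the list is "PATH MODE"; the audit prints one line per
# file and returns the number of files that deviate from or lack the
# prescribed mode, so it can be run from cron or a change ticket and the
# result compared over time.

# mode_of FILE: print FILE's permission bits in octal, without a leading zero
# (GNU stat first, BSD stat as fallback). Caller guarantees FILE exists.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_mode FILE EXPECTED: return 0 if FILE's mode equals EXPECTED
# ("0600" and "600" are both accepted), 1 if it differs, 2 if FILE is absent.
check_mode() {
    [ -e "$1" ] || return 2
    want=$(printf '%s' "$2" | sed 's/^0*//')   # stat prints "600", not "0600"
    want=${want:-0}                             # "0000" -> "0"
    [ "$(mode_of "$1")" = "$want" ]
}

# audit: read "PATH MODE" lines on stdin (blank lines and '#' comments are
# skipped), report each file, and return the count of non-compliant files.
audit() {
    bad=0
    while read -r path mode; do
        case $path in ''|'#'*) continue ;; esac
        # "&& rc=0 || rc=$?" keeps a non-zero status from tripping set -e.
        check_mode "$path" "$mode" && rc=0 || rc=$?
        case $rc in
            0) echo "ok       $path $mode" ;;
            2) echo "MISSING  $path";                        bad=$((bad + 1)) ;;
            *) echo "DEVIATES $path is $(mode_of "$path"), guide says $mode"
               bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# main: audit a constructed list. Only the sysctl.conf line is the item quoted
# in the post; the other entries are assumptions, replace them with the table
# from the guide your site has adopted.
main() {
    audit <<'EOF'
# path                  mode
/etc/sysctl.conf        0600
/etc/passwd             0644
/etc/crontab            0600
EOF
}

# Run the audit and keep the deviation count in a variable rather than
# exiting, so the functions above can also be sourced into a larger script.
if main "$@"; then AUDIT_FAILURES=0; else AUDIT_FAILURES=$?; fi
echo "non-compliant files: $AUDIT_FAILURES"
```

Run it as root for a real audit (unprivileged users cannot stat everything a guide lists). The companion check for the sysctl.conf item is `sysctl -p` as root after the chmod: the boot scripts read that file as root, so tightening it to 0600 is harmless, and it is exactly the place where a guide item that really does break something would show up, which speaks to the "what are the risks" question above.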