----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Saturday, October 4, 2014 1:08:55 AM
> Subject: Re: RHEL 7 Direction
>
> On 10/3/14, 3:31 PM, Crawford, Nicholas P CTR USARMY CERDEC (US) wrote:
> > Greetings,
> >
> > I had a couple of questions about the direction the RHEL 7 SSG will be
> > going;
> >
> > Particularly with the below new subsystems in 7;
> >
> > gconf vs dconf (GNOME 2 vs GNOME 3)
> > Has there been a decision on how to check and remediate with dconf?
> >
> > iptables vs firewalld
> > Has there been a decision on which method will go forward for
> > check / remediation?
> >
> > chrony vs ntpd
> > Has there been a decision on which to use and which will go
> > forward for check / remediation?
>
> Actually, there hasn't been much conversation on this. Thanks for
> starting the conversation!
>
> IMO, we should start with system defaults as first/primary goal, then
> enable secondary configs in future passes. aka, address firewalld first
> then iptables.
>
> If we're able to get both done at the same time, then great -- but focus
> should be on system default first.
>
> What does everyone think of such an approach?
+1 on this approach (on preferring the default packages / services in the
new RHEL-7 release to staying on the recommendations for the old[er]
version). Three aspects behind this reasoning:

* SSG users accustomed to using SSG guidance for old(er) RHEL versions
  might actually be more familiar with how to (securely) use the packages /
  services that were default in the old(er) RHEL versions. But where they
  are actually searching for guidance from us is how to securely configure
  these new defaults,

* it should be kept in mind that RHEL-7 content evolved from RHEL-6 content
  (as a copy), while RHEL-7 as a product evolved from the engineering /
  developer effort of the Fedora releases released into production between
  the RHEL-6 & RHEL-7 products. Therefore, as such, there's a natural gap /
  discrepancy (current RHEL-7 content is missing that evolution, the
  reflections & corresponding discussion that actually led Fedora /
  upstream developers to change these defaults),

* due to maintenance reasons it's not good to stay / continue to rely on
  old(er) RHEL product defaults. While it might be possible to overcome the
  maintenance burden related to this in the short term, it's definitely not
  a viable long-term support solution.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
