Hello Bruno, thank you for reaching out and checking with us!
----- Original Message -----
> From: "Bruno Wolff III" <[email protected]>
> To: [email protected]
> Sent: Wednesday, September 16, 2015 10:28:18 PM
> Subject: Why is Fedora xccdf missing so much compared to RHEL?
>
> I was looking at what is available for checks in Fedora compared to RHEL
> by using scap-workbench customization and found that Fedora was missing a
> lot, even when the test commands were available (e.g. yum check-update) in
> Fedora.

The SCAP content provided by SSG is split among multiple products (therefore it's partly a question of the resources we can dedicate in each release in order to improve the set of existing checks already provided for that product). Another point is prioritization. Due to the lack of feedback from the Fedora users community [1], we prioritize which checks should be added for Fedora in the next release according to the following scheme:

* system security settings first (e.g. password strength settings, SELinux policy settings, auditd settings, network configuration & firewall settings),
* then the most commonly used network services (checks for ntpd, sshd, httpd, sendmail / exim, snmpd, nfsd, nscd, named, or smbd would be here),
* then the checks for the rest of the available services or system settings (not that frequently used services or rare system settings would fall into this category).

The above scheme is based on the assumption that we first need to harden the underlying OS, then focus on services (sshd being an exception in this case). Another point is that we want the content to be universal (applicable regardless of the area of use of the target Fedora system). Therefore, instead of taking one concrete section (e.g. dedicated to database services) and finishing that one out first, we tend to add fewer rules, but into multiple sections. This is where further feedback from the Fedora users community (via downstream bugs or via upstream tickets) would be appreciated. For example, if we knew there were a lot of tickets requesting support for httpd service scans, we could prioritize that service before others in that release, etc.

> I can believe that doing CVE checks for Fedora would be a significant
> amount of ongoing work that no one might want to do, but most stuff that
> works in RHEL is probably available in Fedora.

Doing CVE checks (vulnerability assessment) and security hardening are two different things. In order to perform reliable "CVE checks" we would need to have an authorized and updated source of CVE OVAL definitions for Fedora. This topic (producing CVE content for Fedora) has been discussed a couple of times on various mailing lists already, without substantial movement / progress so far. It's partly because it's difficult to manage correctly (a lot of security updates for Fedora are available even before the official CVE id has been assigned to that security issue) on one hand, and partly because it requires a substantial amount of work to be done on a regular basis (all the new security updates issued would need to be converted into OVAL form). Another point is that doing a CVE scan of a Fedora system with incomplete data might lead to a "false sense of security" (the tool using incomplete data might claim the system is secure, when it actually wouldn't be). IMHO, rather than claiming this type of false statement about the security state of a particular system, it's better not to even try to scan that rule, and let Fedora community users keep their systems updated on a regular basis (IOW follow the recommendations from the Fedora Security Guide).

> And new stuff in Fedora
> that requires changes is likely to eventually show up in future RHEL
> versions and not be completely extra work.

We realize the importance of the Fedora product (it's not a "second-class citizen"). The vice versa approach is actually valid -- some time ago there was no security hardening content available for Fedora. We started its development based on the content available for Red Hat Enterprise Linux 6 systems at that moment. Gradually (in each release) we are improving it. It's taking time just due to the differences between RHEL-6 and Fedora systems (SystemV init scripts vs systemd at the very least / to mention some). We also need to modify the tools used for checks in order for them to be able to overcome / properly deal with those differences (IOW it's not just a question of porting some rule from RHEL-6 to Fedora).

What can be improved right away:

* if you are missing some rule / group of them for some system part (e.g. rules for httpd service, rules for databases, etc.), let us know about it by filing a bug (downstream or upstream), so we can adjust the prioritization.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

[1] P.S.: We are aware that the lack of feedback from the Fedora users community might be partly caused by insufficient SSG upstream presentation of the tool to these users, and we are already working on improving the status quo.

> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
