Re: Bastille on F10?
On Mon, 15 Dec 2008 09:19:57 -0500
Todd Denniston wrote:

> Certain paranoid (they are out to get us :) organizations have rules
> that indicate that: if certain capabilities of a computer system are
> not needed to accomplish the job assigned for that computer, then
> remove|block|disable|destroy that capability.

Sure. What sort of things does Bastille do that for these days?

> i.e., if the job does not need USB capability, remove USB capability
> from the OS or put hotglue in the ports.
>
> Bastille has been getting upgrades lately to check and set things in
> the Linux based OSs to the standards of some of those organizations,
> leaving the hardware available for use if the machine gets repurposed.

How does it do so? blacklisting modules? Removing them?
And how does it know which things you don't need/intend to use?
Asking the user?

kevin

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: Bastille on F10?
Kevin Fenzi wrote, On 12/13/2008 07:56 PM:

> On Thu, 11 Dec 2008 11:06:54 -0500
> david.c.mcguf...@saic.com ("McGuffey, David C.") wrote:
>
>> Anyone tested the Bastille hardening process on F10? In a few days
>> I'll be building an F10 box and plan to lock it down. Would be nice
>> to start with Bastille rather than having to keep tweaking old scripts.
>
> I have never been too clear about the reason for the existence of
> Bastille. If there are improvements to be made in Fedora's security out
> of the box, perhaps we could just make them?
>
> In any case if you have selinux enabled, apply updates in a timely
> manner and use a firewall you should be in pretty good shape.

Certain paranoid (they are out to get us :) organizations have rules that
indicate that: if certain capabilities of a computer system are not needed
to accomplish the job assigned for that computer, then
remove|block|disable|destroy that capability.

i.e., if the job does not need USB capability, remove USB capability from
the OS or put hotglue in the ports.

Bastille has been getting upgrades lately to check and set things in the
Linux based OSs to the standards of some of those organizations, leaving
the hardware available for use if the machine gets repurposed.

>> Dave McGuffey
>> Principal Information System Security Engineer // NSA-IEM, NSA-IAM
>> SAIC, IISBU, Columbia, MD
>
> kevin

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

Re: Bastille on F10?
On Thu, 11 Dec 2008 11:06:54 -0500
david.c.mcguf...@saic.com ("McGuffey, David C.") wrote:

> Anyone tested the Bastille hardening process on F10? In a few days
> I'll be building an F10 box and plan to lock it down. Would be nice
> to start with Bastille rather than having to keep tweaking old scripts.

I have never been too clear about the reason for the existence of
Bastille. If there are improvements to be made in Fedora's security out
of the box, perhaps we could just make them?

In any case if you have selinux enabled, apply updates in a timely
manner and use a firewall you should be in pretty good shape.

> Dave McGuffey
> Principal Information System Security Engineer // NSA-IEM, NSA-IAM
> SAIC, IISBU, Columbia, MD

kevin

Bastille on F10?
Anyone tested the Bastille hardening process on F10? In a few days I'll be
building an F10 box and plan to lock it down. Would be nice to start with
Bastille rather than having to keep tweaking old scripts.

Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD