On Mon, 2014-03-17 at 14:52 -0700, Adam Williamson wrote:
On Mon, 2014-03-17 at 13:10 +0100, Vratislav Podzimek wrote:
And to sum it up a bit -- I think this feature doesn't complicate things
for users who want to ignore it or who don't understand it. If you think
it does, please tell me
On Mon, Mar 17, 2014 at 02:52:43PM -0700, Adam Williamson wrote:
Well, I guess I'd better go read the docs.
reads docs
That was a clear, short and cogent explanation! I learned something, and
now I can continue!
I clearly didn't write that
On Tue, 2014-03-18 at 10:57 -0400, Eric H. Christensen wrote:
On Mon, Mar 17, 2014 at 02:52:43PM -0700, Adam Williamson wrote:
Well, I guess I'd better go read the docs.
reads docs
That was a clear, short and cogent explanation! I learned something, and
now I can continue!
I clearly
On Sun, 2014-03-16 at 22:05 -0400, Bill Nottingham wrote:
Vratislav Podzimek (vpodz...@redhat.com) said:
Thanks for your feedback, it definitely is constructive! I've recorded a
video preview demonstrating the feature's functionality. Hope that
answers at least some of your and others'
Thank you for the proposal, Bill.
- Original Message -
From: Bill Nottingham nott...@splat.cc
Vratislav Podzimek (vpodz...@redhat.com) said:
Thanks for your feedback, it definitely is constructive! I've recorded a
video preview demonstrating the feature's functionality. Hope that
Can you be more concrete which term(s) you don't understand? Maybe you are
right and the concept needs to be better explained / presented differently
prior wider adoption [**].
What is a Data stream? What is a Checklist? How do I know which ones
to pick?
Datastream is one of the format
- Original Message -
From: Chris Murphy li...@colorremedies.com
On Mar 14, 2014, at 1:06 PM, Eric H. Christensen spa...@fedoraproject.org
wrote:
On Fri, Mar 14, 2014 at 06:59:18PM +, Matthew Garrett wrote:
On Fri, Mar 14,
On Mon, 2014-03-17 at 13:10 +0100, Vratislav Podzimek wrote:
And to sum it up a bit -- I think this feature doesn't complicate things
for users who want to ignore it or who don't understand it. If you think
it does, please tell me about it and I'll do my best to fix it. On the
other hand, if
On Thu, 2014-03-13 at 13:38 -0400, David Malcolm wrote:
On Thu, 2014-03-13 at 15:27 +0100, Vratislav Podzimek wrote:
On Thu, 2014-03-13 at 09:00 -0400, Jan Lieskovsky wrote:
There are many known tips and tricks how to make a system more secure,
often
depending on the use case for
Vratislav Podzimek (vpodz...@redhat.com) said:
Thanks for your feedback, it definitely is constructive! I've recorded a
video preview demonstrating the feature's functionality. Hope that
answers at least some of your and others' questions.
https://vimeo.com/89243587
So, having watched the
- Original Message -
Existing NIST and Red Hat documentation on OpenSCAP says that it's for
enterprise-level Linux infrastructure. Is any Fedora 21 product targeted
mainly for enterprise deployment? Is OpenSCAP being retargeted for general
purpose level infrastructure. If so, will
Existing NIST and Red Hat documentation on OpenSCAP says that it's for
enterprise-level Linux infrastructure.
The possibilities of SCAP protocol:
[1] http://scap.nist.gov/
[2] http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf
[3]
- Original Message -
Existing NIST and Red Hat documentation on OpenSCAP says that it's for
enterprise-level Linux infrastructure. Is any Fedora 21 product targeted
mainly for enterprise deployment? Is OpenSCAP being retargeted for general
purpose level infrastructure. If
On Fri, Mar 14, 2014 at 05:05:28AM -0400, Jaroslav Reznik wrote:
- Original Message -
Existing NIST and Red Hat documentation on OpenSCAP says that it's for
enterprise-level Linux infrastructure. Is any Fedora 21 product targeted
On Fri, Mar 14, 2014 at 06:25:03AM -0400, Jan Lieskovsky wrote:
One hypothetical [*] scenario coming to my mind being the users might be
willing to provide customized policy content to Fedora installation. Let's
suppose the case there is a SCAP content for vulnerability checking (and
On Fri, Mar 14, 2014 at 09:25:16AM -0400, Eric H. Christensen wrote:
I disagree with this assessment. The workstation is exactly where much of
these hardening needs to take place. I can't see an installation that
wouldn't benefit from this feature.
If there's a default policy that would
Jan Lieskovsky (jlies...@redhat.com) said:
Is any Fedora 21 product targeted
mainly for enterprise deployment?
The vice versa view. Rather effort to use security configuration,
vulnerability and patch
management also in Fedora product(s) (provide necessary tools to allow it).
The
On Fri, Mar 14, 2014 at 06:25:03AM -0400, Jan Lieskovsky wrote:
One hypothetical [*] scenario coming to my mind being the users might be
willing to provide customized policy content to Fedora installation. Let's
suppose the case there is a SCAP content for vulnerability checking (and
Jan Lieskovsky (jlies...@redhat.com) said:
Is any Fedora 21 product targeted
mainly for enterprise deployment?
The vice versa view. Rather effort to use security configuration,
vulnerability and patch
management also in Fedora product(s) (provide necessary tools to allow it).
The
On Fri, 2014-03-14 at 11:22 -0400, Jan Lieskovsky wrote:
On Fri, Mar 14, 2014 at 06:25:03AM -0400, Jan Lieskovsky wrote:
One hypothetical [*] scenario coming to my mind being the users might be
willing to provide customized policy content to Fedora installation. Let's
suppose the
On Fri, Mar 14, 2014 at 09:25:16AM -0400, Eric H. Christensen wrote:
I disagree with this assessment. The workstation is exactly where much of
these hardening needs to take place. I can't see an installation that
wouldn't benefit from this feature.
If there's a default policy that
2014-03-14 16:03 GMT+01:00 Bill Nottingham nott...@splat.cc:
I'm looking at this from a different angle. Do we, out of the box in
anaconda, have a spoke for configuring SELinux policy specifics (or
downloading new policies)? Do we, out of the box in anaconda, have a spoke
for setting the F21
2014-03-14 17:01 GMT+01:00 Jan Lieskovsky jlies...@redhat.com:
Jan Lieskovsky (jlies...@redhat.com) said:
I'm looking at this from a different angle. Do we, out of the box in
anaconda, have a spoke for configuring SELinux policy specifics (or
downloading new policies)? Do we, out of
On Fri, Mar 14, 2014 at 12:38:59PM -0400, Jan Lieskovsky wrote:
I am afraid there isn't a default policy that would suit every possible
use case Fedora OS can be used at. Yes, there's something like common
understanding / agreement which technologies can be considered safe at
current level of
On Fri, Mar 14, 2014 at 03:00:20PM +, Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 09:25:16AM -0400, Eric H. Christensen wrote:
I disagree with this assessment. The workstation is exactly where much of
these hardening needs to take
On Friday, March 14, 2014 03:00:20 PM Matthew Garrett wrote:
I disagree with this assessment. The workstation is exactly where much of
these hardening needs to take place. I can't see an installation that
wouldn't benefit from this feature.
If there's a default policy that would make
On Fri, Mar 14, 2014 at 02:51:10PM -0400, Steve Grubb wrote:
On Friday, March 14, 2014 03:00:20 PM Matthew Garrett wrote:
If there's a default policy that would make sense for most workstation
users, we should just make that the default.
Right now there is just one policy. In the future
On Friday, March 14, 2014 06:53:42 PM Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 02:51:10PM -0400, Steve Grubb wrote:
On Friday, March 14, 2014 03:00:20 PM Matthew Garrett wrote:
If there's a default policy that would make sense for most workstation
users, we should just make that the
On Fri, Mar 14, 2014 at 02:57:33PM -0400, Steve Grubb wrote:
On Friday, March 14, 2014 06:53:42 PM Matthew Garrett wrote:
Having separate server, workstation and cloud products means we can
apply separate defaults without requiring user interaction. Beyond that,
why would an end user want
On Fri, Mar 14, 2014 at 12:38:59PM -0400, Jan Lieskovsky wrote:
On Fri, Mar 14, 2014 at 09:25:16AM -0400, Eric H. Christensen wrote:
I disagree with this assessment. The workstation is exactly where much of
these hardening needs to take
On Fri, Mar 14, 2014 at 06:59:18PM +, Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 02:57:33PM -0400, Steve Grubb wrote:
On Friday, March 14, 2014 06:53:42 PM Matthew Garrett wrote:
Having separate server, workstation and cloud products
On Fri, Mar 14, 2014 at 02:39:51PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 03:00:20PM +, Matthew Garrett wrote:
If there's a default policy that would make sense for most workstation
users, we should just make that the default. If there isn't, how are we
going to
On Fri, Mar 14, 2014 at 03:06:06PM -0400, Eric H. Christensen wrote:
You're making an assumption that I wouldn't want my personal box to be
hardened at install or that the enterprise has an automated way of
doing a deployments. Why make it harder to use the operating system
when a simpler
Miloslav Trmač (m...@volny.cz) said:
There are two ways to avoid this limitation and get better security: either
be a security expert or paranoid yourself (and in that case you don't need
anaconda's handholding), or have an expert (that you trust or have to
listen to) make an informed choice
On Fri, Mar 14, 2014 at 07:31:55PM +, Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 02:39:51PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 03:00:20PM +, Matthew Garrett wrote:
If there's a default policy that would make
On Fri, Mar 14, 2014 at 03:41:30PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 07:31:55PM +, Matthew Garrett wrote:
How does the average user make an informed decision about whether an
available security policy is appropriate for them?
I guess we'll have to describe the
Am 14.03.2014 20:31, schrieb Matthew Garrett:
On Fri, Mar 14, 2014 at 02:39:51PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 03:00:20PM +, Matthew Garrett wrote:
If there's a default policy that would make sense for most workstation
users, we should just make that the
2014-03-14 20:41 GMT+01:00 Bill Nottingham nott...@splat.cc:
Now take the general case of all interactive installs. If we accept that
the
end user, in general, does not have the expertise to decide on the details
of the security policy, how does exposing it in the installer in this way
help?
2014-03-14 20:47 GMT+01:00 Reindl Harald h.rei...@thelounge.net:
why is only the average user relevant?
how do users get advanced?
by notice things which sounds interesting, ignore them the
first time, use Google and doing the same again no longer
skip things
Offering the user to use
On Fri, Mar 14, 2014 at 08:51:08PM +0100, Miloslav Trmač wrote:
2014-03-14 20:47 GMT+01:00 Reindl Harald h.rei...@thelounge.net:
why is only the average user relevant?
how do users get advanced?
by notice things which sounds
On Fri, Mar 14, 2014 at 07:45:53PM +, Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 03:41:30PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 07:31:55PM +, Matthew Garrett wrote:
How does the average user make an informed
Am 14.03.2014 20:51, schrieb Miloslav Trmač:
2014-03-14 20:47 GMT+01:00 Reindl Harald h.rei...@thelounge.net
mailto:h.rei...@thelounge.net:
why is only the average user relevant?
how do users get advanced?
by notice things which sounds interesting, ignore them the
On Fri, Mar 14, 2014 at 03:56:47PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 07:45:53PM +, Matthew Garrett wrote:
The failure mode of making the wrong choice regarding an encrypted
partition or the default user being an administrator involves the system
*continuing to
On 14 March 2014 13:45, Matthew Garrett mj...@srcf.ucam.org wrote:
On Fri, Mar 14, 2014 at 03:41:30PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 07:31:55PM +, Matthew Garrett wrote:
How does the average user make an informed decision about whether an
available security
On Fri, Mar 14, 2014 at 08:01:53PM +, Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 03:56:47PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 07:45:53PM +, Matthew Garrett wrote:
The failure mode of making the wrong choice
On Mar 14, 2014, at 1:06 PM, Eric H. Christensen spa...@fedoraproject.org
wrote:
On Fri, Mar 14, 2014 at 06:59:18PM +, Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 02:57:33PM -0400, Steve Grubb wrote:
On Friday, March 14, 2014
On 14 March 2014 16:24, Eric H. Christensen spa...@fedoraproject.org wrote:
On Fri, Mar 14, 2014 at 08:01:53PM +, Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 03:56:47PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at
On Fri, Mar 14, 2014 at 06:24:36PM -0400, Eric H. Christensen wrote:
On Fri, Mar 14, 2014 at 08:01:53PM +, Matthew Garrett wrote:
If an incorrect choice means that the software the user wants to run
won't run, that's going to be a problem for the user. And we presumably
expect that
On Fri, Mar 14, 2014 at 04:25:48PM -0600, Chris Murphy wrote:
On Mar 14, 2014, at 1:06 PM, Eric H. Christensen spa...@fedoraproject.org
wrote:
On Fri, Mar 14, 2014 at 06:59:18PM +, Matthew Garrett wrote:
On Fri, Mar 14, 2014 at 02:57:33PM
= Proposed Self Contained Change: Security Policy In The Installer =
https://fedoraproject.org/wiki/Changes/SecurityPolicyInTheInstaller
Change owner(s): Vratislav Podzimek vpodz...@redhat.com
There are many known tips and tricks how to make a system more secure, often
depending on the use case
2014-03-13 11:29 GMT+01:00 Jaroslav Reznik jrez...@redhat.com:
There are many known tips and tricks how to make a system more secure,
often
depending on the use case for the system. With the OSCAP Anaconda Addon [1]
and the SCAP Security Guide [2] projects, we may allow users choosing a
There are many known tips and tricks how to make a system more secure, often
depending on the use case for the system. With the OSCAP Anaconda Addon [1]
and the SCAP Security Guide [2] projects, we may allow users choosing a
security policy for their newly installed system.
What is the
2014-03-13 12:47 GMT+01:00 Jan Lieskovsky jlies...@redhat.com:
There are many known tips and tricks how to make a system more secure,
often
depending on the use case for the system. With the OSCAP Anaconda Addon
[1]
and the SCAP Security Guide [2] projects, we may allow users choosing a
There are many known tips and tricks how to make a system more secure,
often
depending on the use case for the system. With the OSCAP Anaconda Addon [1]
and the SCAP Security Guide [2] projects, we may allow users choosing a
security policy for their newly installed system.
What is
On Thu, 2014-03-13 at 09:00 -0400, Jan Lieskovsky wrote:
There are many known tips and tricks how to make a system more secure,
often
depending on the use case for the system. With the OSCAP Anaconda Addon
[1]
and the SCAP Security Guide [2] projects, we may allow users choosing a
How would this alter the default user installation experience?
--
Matthew Garrett | mj...@srcf.ucam.org
On Thu, 2014-03-13 at 15:27 +0100, Vratislav Podzimek wrote:
On Thu, 2014-03-13 at 09:00 -0400, Jan Lieskovsky wrote:
There are many known tips and tricks how to make a system more secure,
often
depending on the use case for the system. With the OSCAP Anaconda Addon
[1]
and
How would this alter the default user installation experience?
Please have a look at the demo images / videos available at:
https://fedorahosted.org/oscap-anaconda-addon/wiki/Demos
Basically there would be one SECURITY section added (with
SECURITY PROFILE subsection) into the Anaconda's
On Thu, Mar 13, 2014 at 01:40:53PM -0400, Jan Lieskovsky wrote:
Of course, in the case they wouldn't like to configure any security
policy and use just vanilla Fedora installation, they can ignore
the security section, configure just those sections as configured
(required to be configured) now
On Thu, Mar 13, 2014 at 01:40:53PM -0400, Jan Lieskovsky wrote:
Of course, in the case they wouldn't like to configure any security
policy and use just vanilla Fedora installation, they can ignore
the security section, configure just those sections as configured
(required to be
On Thu, Mar 13, 2014 at 02:45:58PM -0400, Jan Lieskovsky wrote:
The demos seem to cover the case where there's already data provided
from the Kickstart file. What options are presented to the user if
there's no oscap entry in Kickstart? Is the user expected to provide a
path to download a
On Thu, 2014-03-13 at 14:45 -0400, Jan Lieskovsky wrote:
On Thu, Mar 13, 2014 at 01:40:53PM -0400, Jan Lieskovsky wrote:
Of course, in the case they wouldn't like to configure any security
policy and use just vanilla Fedora installation, they can ignore
the security section, configure
Existing NIST and Red Hat documentation on OpenSCAP says that it's for
enterprise-level Linux infrastructure. Is any Fedora 21 product targeted mainly
for enterprise deployment? Is OpenSCAP being retargeted for general purpose
level infrastructure. If so, will (or should) at least a
On Thu, Mar 13, 2014 at 04:40:01PM -0600, Chris Murphy wrote:
Existing NIST and Red Hat documentation on OpenSCAP says that it's for
enterprise-level Linux infrastructure. Is any Fedora 21 product targeted
mainly for enterprise deployment? Is