On 09/30/2015 09:38 AM, Jakub Hrozek wrote:
Hi,

to help the OpenSCAP integration, I prepared a wiki page that contains options which have a security impact -- either positive (drop root) or negative (ignore certificate validation issues). I also tried to explain the effect of the options along with the description.

There are some more items that can be included, but I wasn't sure about them myself, like:

* should obfuscated passwords be mentioned? I wasn't sure because on one hand it really doesn't provide any benefit, on the other hand, the option can be used to check a compliance box that requires no passwords be stored in files.
* should the page warn against the auth-option-that-shall-not-be-mentioned or politely deny its existence? :-)
* What about fd_limit? Should resource consumption be considered a security property, especially if we already honor system default? I think here the default is enough, so I didn't document that option.

Please provide your comments or edit the wiki directly.

Thanks!

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

I was thinking about the 'cached_auth_timeout' timeout. If it is misconfigured and set to a really long time, changes of passwords on the server would be ignored. I know that the same effect could be achieved by maintaining SSSD in offline mode... What do you think?
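
A compliance-style check for the caching concern raised in this thread, as an added example that is not part of the original messages or of SSSD: it flags domains whose `cached_auth_timeout` exceeds a threshold, and domains that cache credentials while offline logins never expire. The 300-second ceiling, the function name and the sample configuration are assumptions; `cache_credentials` and `offline_credentials_expiration` are sssd.conf options that the thread itself does not name.

```python
import configparser

MAX_CACHED_AUTH_TIMEOUT = 300  # assumed policy ceiling in seconds, not an SSSD default

# Constructed sample configuration; domain names are placeholders.
SAMPLE_CONF = """
[sssd]
domains = corp.example, lab.example, dev.example

[pam]
offline_credentials_expiration = 0

[domain/corp.example]
cache_credentials = true
cached_auth_timeout = 86400

[domain/lab.example]
cached_auth_timeout = 120

[domain/dev.example]
cached_auth_timeout = forever
"""

def audit_sssd_conf(text, max_timeout=MAX_CACHED_AUTH_TIMEOUT):
    """Return (section, option, reason) tuples for risky credential-cache settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    # 0 (the default) means offline logins from the cache never expire.
    offline_days = cp.get("pam", "offline_credentials_expiration", fallback="0").strip()
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        raw = cp.get(section, "cached_auth_timeout", fallback="0").strip()
        if not raw.isdecimal():
            findings.append((section, "cached_auth_timeout", f"not a non-negative integer: {raw!r}"))
        elif int(raw) > max_timeout:
            findings.append((section, "cached_auth_timeout", f"{raw}s exceeds {max_timeout}s"))
        caching = cp.get(section, "cache_credentials", fallback="false").strip().lower()
        if caching == "true" and offline_days == "0":
            findings.append((section, "cache_credentials", "offline logins never expire"))
    return findings

if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_CONF):
        print(*finding, sep=": ")
```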