On 09/30/2015 09:38 AM, Jakub Hrozek wrote:
Hi,

to help the OpenSCAP integration, I prepared a wiki page that contains
options which have a security impact -- either positive (drop root) or
negative (ignore certificate validation issues).

I also tried to explain the effect of the options along with the
description. There are some more items that can be included, but I
wasn't sure about them myself, like:
     * should obfuscated passwords be mentioned? I wasn't sure because on
       one hand it really doesn't provide any benefit, on the other hand,
       the option can be used to check a compliance box that requires no
       passwords be stored in files.
     * should the page warn against the
       auth-option-that-shall-not-be-mentioned or politely deny its
       existence? :-)
     * What about fd_limit? Should resource consumption be considered
       a security property, especially if we already honor system default? I
       think here the default is enough, so I didn't document that option.

Please provide your comments or edit the wiki directly. Thanks!
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel


Shouldn't we also mention the dreadful option
ldap_auth_disable_tls_never_use_in_production?

I know it's undocumented, but I suppose OpenSCAP should report its presence 
anyway.
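A check of the kind the reply asks for, as an added example that is not part of the original thread or of SSSD or OpenSCAP: it lists every section of an sssd.conf that sets ldap_auth_disable_tls_never_use_in_production. The sample configuration is constructed, and treating any value other than an explicit false as risky is an assumption made here.

```python
import configparser

# Option name as written in the thread above.
OPTION = "ldap_auth_disable_tls_never_use_in_production"

# Constructed sample configuration (not from a real host).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = corp, lab

[domain/corp]
id_provider = ldap
ldap_uri = ldap://ldap.corp.example
#ldap_auth_disable_tls_never_use_in_production = true

[domain/lab]
id_provider = ldap
ldap_uri = ldap://ldap.lab.example
ldap_auth_disable_tls_never_use_in_production = True
"""


def find_tls_disable(conf_text):
    """Return (section, raw_value, risky) for every section setting OPTION.

    Presence is always reported. 'risky' is True unless the value is an
    explicit 'false' (conservative assumption made for this example).
    Commented-out lines are skipped by the INI parser and not reported.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if parser.has_option(section, OPTION):
            raw = parser.get(section, OPTION).strip()
            findings.append((section, raw, raw.lower() != "false"))
    return findings


if __name__ == "__main__":
    for section, raw, risky in find_tls_disable(SAMPLE_CONF):
        state = "TLS protection disabled for auth" if risky else "present but set to false"
        print(f"[{section}] {OPTION} = {raw}: {state}")
```
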