On (30/09/15 09:38), Jakub Hrozek wrote:
>Hi,
>
>to help the OpenSCAP integration, I prepared a wiki page that contains
>options which have a security impact -- either positive (drop root) or
>negative (ignore certificate validation issues).
>
>I also tried to explain the effect of the options along with the
>description. There are some more items that can be included, but I
>wasn't sure about them myself, like:
>    * should obfuscated passwords be mentioned? I wasn't sure because on
>      one hand it really doesn't provide any benefit, on the other hand,
>      the option can be used to check a compliance box that requires no
>      passwords be stored in files..
>    * should the page warn against the
>      auth-option-that-shall-not-be-mentioned or politely deny its
>      existence? :-)
>    * What about fd_limit ? Should resource consumption be considered
>      a security property, especially if we already honor system default? I
>      think here the default is enough, so I didn't document that option.
>
>Please provide your comments or edit the wiki directly. Thanks!

What about:

       simple_deny_users (string)
           Comma separated list of users who are explicitly denied access.

       simple_deny_groups (string)
           Comma separated list of groups that are explicitly denied access.
           This applies only to groups within this SSSD domain. Local groups
           are not evaluated.

Whitelisting is much more secure than blacklisting.

LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
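
An added example, not part of the original thread or of SSSD itself: a compliance-style check that classifies each domain using the simple access provider by whether it relies on allow lists or only on the deny lists quoted above. The sample configuration, domain names and function names are constructed for illustration; the evaluation rule (any allow list means default deny, deny lists alone mean default allow) follows sssd-simple(5).

```python
import configparser

# Constructed sample sssd.conf (domain and user names are made up).
SAMPLE_CONF = """
[domain/allow.example]
access_provider = simple
simple_allow_groups = admins
simple_deny_users = mallory

[domain/deny.example]
access_provider = simple
simple_deny_users = mallory, trent

[domain/open.example]
access_provider = simple

[domain/ldap.example]
access_provider = ldap
"""

ALLOW_KEYS = ("simple_allow_users", "simple_allow_groups")
DENY_KEYS = ("simple_deny_users", "simple_deny_groups")


def _has_entries(section, keys):
    # An option counts as set only if it lists at least one non-empty name.
    return any(n.strip() for k in keys for n in section.get(k, "").split(","))


def audit_simple_access(conf_text):
    """Return {domain: finding} for domains with access_provider = simple."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for name in parser.sections():
        section = parser[name]
        if not name.startswith("domain/"):
            continue
        if section.get("access_provider", "").strip().lower() != "simple":
            continue  # other access providers are out of scope for this check
        if _has_entries(section, ALLOW_KEYS):
            findings[name] = "allow-list"      # everyone not listed is denied
        elif _has_entries(section, DENY_KEYS):
            findings[name] = "deny-list-only"  # everyone not listed is allowed
        else:
            findings[name] = "no-lists"        # access is granted to all users
    return findings
```

A scanner rule would typically treat "deny-list-only" and "no-lists" as findings and "allow-list" as passing.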
