On Wed, Sep 30, 2015 at 10:37:30AM +0200, Lukas Slebodnik wrote:
> On (30/09/15 09:38), Jakub Hrozek wrote:
> >Hi,
> >
> >to help the OpenSCAP integration, I prepared a wiki page that contains
> >options which have a security impact -- either positive (drop root) or
> >negative (ignore certificate validation issues).
> >
> >I also tried to explain the effect of the options along with the
> >description. There are some more items that can be included, but I
> >wasn't sure about them myself, like:
> >    * should obfuscated passwords be mentioned? I wasn't sure because on
> >      one hand it really doesn't provide any benefit, on the other hand,
> >      the option can be used to check a compliance box that requires no
> >      passwords be stored in files.
> >    * should the page warn against the
> >      auth-option-that-shall-not-be-mentioned or politely deny its
> >      existence? :-)
> >    * What about fd_limit? Should resource consumption be considered
> >      a security property, especially if we already honor system default? I
> >      think here the default is enough, so I didn't document that option.
> >
> >Please provide your comments or edit the wiki directly. Thanks!
>
> What about:
>
> simple_deny_users (string)
>     Comma separated list of users who are explicitly denied access.
>
> simple_deny_groups (string)
>     Comma separated list of groups that are explicitly denied access.
>     This applies only to groups within this SSSD domain. Local groups
>     are not evaluated.
>
> Whitelisting is much more secure than blacklisting.

Good idea, added:
https://fedorahosted.org/sssd/wiki/SecuritySensitiveOptions?action=diff&version=6&old_version=5
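A compliance check for the deny-list concern raised in this thread, as an added example that is not code from the thread or from the SSSD project. It assumes the simple access provider's documented evaluation (any allow list makes unlisted users denied; deny lists alone leave everyone else permitted); the domain names and members in the sample are constructed.

```python
import configparser

# Constructed sample sssd.conf; domain names and members are made up.
SAMPLE_CONF = """
[domain/corp.example]
access_provider = simple
simple_allow_groups = sysadmins, dbadmins
simple_deny_users = olduser

[domain/lab.example]
access_provider = simple
simple_deny_users = intern1, intern2

[domain/open.example]
access_provider = simple
"""

ALLOW_KEYS = ("simple_allow_users", "simple_allow_groups")
DENY_KEYS = ("simple_deny_users", "simple_deny_groups")

def _has_entries(section, keys):
    """True if any of the list options holds at least one non-empty name."""
    return any(n.strip() for k in keys for n in section.get(k, "").split(","))

def audit_simple_access(conf_text):
    """Return {domain: finding} for every domain using the simple provider."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for name in cp.sections():
        provider = cp[name].get("access_provider", "").strip().lower()
        if not name.startswith("domain/") or provider != "simple":
            continue
        domain = name[len("domain/"):]
        if _has_entries(cp[name], ALLOW_KEYS):
            findings[domain] = "allow-list"   # default deny for unlisted users
        elif _has_entries(cp[name], DENY_KEYS):
            findings[domain] = "deny-only"    # default allow: flag for review
        else:
            findings[domain] = "no-lists"     # nobody restricted: flag for review
    return findings

if __name__ == "__main__":
    for dom, finding in audit_simple_access(SAMPLE_CONF).items():
        print(f"{dom}: {finding}")
```

A scanner would report `deny-only` and `no-lists` domains as findings, since in both cases a newly created account gains access without any configuration change.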