Bill Nottingham wrote:
We're all for sensible security by default.
...
It would be nice, but my experience has been that people who spend
their time 'consulting' about things get upset when you tell them
that their snake oil is filled with crack.

Sorry, but 'sensible security' sounds too much like politico or salesman speak for "everything works out of the box!" While I share your contempt for some of the nonsense coming from industry security "experts", your reply seems to disregard a VERY common refrain on this list, and is out of touch with the realities facing at least some of your customers. Your own security guru, and only liaison, as far as I know, with the NSA and CIS guideline authors, praised the NSA guide for its quality and sheer volume (as if that were necessarily a good thing), at his Summit presentation on Securing RHEL. He went on to preface many of his suggestions with comments like "Almost everyone can safely remove ...", "You should disable ___ unless you have a specific need.", "This default configuration is only needed <in some unlikely edge case>"

Unless RedHat gets more involved in the preparation of the secure configuration guides, and/or publicly documenting their disagreements with specific recommendations, and implementing (or offering optional implementation, or extra tools to help implement) a more secure installation, then this burden will continue to be on your customers who care about these issues.

-Ed

_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
