>> - Are RedHat's "enterprise" operating systems insecure as shipped?

> No. For example, the sysctl.conf file doesn't really divulge any secret information. If you want to set the permissions to 0600, go right ahead. It won't hurt anything.
Steve,

The problem is that these publications aren't just helpful 'guides', they are becoming authoritative reference standards for securely configuring RHEL5, a mandate for some of your enterprise customers. Those lucky, autonomous sysadmins without oversight out there can pick and choose, but those of us with auditors and security plans to answer to are going to have to be able to say yeah, we've implemented XYZ-1.0. So it's not a question of whether I "want to" change permissions of sysctl.conf (or the daemon umask to 027 instead of 022, or the password policies in /etc/login.defs, or the default mount options in /etc/fstab, etc, etc, etc.). The CIS document is 138 pages, the NSA one is 170: there are many hundreds of such recommendations, none of them prefaced with "personal choice - you pick" (though a very few do say something like "if appropriate or possible").

You say you "didn't argue too much" when they wanted to recommend tighter permissions, but this is exactly my point: if RedHat doesn't argue the recommendations, or implement them, then it's up to your customers. Frankly, I think RedHat is giving away authority; it's like, "get your OS here, but CIS or the NSA will tell you how to securely configure it." These publications can be, and are, seen as ample evidence of, well, apparent incompetence or inability to adequately configure a secure OS by RedHat.

Your point about getting involved is well-taken, and actually this is an attempt at that. But what I'm asking is for RedHat to take primary responsibility here, relieve some of the burden (and it's considerable, even for sites with a configuration management infrastructure) from its customers. Ideally, this would involve having your own recognized, approved (and most importantly: appropriate for RHEL) secure configuration guide (and tools to implement?), or alternatively to have a published response to the others. If you believe it's of minimal value to change sysctl.conf to 0600, say so in writing.
And on and on. So that I can say I've done this and that, and trust my enterprise OS vendor on all of these, go read this document to see why. So I don't have to change literally hundreds of things after installing RedHat, or be on my own to defend a decision to go with RedHat's default setting. Is this unreasonable or unrealistic?

-Ed

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
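Added example, not part of Ed's message and not a Red Hat, CIS or NSA tool: the kind of small audit script a site has to write to answer "yes, we implemented XYZ" for the items the message names (sysctl.conf permissions, daemon umask 027, password ageing in /etc/login.defs, mount options in /etc/fstab). Each check takes a file path, so it runs here against constructed sample files rather than a live system. The thresholds it is called with (90 days for PASS_MAX_DAYS, nodev on /tmp) and the file name "functions" for the daemon umask are assumptions chosen for the example, not values quoted from the thread. It relies on GNU stat(1) and awk(1), as shipped on RHEL.

```shell
#!/bin/sh
# Added example (not from the rhelv5-list thread): audit functions for a few RHEL5
# hardening items. Thresholds and sample file names are assumptions for this example.

# 0 if FILE has no group/other permission bits set (e.g. mode 0600), 1 otherwise.
perm_owner_only() {
    mode=$(stat -c '%a' "$1") || return 1
    go=${mode#"${mode%??}"}          # last two octal digits: group and other
    [ "$go" = "00" ]
}

# 0 if FILE sets "umask VALUE" on an uncommented line, 1 otherwise.
umask_is() {
    grep -Eq "^[[:space:]]*umask[[:space:]]+0*$2([[:space:]]|\$)" "$1"
}

# 0 if PASS_MAX_DAYS in FILE is present and <= MAX, 1 otherwise.
pass_max_days_at_most() {
    awk -v max="$2" '$1 == "PASS_MAX_DAYS" { found = 1; if ($2 + 0 > max + 0) bad = 1 }
                     END { exit (found && !bad) ? 0 : 1 }' "$1"
}

# 0 if the fstab entry for MOUNTPOINT carries mount option OPT, 1 otherwise.
fstab_has_option() {
    awk -v mp="$2" -v opt="$3" '
        !/^[[:space:]]*#/ && $2 == mp {
            n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == opt) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# Constructed sample files (not taken from any real system) so the checks run offline.
SAMPLE_DIR=$(mktemp -d)
printf 'net.ipv4.ip_forward = 0\n' > "$SAMPLE_DIR/sysctl.conf"
chmod 600 "$SAMPLE_DIR/sysctl.conf"
printf '# daemon defaults\numask 027\n' > "$SAMPLE_DIR/functions"
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_LEN\t8\n' > "$SAMPLE_DIR/login.defs"
printf '/dev/sda1 / ext3 defaults 1 1\n/dev/sda2 /tmp ext3 nodev,nosuid,noexec 1 2\n' \
    > "$SAMPLE_DIR/fstab"

# Run every check against the sample files; return the number of failures (0 = all pass).
audit_sample() {
    fails=0
    perm_owner_only "$SAMPLE_DIR/sysctl.conf"        || { echo "FAIL sysctl.conf perms"; fails=$((fails+1)); }
    umask_is "$SAMPLE_DIR/functions" 027              || { echo "FAIL daemon umask";      fails=$((fails+1)); }
    pass_max_days_at_most "$SAMPLE_DIR/login.defs" 90 || { echo "FAIL PASS_MAX_DAYS";     fails=$((fails+1)); }
    fstab_has_option "$SAMPLE_DIR/fstab" /tmp nodev   || { echo "FAIL /tmp nodev";        fails=$((fails+1)); }
    return "$fails"
}

audit_sample && echo "all sample checks passed"
```

Pointing the same functions at the real /etc paths turns this into an evidence-producing audit for the few items above; the value of a vendor-published baseline is that the thresholds in such a script would then come from Red Hat rather than from each site's reading of a 138- or 170-page guide.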
