On Wed, Jul 9, 2008 at 12:28 PM, Ed Brown <[EMAIL PROTECTED]> wrote:
> Jay Turner wrote:
>>
>> What do people need/want in RHEL6?
>
> I know that 'it just works' is a measure for some of product maturity,
> especially in a desktop OS. But security is a high priority for many of
> your server enterprise OS customers, and the 'make-everything-easy' approach
> ends up making things hard, when your customers are having to individually
> 'reinvent the wheel' as it were, of securing RHEL.
>
> I suspect many of us would love to see a minimal, hardened installation
> option, or version, or channel or however it might be implemented, but
> out-of-the-gate it would substantially meet configuration 'guidelines' such
> as <http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf>. (or those from
> CIS, NIST, etc) "Guidelines" is in quotes, because these publications are
> becoming definitive about secure operation, and failing to implement some of
> the recommendations is right NOW being cited in security audit findings.
> Let your customers add and enable and configure just the functionality they
> need.
>

The big issue I found in dealing with these is that such guidelines are very site specific. DOD requirements are different from DOE requirements which are different from DHS. And then inside each area you have more changes required. Then you get to site level where the auditors will find that you didn't meet CIS at LANL but quote a conflicting NSA guideline at SNL. There is no way to satisfy both, and the 'default' is good enough for 80% of the market.

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams!
So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
