On Sun, 2008-12-07 at 14:29 -0900, Jeff Spaleta wrote: > On Sun, Dec 7, 2008 at 5:54 AM, Steve Grubb <sgrubb redhat com> wrote: > > Hope you find this informtion useful. > > Well it's certainly going to make for a more rational discussion. > > I still come back to one thing. Could the file permissions be > implemented differently so that CAPP compliance could be a system > install time choice, instead of being expressed in the configuration > of all installs? > > Sort of how we make it possible for people who care about LSB > compliance to be able to install the necessary bits without enforcing > compliance on everyone else. Just sort of, I'm not suggesting security > compliance and LSB compliance are anywhere close to the same thing in > scope. > > But what I am saying is that I'm not sure the restrictions and > assumptions behind the logic of CAPP makes a lot of sense for our > default target usecases. We don't currently have a server target for > example, and I'm not sure CAPP can be applied to something like a > laptop desktop case without warping spacetime. > > So taking a look at how CAPP compliance is handled now, could some of > the restrictions like the permissions be handled in a more modular > way? Could for example, things be changed so I could install a > specialized fedora-CAPP package at install time which tightens up > aspects of the system to bring it into CAPP compliance, instead of > expressing those restrictions in the defualt settings of all installs? Perhaps a bit like the 'bastille' hardening script? Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.
Description: This is a digitally signed message part