Security testing: need for a security policy, and a security-critical package process

Gene Czarcinski gene at
Tue Dec 1 17:47:26 UTC 2009

On Monday 30 November 2009 18:16:50 Adam Williamson wrote:
> On Mon, 2009-11-30 at 15:17 -0500, Eric Christensen wrote:
> > Gene,
> > (Ahh... someone with a similar background...)
> >
> > So the biggest question, to me, is to what standard do we start?
> > There are plenty to choose from from DISA to NIST.  I, personally,
> > find the NSA's "Guide to the Secure Configuration of Red Hat
> > Enterprise Linux 5" very good and might be a good place to start.  I'm
> > not saying that we do everything that is in the guide but maybe take
> > the guide and strike things out that don't make sense and add stuff to
> > it that does make sense.
> Thanks for the thoughts, Gene and Eric. You seem to be running a long
> way ahead here :). I should probably say that I think I mistitled the
> thread: what I was really thinking about here is not 'security', but the
> more limited area of 'privilege escalation'. I'm not sure we're ready to
> bite off a comprehensive distro-wide security policy yet, to the extent
> you two are discussing.

But, you did say the right words for what is needed to do security QA and not 
just privilege escalation.

> Where I'm currently at is that I'm going to talk to some Red Hat /
> Fedora security folks about the issues raised in all the discussions
> about this, including this thread, and then file a ticket to ask FESco
> to look at the matter, possibly including a proposed policy if the
> security folks help come up with one. And for the moment, only really
> concerned with the question of privileges.
Start small with just privilege escalation and it can be grown to be something 
more comprehensive.  FESco is the right place to go and see what the project 
wants to do.

I suspect that most commercial and government customers will be interested in 
Red Hat Enterprise Linux rather than Fedora.  But, Fedora is the technology 
base on which future Red Hat Enterprise Linux releases are built.  The better 
Fedora is, the more confidence customers will have the the Red Hat product.


More information about the fedora-devel-list mailing list