From Fedora Project Wiki
(add spaces around the pipe char to prevent interpreting it as part of the URL)
(Rejected by FESCo - please consider re-proposing as a kickstart-only feature)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Changes/SecurityPolicyInTheInstaller <!-- The name of your change proposal --> =
= Security Policy In The Installer <!-- The name of your change proposal --> =


== Summary ==
== Summary ==
Line 38: Line 38:
== Detailed Description ==
== Detailed Description ==
The [https://fedorahosted.org/oscap-anaconda-addon/ OSCAP Anaconda Addon] is a project implementing an Anaconda installer addon integrating the installer with the OpenSCAP toolkit to provide nice UX when it comes to security policy application. Its kickstart and GUI support allows users choosing a security policy for the newly installed system in an easy and nicely scaling way. The [https://fedorahosted.org/scap-security-guide/ SCAP Security Guide] project on the other hand focuses on development of so-called SCAP content for Fedora, RHEL and other projects. A SCAP content is a set of XML files defining rules that should be followed by the system together with checks and fixes used to check and fix system's state. It also defines profiles selecting some of the rules (or groups of rules) targetting various use cases.
The [https://fedorahosted.org/oscap-anaconda-addon/ OSCAP Anaconda Addon] is a project implementing an Anaconda installer addon integrating the installer with the OpenSCAP toolkit to provide nice UX when it comes to security policy application. Its kickstart and GUI support allows users choosing a security policy for the newly installed system in an easy and nicely scaling way. The [https://fedorahosted.org/scap-security-guide/ SCAP Security Guide] project on the other hand focuses on development of so-called SCAP content for Fedora, RHEL and other projects. A SCAP content is a set of XML files defining rules that should be followed by the system together with checks and fixes used to check and fix system's state. It also defines profiles selecting some of the rules (or groups of rules) targetting various use cases.
The following video preview demonstrates the feature:
http://vimeo.com/89243587


== Benefit to Fedora ==
== Benefit to Fedora ==
Line 55: Line 58:
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
* Release engineering:
* Release engineering:
Few simple changes in the ''lorax'' templates will be needed to make the OAA and SSG included in the installer images. Patches are already available and will be submitted to the lorax maintainers once this feature gets approved.
Few simple changes in the ''lorax'' templates will be needed to make the OAA and SSG included in the installer images. Patches are already available and will be submitted to the lorax maintainer ([[User:Bcl|Brian Lane]]) who has agreed to review and help with them.


<!--* Policies and guidelines: N/A (not a System Wide Change) REQUIRED FOR SYSTEM WIDE CHANGES -->
<!--* Policies and guidelines: N/A (not a System Wide Change) REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
<!-- Do the packaging guidelines or other documents need to be updated for this feature?  If so, does it need to happen before or after the implementation is done?  If a FPC ticket exists, add a link here. -->
== Upgrade/compatibility impact ==
== Upgrade/compatibility impact ==
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
Line 91: Line 93:
== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
Only the few simple changes to ''lorax'' templates mentioned above will be needed.
Only the few simple changes to ''lorax'' templates mentioned above will be needed ([[User:Bcl|Brian Lane]] has agreed to review and help with them).


== Contingency Plan ==
== Contingency Plan ==
Line 115: Line 117:
The new functionality should be promoted in the release notes.
The new functionality should be promoted in the release notes.


[[Category:ChangeReadyForWrangler]]
[[Category:ChangePageIncomplete]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Latest revision as of 09:40, 27 March 2014


Security Policy In The Installer

Summary

There are many known tips and tricks how to make a system more secure, often depending on the use case for the system. With the OSCAP Anaconda Addon and the SCAP Security Guide projects, we may allow users choosing a security policy for their newly installed system.

Owner

Current status

  • Targeted release: Fedora 21
  • Last updated: March 12 2014
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

The OSCAP Anaconda Addon is a project implementing an Anaconda installer addon integrating the installer with the OpenSCAP toolkit to provide nice UX when it comes to security policy application. Its kickstart and GUI support allows users choosing a security policy for the newly installed system in an easy and nicely scaling way. The SCAP Security Guide project on the other hand focuses on development of so-called SCAP content for Fedora, RHEL and other projects. A SCAP content is a set of XML files defining rules that should be followed by the system together with checks and fixes used to check and fix system's state. It also defines profiles selecting some of the rules (or groups of rules) targetting various use cases.

The following video preview demonstrates the feature: http://vimeo.com/89243587

Benefit to Fedora

With those two projects deployed in the installation images (composes) we may allow users easy way of choosing the security for their newly installed system as well as promote both of the projects, make them more visible and encourage community to participate on those projects (especially the content needs as most developers as possible). Easy and scaling application of a security policy for the newly installed system may make Fedora more popular choice for various use cases (cloud images, server deployments, etc.). Let Fedora take the lead on the way to a more secure IT world!

Scope

We are basically all set. Both OSCAP Anaconda Addon (OAA) and SCAP Security Guide (SSG) are packages that can be installed by lorax to the installation compose (distributed images). The addon is then detected and loaded by the installer and the SCAP content provided by the SSG is automatically detected and loaded by the addon.

Of course a lot of future development is expected in both of the projects to provide additional features, but even the current state provides nice features and good UX.

  • Proposal owners:

Bug fixing of both the OAA and SSG is expected to be required, but there are no known major bugs. Further development especially on the SSG side may be requried to provide more security policies for various products/spins/use cases.

  • Release engineering:

Few simple changes in the lorax templates will be needed to make the OAA and SSG included in the installer images. Patches are already available and will be submitted to the lorax maintainer (Brian Lane) who has agreed to review and help with them.

Upgrade/compatibility impact

Upgrades are no longer done by the Anaconda installer so this feature doesn't affect upgrades in any way.

How To Test

There is a custom (unofficial) compose with both OAA and SSG included available at http://vpodzime.fedorapeople.org/oscap_ana_addon_boot_0.6_f21.iso.xz which is expected to be used for testing. No special HW is needed a boot ISO that can be easily and efficiently gotten with the following command

$ curl http://vpodzime.fedorapeople.org/oscap_ana_addon_boot_0.6_f21.iso.xz | unxz -T$(getconf _NPROCESSORS_ONLN) > oscap_addon_boot_0.6.iso

can be booted on a bare-metal or virtual machine. When installed with applying the security policy and some profile chosen, the installer checks and fixes the installed system at the end of the installation process. The results of the scan are then saved under the /root/ directory of the newly installed system.

User Experience

Users will have an easy and scalable way of choosing a security policy for their systems. To not apply any security policy, they simply not select any security profile or use the switch to make the security policy not applied.

Dependencies

Only the few simple changes to lorax templates mentioned above will be needed (Brian Lane has agreed to review and help with them).

Contingency Plan

  • Contingency mechanism: simply revert the lorax changes and not install the OAA and SSG to the installer images
  • Contingency deadline: Fedora 21 Beta
  • Serious malfunctions in the OAA may make the Anaconda installer broken, but that can be covered by testing and with an easy contingency plan shouldn't cause any harm to the release schedule(s).

Documentation

Both OAA and SSG are properly documented on their project pages: OSCAP Anaconda Addon SCAP Security Guide

Release Notes

The new functionality should be promoted in the release notes.