Security Policy In The Installer
There are many known tips and tricks how to make a system more secure, often depending on the use case for the system. With the OSCAP Anaconda Addon and the SCAP Security Guide projects, we may allow users choosing a security policy for their newly installed system.
- Name: Vratislav Podzimek
- Email: firstname.lastname@example.org
- Release notes owner:
- Targeted release: Fedora 21
- Last updated: March 12 2014
- Tracker bug: <will be assigned by the Wrangler>
The OSCAP Anaconda Addon is a project implementing an Anaconda installer addon integrating the installer with the OpenSCAP toolkit to provide nice UX when it comes to security policy application. Its kickstart and GUI support allows users choosing a security policy for the newly installed system in an easy and nicely scaling way. The SCAP Security Guide project on the other hand focuses on development of so-called SCAP content for Fedora, RHEL and other projects. A SCAP content is a set of XML files defining rules that should be followed by the system together with checks and fixes used to check and fix system's state. It also defines profiles selecting some of the rules (or groups of rules) targetting various use cases.
The following video preview demonstrates the feature: http://vimeo.com/89243587
Benefit to Fedora
With those two projects deployed in the installation images (composes) we may allow users easy way of choosing the security for their newly installed system as well as promote both of the projects, make them more visible and encourage community to participate on those projects (especially the content needs as most developers as possible). Easy and scaling application of a security policy for the newly installed system may make Fedora more popular choice for various use cases (cloud images, server deployments, etc.). Let Fedora take the lead on the way to a more secure IT world!
We are basically all set. Both OSCAP Anaconda Addon (OAA) and SCAP Security Guide (SSG) are packages that can be installed by lorax to the installation compose (distributed images). The addon is then detected and loaded by the installer and the SCAP content provided by the SSG is automatically detected and loaded by the addon.
Of course a lot of future development is expected in both of the projects to provide additional features, but even the current state provides nice features and good UX.
- Proposal owners:
Bug fixing of both the OAA and SSG is expected to be required, but there are no known major bugs. Further development especially on the SSG side may be requried to provide more security policies for various products/spins/use cases.
- Release engineering:
Few simple changes in the lorax templates will be needed to make the OAA and SSG included in the installer images. Patches are already available and will be submitted to the lorax maintainer (Brian Lane) who has agreed to review and help with them.
Upgrades are no longer done by the Anaconda installer so this feature doesn't affect upgrades in any way.
How To Test
There is a custom (unofficial) compose with both OAA and SSG included available at http://vpodzime.fedorapeople.org/oscap_ana_addon_boot_0.6_f21.iso.xz which is expected to be used for testing. No special HW is needed a boot ISO that can be easily and efficiently gotten with the following command
$ curl http://vpodzime.fedorapeople.org/oscap_ana_addon_boot_0.6_f21.iso.xz | unxz -T$(getconf _NPROCESSORS_ONLN) > oscap_addon_boot_0.6.iso
can be booted on a bare-metal or virtual machine. When installed with applying the security policy and some profile chosen, the installer checks and fixes the installed system at the end of the installation process. The results of the scan are then saved under the /root/ directory of the newly installed system.
Users will have an easy and scalable way of choosing a security policy for their systems. To not apply any security policy, they simply not select any security profile or use the switch to make the security policy not applied.
Only the few simple changes to lorax templates mentioned above will be needed (Brian Lane has agreed to review and help with them).
- Contingency mechanism: simply revert the lorax changes and not install the OAA and SSG to the installer images
- Contingency deadline: Fedora 21 Beta
- Serious malfunctions in the OAA may make the Anaconda installer broken, but that can be covered by testing and with an easy contingency plan shouldn't cause any harm to the release schedule(s).
The new functionality should be promoted in the release notes.