
[rhelv5-list] certifiable

Edward F. Brown

2008-02-28

I've asked RedHat to respond through our support channel, but I'd like
to raise this issue here too, for discussion, and to see if others see
a need for a response by RedHat.

There are third-party 'benchmarks' or configuration guides for RHEL5
that are becoming standards, or mandates, at least for some government
sites. E.g.:
http://www.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.0.pdf
(requires registration to download)
or:
http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf

Each is over a hundred pages of configuration recommendations, from
the common sense (turn off services you don't need) to the
micro-managed and essentially arbitrary (chmod /etc/sysctl.conf from
0644 to 0600). Whether or not these documents induce a gag reflex,
compliance with some such configuration standard is becoming de rigueur
for some sites; how else to prove your system is securely set up?

So these are my questions:

- Are RedHat's "enterprise" operating systems insecure as shipped?
Is third-party expertise on how to secure RHEL systems necessary?

- Why isn't RedHat providing a certified secure OS installation?
Why aren't they working with CIS or other third-party 'authorities' to
either implement these security must-haves, or to educate the security
'experts' on what is appropriate? Or are they?

- To what degree are the so-called benchmarks arbitrary and unnecessary?

- What possibilities exist for breaking functionality, or voiding
RedHat support, if the benchmarks are implemented? What are the risks?

Anybody else similarly concerned, or have other perspectives?

-Ed

_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
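As an added illustration of what the benchmark items Ed describes actually boil down to, here is a small permission-audit script of the kind a site uses to prove compliance (an added example, not code from the post, the list, or the CIS/NSA guides). It takes "path expected-mode" pairs, compares them with the live file mode, and counts findings. It assumes GNU coreutils `stat` (`-c '%a'`); the expected mode for /etc/sysctl.conf is the 0600 value from the post, and the demo uses a constructed scratch file so nothing on the real system is modified.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal benchmark-style
# file-permission audit. Assumes GNU coreutils stat (-c '%a').

# check_mode FILE EXPECTED_OCTAL
# Prints one result line. Returns 0 when the mode matches the benchmark,
# 1 when it does not, 2 when the file is absent.
check_mode() {
    file=$1
    expected=$2
    if [ ! -e "$file" ]; then
        printf 'MISSING  %s\n' "$file"
        return 2
    fi
    actual=$(stat -c '%a' "$file")
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s mode %s\n' "$file" "$actual"
        return 0
    fi
    printf 'FINDING  %s mode %s, benchmark expects %s\n' "$file" "$actual" "$expected"
    return 1
}

# audit_modes reads "path expected-mode" pairs on stdin (blank lines and
# lines starting with # are ignored) and returns the number of findings,
# so 0 means every item checked is compliant.
audit_modes() {
    findings=0
    while read -r path mode; do
        [ -z "$path" ] && continue
        case $path in \#*) continue ;; esac
        check_mode "$path" "$mode" || findings=$((findings + 1))
    done
    return "$findings"
}

# Demo against a constructed scratch file: first as shipped (0644, one
# finding), then after the benchmark's chmod (0600, compliant). The real
# /etc/sysctl.conf line from the post is shown commented out.
demo() {
    tmp=$(mktemp)
    chmod 644 "$tmp"
    printf '# /etc/sysctl.conf 600\n%s 600\n' "$tmp" | audit_modes
    echo "findings before remediation: $?"
    chmod 600 "$tmp"
    printf '%s 600\n' "$tmp" | audit_modes
    echo "findings after remediation: $?"
    rm -f "$tmp"
}
```

Run `demo` to see the two passes; in practice the pairs would come from a checklist file derived from whichever benchmark the site has adopted, and the exit status feeds a compliance report.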
©2008 redhatconfig.com - Jax Systems, LLC, U.S.A.