Security Profiles

Support for security such as Firewalls and securing linux
DonTrustIm
Posts: 5
Joined: 2019/08/05 13:14:11

Security Profiles

Post by DonTrustIm » 2019/09/03 12:07:32

Guys, sorry if this has been asked before, but are you aware if you can apply the security profiles after you have installed the OS with the normal profile?

Nate

TrevorH
Forum Moderator
Posts: 27125
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Security Profiles

Post by TrevorH » 2019/09/03 13:17:13

It uses openscap to do the security profiles, so yes, it's possible. No idea how...
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

DonTrustIm
Posts: 5
Joined: 2019/08/05 13:14:11

Re: Security Profiles

Post by DonTrustIm » 2019/09/05 05:50:40

and this is a security hardening profile based on scap data?

DonTrustIm
Posts: 5
Joined: 2019/08/05 13:14:11

Re: Security Profiles

Post by DonTrustIm » 2019/10/01 13:58:32

does this actually apply the profile when selected on the installation screen or is it purely guidance?

ron7000
Posts: 123
Joined: 2019/01/15 20:00:28

Re: Security Profiles

Post by ron7000 » 2019/10/24 12:50:39

i sort of asked, and maybe not here but on stackexchange... how to find the details of the security profiles listed during system installation... what actually gets changed when choosing one of those security profiles?

- never found an answer or was able to find anything digging into the installation iso,

- never figured out how to access them after installation,

- and more than once had a [rhel] system tank after applying the stig profile; things on the surface seem normal but when user goes to run software that has worked in the past things fail and could not be figured out resulting in rebuild of system.

my opinion - if the specific details are not going to be published on those security profiles then they need to be removed and banned!

they cannot be left as black box mystery settings, they end up doing more harm than good.

> does this actually apply the profile when selected on the installation screen or is it purely guidance?

it modifies various things... password minimum length, password expiration days, many many other things. For a given security profile what is everything that it modifies? i have no idea

> and this is a security hardening profile based on scap data?

yes... SCAP = secure content automation protocol which I thought was more of a method and specifications than data. I have not been able to find that data making up those security profiles. Those profiles may as well be a virus or trojan horse... changes a bunch of things but you don't know what. I suspect there should be some [scap] benchmark scan (i.e. xml or xccdf file) for any of those profiles that you would run afterwards to validate the profile was applied... such as U_Red_Hat_Enterprise_Linux_7_V2R4_STIG.zip

ron7000
Posts: 123
Joined: 2019/01/15 20:00:28

Re: Security Profiles

Post by ron7000 » 2019/10/24 12:59:27

if you are a home user and see those security profiles and think...

oh cool security profile, apply automatically, equals good and better

the problem is you don't know what all gets modified and when many other things you normally take for granted don't work you're stuck not knowing how to undo whatever security settings were changed or applied preventing things from working.

KernelOops
Posts: 102
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Security Profiles

Post by KernelOops » 2019/10/25 09:10:21

the security profiles are quite easy to read and understand, they are openscap and you can find lots of documentation about it online. You may even proofread and study the changes made by the profiles, so you can pick and choose the right one, or even make your own custom profile.

Eventually, I took the most advanced profile and made my own ansible playbook based on it. It's what I've been using for production servers for many years and had great success in preventing compromises. Plus, the added bonus that I can pass all PCI certifications quite easily.

So yes, I highly recommend everyone serious about security to take a look at the profiles. After all, they don't do anything magical, they just enforce what is known as... common sense ;)
--
I love my computer - all my friends live there.
--

ron7000
Posts: 123
Joined: 2019/01/15 20:00:28

Re: Security Profiles

Post by ron7000 » 2019/10/28 15:34:46

https://docs.centos.org/en-US/centos/in ... Spoke-x86/
> The CentOS Project does not provide any verification, certification, or software assurance with respect to security for CentOS Linux. The Security Profiles provided in the CentOS Linux installers are a conversion of the ones included in RHEL Source Code. If certified / verified software that has guaranteed assurance is what you are looking for, then you likely do not want to use CentOS Linux.
my question: https://unix.stackexchange.com/question ... hel-centos
  • United States Government Configuration Baseline
  • Standard System Security Profile for RHEL 7
  • Criminal Justice Information Services (CJIS)
  • C2S for RHEL 7 {Commercial Cloud Services}
  • HIPAA
  • Unclassified Information in non-federal Information System Organizations (NIST 800-171)
  • DISA stig for RHEL 7
  • OSPP v4.2
  • PCI-DSS v3 control baseline for RHEL 7
  • Red Hat Corporate profile for certified cloud providers (RHCCP)

please tell me the contents of any one of these, and how you found and accessed its scap file containing that information.

I want to know what baseline system settings are going to be modified.

> So yes, I highly recommend everyone serious about security to take a look at the profiles.

How???
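
The thread's open question, what a given profile actually switches on, can be answered by reading the XCCDF content directly. The following is an added example, not part of any post above and not CentOS or OpenSCAP project code: it lists the rules a profile selects and the values it tunes, run here on a small constructed XCCDF 1.2 sample (all ids and titles are made up). It assumes the profile is already resolved (no `extends`) and ignores group-level selection.

```python
import xml.etree.ElementTree as ET

X = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed sample for illustration; not real scap-security-guide content.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_demo_benchmark_b">
  <Profile id="xccdf_demo_profile_strict">
    <title>Constructed strict profile</title>
    <select idref="xccdf_demo_rule_pw_minlen" selected="true"/>
    <select idref="xccdf_demo_rule_no_telnet" selected="true"/>
    <refine-value idref="xccdf_demo_value_minlen" selector="15"/>
  </Profile>
  <Value id="xccdf_demo_value_minlen">
    <value>8</value>
    <value selector="15">15</value>
  </Value>
  <Group id="xccdf_demo_group_all">
    <Rule id="xccdf_demo_rule_pw_minlen" selected="false" severity="medium"><title>Set minimum password length</title></Rule>
    <Rule id="xccdf_demo_rule_no_telnet" selected="false" severity="high"><title>Remove telnet-server</title></Rule>
    <Rule id="xccdf_demo_rule_banner" selected="false" severity="low"><title>Set login banner</title></Rule>
  </Group>
</Benchmark>"""


def profile_contents(xml_text, profile_id):
    """Return ([(rule_id, severity, title)], {value_id: chosen_value}) for a profile."""
    root = ET.fromstring(xml_text)
    # iter() walks all descendants, so rules nested in groups are found too.
    rules = {r.get("id"): r for r in root.iter(X + "Rule")}
    values = {v.get("id"): v for v in root.iter(X + "Value")}
    prof = next((p for p in root.iter(X + "Profile") if p.get("id") == profile_id), None)
    if prof is None:
        raise KeyError("no such profile: " + profile_id)
    selected = []
    for sel in prof.findall(X + "select"):
        rule = rules.get(sel.get("idref"))
        if sel.get("selected") == "true" and rule is not None:
            selected.append((rule.get("id"), rule.get("severity"),
                             rule.findtext(X + "title", "")))
    tuned = {}
    for ref in prof.findall(X + "refine-value"):
        val = values.get(ref.get("idref"))
        for v in ([] if val is None else val.findall(X + "value")):
            if v.get("selector") == ref.get("selector"):
                tuned[ref.get("idref")] = v.text  # value the profile enforces
    return selected, tuned


if __name__ == "__main__":
    for row in profile_contents(SAMPLE, "xccdf_demo_profile_strict")[0]:
        print(row)
```

To use it on real content, pass the text of the XCCDF or data-stream file installed with the SCAP content on your system (the thread does not give its location); `oscap info <file>` lists the profile ids it contains.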
