Dear CentOS Development Team,
I am interested in starting a new SIG or merging with the ‘Hardening’ SIG; I didn’t find sufficient information about the hardening SIG. I have been on the mailing list for some years and I have noticed a number of concerns with regard to security, e.g. the default sshd_config, the GNOME user list and more.
My goal is to use the base and modify the OS with these changes and make it available for the CentOS community. I will mention this on the mailing list to get the community’s feedback so that they can have an opportunity to contribute and, more importantly, get an OS that meets their needs with regard to their security concerns.
I’m not too familiar with the CentOS build system; however, I have started to read up on it and practise to get a feel for things. Some of the things that I would like to change are as follows:
SSH: disable root login (uncomment 'PermitRootLogin' and change it to no); enable 'StrictModes'; modify 'MaxAuthTries'; modify 'ClientAliveInterval'; modify 'ClientAliveCountMax'
Gnome: disable the GNOME user list
Console: remove reboot, halt and poweroff from /etc/security/console.app
Looking forward to your response on how I can proceed with this.
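As an added illustration of the sshd_config part of that list (example code written for this page, not anything from the thread's authors; the numeric values in WANTED are assumptions, since the message says "modify" without naming them), a small Python audit that reports the value sshd would actually apply. The point it makes that the list alone does not: sshd honours the first occurrence of a keyword and ignores later duplicates, a commented-out line only documents the default, and a setting under a Match block is conditional, so a hardened value appended at the end of the file can silently fail to take effect.

```python
import re

# Hardened values for the directives listed in the thread. The numbers are
# assumptions for illustration (the message says "modify" without giving values).
WANTED = {"permitrootlogin": "no", "strictmodes": "yes", "maxauthtries": "4",
          "clientaliveinterval": "300", "clientalivecountmax": "0"}

def effective_settings(config_text: str) -> dict:
    """Value sshd would actually use per keyword. sshd takes the FIRST active
    occurrence and ignores later duplicates; commented-out lines only document
    the default and count as unset; lines under a Match block are conditional
    and are skipped (they never change the global setting)."""
    found, in_match = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            found.setdefault(key, value)  # first occurrence wins
    return found

def audit(config_text: str) -> list:
    """[(keyword, wanted, actual)] for each wanted directive that is unset
    or not at its hardened value."""
    got = effective_settings(config_text)
    return [(k, v, got.get(k, "(unset: sshd default applies)"))
            for k, v in WANTED.items() if got.get(k, "").lower() != v]

# Constructed sample resembling a stock sshd_config plus a careless edit:
# the hardened ClientAliveCountMax was appended AFTER an existing one.
SAMPLE = """\
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
ClientAliveInterval 300
ClientAliveCountMax 3
ClientAliveCountMax 0
Match User backup
    PermitRootLogin no
"""
```

Running `audit(SAMPLE)` flags PermitRootLogin, StrictModes and MaxAuthTries as unset and reports ClientAliveCountMax as 3, because the first line wins and the Match-scoped PermitRootLogin does not count globally.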
On 04/13/15 07:24, Earl A Ramirez wrote:
Dear CentOS Development Team,
I am interested in starting a new SIG or merging with the ‘Hardening’ SIG; I didn’t find sufficient information about the hardening SIG. I have been on the mailing list for some years and I have noticed a number of concerns with regard to security, e.g. the default sshd_config, the GNOME user list and more.
-- Kind Regards Earl Ramirez
Earl,
I'm in the same boat but different oar. I think we have a few folks interested in SIG Hardening.
Informal poll; who all is interested in SIG-Hardening? Speak up with your interests; let's see if there's enough to get more organized.
Leam
On 13 April 2015 at 07:55, Leam Hall leamhall@gmail.com wrote:
On 04/13/15 07:24, Earl A Ramirez wrote:
Dear CentOS Development Team,
I am interested in starting a new SIG or merging with the ‘Hardening’ SIG; I didn’t find sufficient information about the hardening SIG. I have been on the mailing list for some years and I have noticed a number of concerns with regard to security, e.g. the default sshd_config, the GNOME user list and more.
-- Kind Regards Earl Ramirez
Earl,
I'm in the same boat but different oar. I think we have a few folks interested in SIG Hardening.
Informal poll; who all is interested in SIG-Hardening? Speak up with your interests; let's see if there's enough to get more organized.
Leam
CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel
Leam,
Happy that we are in the same boat; hopefully we get more folks involved and the approval of a board member so that we can make this happen. I will shoot an email over to the general mailing list to see if anyone is interested in getting on board.
On Apr 13, 2015, at 6:45 AM, Earl A Ramirez earlaramirez@gmail.com wrote:
Leam,
Happy that we are in the same boat; hopefully we get more folks involved and the approval of a board member so that we can make this happen. I will shoot an email over to the general mailing list to see if anyone is interested in getting on board.
-- Kind Regards Earl Ramirez
I'm happy to throw my hat in the ring to help out. I just can't be the one coordinating things.
-- Corey
-----Original Message----- From: Earl A Ramirez Sent: Monday, April 13, 2015 7:24
Dear CentOS Development Team,
I am interested in starting a new SIG or merging with the 'Hardening' SIG; I didn't find sufficient information about the hardening SIG. I have been on the mailing list for some years and I have noticed a number of concerns with regard to security, e.g. the default sshd_config, the GNOME user list and more.
I have been patching/rebuilding RHEL/Centos RPMs to comply with the STIGs. This sounds interesting.
My goal is to use the base and modify the OS with these changes and make it available for the CentOS community. I will mention this on the mailing list to get the community's feedback so that they can have an opportunity to contribute and, more importantly, get an OS that meets their needs with regard to their security concerns.
I'm not too familiar with the CentOS build system; however, I have started to read up on it and practise to get a feel for things. Some of the things that I would like to change are as follows:
SSH: disable root login (uncomment 'PermitRootLogin' and change it to no); enable 'StrictModes'; modify 'MaxAuthTries'; modify 'ClientAliveInterval'; modify 'ClientAliveCountMax'
Gnome: disable the GNOME user list
Console: remove reboot, halt and poweroff from /etc/security/console.app
Looking forward to your response on how I can proceed with this.
--
Kind Regards Earl Ramirez
-- Jason Pyeron, Principal Consultant, PD Inc. http://www.pdinc.us
On Mon, Apr 13, 2015 at 9:33 AM, Jason Pyeron jpyeron@pdinc.us wrote:
I have been patching/rebuilding RHEL/Centos RPMs to comply with the STIGs. This sounds interesting.
Hey Jason! The stuff I'm working on is STIG compliance as well. I've done a lot of RHEL 6 scripts, Vincent Passaro did a lot of RHEL 5 ones, and the new project is pulling in those and Puppet content as well.
https://github.com/LeamHall/SecComFrame
Leam
On 13 April 2015 at 09:37, leam hall leamhall@gmail.com wrote:
On Mon, Apr 13, 2015 at 9:33 AM, Jason Pyeron jpyeron@pdinc.us wrote:
I have been patching/rebuilding RHEL/Centos RPMs to comply with the STIGs. This sounds interesting.
Hey Jason! The stuff I'm working on is STIG compliance as well. I've done a lot of RHEL 6 scripts, Vincent Passaro did a lot of RHEL 5 ones, and the new project is pulling in those and Puppet content as well.
https://github.com/LeamHall/SecComFrame
Leam
-- Mind on a Mission http://leamhall.blogspot.com/
This looks promising, do we need some sort of formal proposal to the CentOS board to get the ball rolling?
Corey, We will be happy to have your hat in; I think one of us can coordinate things.
On 04/13/2015 03:10 PM, Earl A Ramirez wrote:
This looks promising, do we need some sort of formal proposal to the CentOS board to get the ball rolling?
You will need someone to help with that process; I can do that if you are willing to wait till the first week of May.
Another thing I want to throw in, paraphrasing another conversation:
We should consider, for EL7, building everything (as far as possible) as PIE/RELRO, and swapping out dlmalloc in libc for something else (probably jemalloc). Perhaps also use -finit-local-vars (especially in the kernel) and -fwrapv.
Thoughts?
On Wed, Apr 22, 2015 at 9:55 AM, Karanbir Singh mail-lists@karan.org wrote:
On 04/13/2015 03:10 PM, Earl A Ramirez wrote:
This looks promising, do we need some sort of formal proposal to the CentOS board to get the ball rolling?
You will need someone to help with that process; I can do that if you are willing to wait till the first week of May.
I'm happy to wait, if we can move forward in decent time. What do you need from us?
Leam
On 04/22/2015 03:04 PM, leam hall wrote:
On Wed, Apr 22, 2015 at 9:55 AM, Karanbir Singh mail-lists@karan.org wrote:
On 04/13/2015 03:10 PM, Earl A Ramirez wrote:
This looks promising, do we need some sort of formal proposal to the CentOS board to get the ball rolling?
You will need someone to help with that process; I can do that if you are willing to wait till the first week of May.
I'm happy to wait, if we can move forward in decent time. What do you need from us?
We will need to work out a clear picture of what we intend to deliver, what the wider goal is going to be, what resources we need and who's going to be in and helping play the game (ideally, also a few things around how we can promote this effort etc.).
Maybe take a look at the already onboarding/onboarded SIG's proposals eg: http://wiki.centos.org/SpecialInterestGroup/Virtualization and http://wiki.centos.org/SpecialInterestGroup/Cloud
http://wiki.centos.org/SpecialInterestGroup/Hardending is likely where the proposal should end up. If you want, ask for write perms on that URL in the centos-docs list and feel free to start working on a draft if you like :)
On Wed, 2015-04-22 at 15:28 +0100, Karanbir Singh wrote:
On 04/22/2015 03:04 PM, leam hall wrote:
On Wed, Apr 22, 2015 at 9:55 AM, Karanbir Singh mail-lists@karan.org wrote:
On 04/13/2015 03:10 PM, Earl A Ramirez wrote:
This looks promising, do we need some sort of formal proposal to the CentOS board to get the ball rolling?
You will need someone to help with that process; I can do that if you are willing to wait till the first week of May.
I'm happy to wait, if we can move forward in decent time. What do you need from us?
We will need to work out a clear picture of what we intend to deliver, what the wider goal is going to be, what resources we need and who's going to be in and helping play the game (ideally, also a few things around how we can promote this effort etc.).
Maybe take a look at the already onboarding/onboarded SIG's proposals eg: http://wiki.centos.org/SpecialInterestGroup/Virtualization and http://wiki.centos.org/SpecialInterestGroup/Cloud
http://wiki.centos.org/SpecialInterestGroup/Hardending is likely where the proposal should end up. If you want, ask for write perms on that URL in the centos-docs list and feel free to start working on a draft if you like :)
I will start working on the draft in the meantime, and when the clear picture is worked out the wiki will be updated.
On Apr 22, 2015, at 7:55 AM, Karanbir Singh mail-lists@karan.org wrote:
On 04/13/2015 03:10 PM, Earl A Ramirez wrote:
This looks promising, do we need some sort of formal proposal to the CentOS board to get the ball rolling?
You will need someone to help with that process; I can do that if you are willing to wait till the first week of May.
Another thing I want to throw in, paraphrasing another conversation:
We should consider for EL7, building everything (as far as possible) as PIE/RELRO, swapping out dlmalloc in libc for something else (probably jemalloc). Perhaps also use -finit-local-vars (especially in the kernel) and -fwrapv.
Thoughts?
-- Karanbir Singh | http://www.karan.org/ | twitter.com/kbsingh | GnuPG Key: http://www.karan.org/publickey.asc
Is this for stock EL7 or would there be a whole new slew of rpm packages in a separate repo with these compile options that need to be maintained?
On 04/22/2015 03:06 PM, Corey Henderson wrote:
Is this for stock EL7 or would there be a whole new slew of rpm packages in a separate repo with these compile options that need to be maintained?
yeah, separate repo :)