7

I am exploring CentOS as a possibility for hosting a number of servers (mail, web, database, etc). Each machine will have a single purpose, and security is a priority.

At the first installation, I am confronted with this:

enter image description here

Information about these policies is here but it's a bit overwhelming. Also if you drill into it you see things like

To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed.

Presumably not all such things translate exactly to CentOS, but I'm an Ubuntu user so I don't really understand the extent of the equivalence.

It seems that these security profiles are created as a matter of legal compliance, audits, and business concerns foremost, rather than being defined strictly in terms of security itself.

What's the best option for "I'm not exactly sure what I'm doing just get but for now I want to be paranoid"?

As well as each server instance having a single function, they will be non-graphical terminals with ssh access.

spraff
  • 519
  • 4
  • 8
  • 18
  • 1
    You need to define your requirements more specifically. One can always be more paranoid and spend more time to customize SCAP (or SELinux) policy. Also, these services exist for the organizations needs, the business case absolutely drives these. Suddenly more people care about TLS when PCI requires the use of not broken implementations. – John Mahowald Sep 11 '16 at 22:20
  • The best option is "Experiment and [learn your way around what's going on](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Compliance_and_Vulnerability_Scanning.html) first, before you make a decision". Any choice other than "Default" here may leave you with a system you can't actually log in to, if you don't understand what the policy is doing. – Michael Hampton Sep 14 '16 at 02:11

3 Answers3

6

Just use the default policy with no rules. These policies are about reporting that certain configuration declarations exist and are not being violated, which is somewhat orthogonal to actual security concerns. Furthermore, use of them without understanding what they do will cause confusing behavior.

Jonah Benton
  • 1,242
  • 7
  • 13
1

Would like to add my bit of findings and what really helped me. Such options make most users feel paranoid. I was also searching for a direct explanation which is short and to the point. I came across this redHat-article

The article clearly says mentions the following :

Applying a security policy is not necessary on all systems. This screen should only be used when a specific policy is mandated by your organization rules or governemnt regulations.

I'm using the installation for my standalone use. These two sentences were enough to cure me of the paranoia. And I turned off the security policy and moved ahead with the next steps. No issues during or post-installation as of now.

Asif Kamran Malick
  • 111
  • 3
0

Yes, you need to know what are your requirements.

To add to discussion, an alternative to default policy, which won't do anything to your system, is to select Standard Profile. The aim of this profile is to check security and audit settings that improve security level of the system without being intrusive to practical usability.

Yuuma
  • 36
  • 2