Hello all,
I have been reviewing the progress of the Fedora project for over a year now. Honestly, I was a little reluctant to transition to another distribution. I had been a mainstay of SuSE since release 7.0; mainly because of the security oriented nature of the product(s).
Now that I've made the plunge and am loving it; I want to provide my services to the community where I can. Here goes my idea:
What about a documentation suite entitled --- Fedora Security Series?
Here's a brief vision statement.
The purpose of the series is to provide a security-related orientation of a great multitude of topics and how they relate to the Fedora distribution and its role in a network infrastructure.
For instance, the first couple topics that I would like to write would be: - Risk Assessment of a Fedora Core Installation Scheme - Risk Analysis of an Desktop Installation - Risk Analysis of an Server Installation - Policy Development in a Multiuser System - etc......
As you can see, the topics are sequential in structure. Which alleviates any issues due to end-user initiated problems.
i.e. in order to develop a complete operating system risk analysis and determine a control solution(s); you must first perform the risk assessment to determine probable threat agents, and safeguards
The intended audience would be Power-Users, and individuals with Information Technology experience. However, with a good content model it should be easily understood by the general user.
This series should be authored by individuals with relevant security experience. They don't need to be CISSP certified; just have first hand knowledge of the topic.
I am inclined to get the series started in the right direction; so I would like to write the first few topics for a good base. Then it's up to the community!
These should all be included in a series of related themes.
I can start the first topic as soon as the community accepts the idea. I personally think this is great idea (of source I would!); but don't want to work on this idea; if it undermines the ideas of other team members.
Thank you for your time. Thomas Jones
Hi Thomas,
You don't need any approval from anyone - if it is something you are excited about, just go ahead and do it! :-) If turns out to be valuable to others, that will be self-evident when you publicize the results of your writing to the Fedora community.
As far as continuing the project goes, I'm not sure how many people out there would be willing to do the work besides yourself (it's not just something you can drop on people's laps and expect them to keep maintaining). But don't let that stop you from taking on the challenge and seeing where things go - there's little downside :)
Good luck, -- Elliot
On Wed, 27 Apr 2005, Thomas Jones wrote:
What about a documentation suite entitled --- Fedora Security Series?
Here's a brief vision statement.
The purpose of the series is to provide a security-related orientation of a great multitude of topics and how they relate to the Fedora distribution and its role in a network infrastructure.
For instance, the first couple topics that I would like to write would be:
- Risk Assessment of a Fedora Core Installation Scheme
- Risk Analysis of an Desktop Installation
- Risk Analysis of an Server Installation
- Policy Development in a Multiuser System
- etc......
As you can see, the topics are sequential in structure. Which alleviates any issues due to end-user initiated problems.
i.e. in order to develop a complete operating system risk analysis and determine a control solution(s); you must first perform the risk assessment to determine probable threat agents, and safeguards
The intended audience would be Power-Users, and individuals with Information Technology experience. However, with a good content model it should be easily understood by the general user.
This series should be authored by individuals with relevant security experience. They don't need to be CISSP certified; just have first hand knowledge of the topic.
I am inclined to get the series started in the right direction; so I would like to write the first few topics for a good base. Then it's up to the community!
These should all be included in a series of related themes.
I can start the first topic as soon as the community accepts the idea. I personally think this is great idea (of source I would!); but don't want to work on this idea; if it undermines the ideas of other team members.
Elliot Lee wrote:
Hi Thomas,
You don't need any approval from anyone - if it is something you are excited about, just go ahead and do it! :-) If turns out to be valuable to others, that will be self-evident when you publicize the results of your writing to the Fedora community.
As far as continuing the project goes, I'm not sure how many people out there would be willing to do the work besides yourself (it's not just something you can drop on people's laps and expect them to keep maintaining). But don't let that stop you from taking on the challenge and seeing where things go - there's little downside :)
Good luck, -- Elliot
<snip>
Thanks for the words of encouragement Elliot!
I didn't mean to convey that I would just 'drop the series'. I just don't want to step on any toes given my short time writing for the Fedora project.
Actually, I am fine with sole authorship. I just wanted to provide the idea and bounce it around for comments.
If no objections, i'll start working up a document structure tomorrow.
Thanks again and I look forward to working with you. Thomas
On Wed, 2005-04-27 at 18:54 -0500, Thomas Jones wrote:
I didn't mean to convey that I would just 'drop the series'. I just don't want to step on any toes given my short time writing for the Fedora project.
You're doing great, thanks.
This morning (err ... yesterday morning by the time I am sending this), I was contemplating asking you to do a technical edit of tuxxer's Hardening Guide:
http://www.redhat.com/archives/fedora-docs-list/2005-April/msg00299.html
I'm outclassed in this particular area, somewhat. It would also give you a chance to become familiar with the other security doc in the works. It doesn't seem to me that your idea and this guide are mutually exclusive.
As far as your idea in general, it sounds like a very good one. I've envisioned sets of Fedora docs tied together by common theme. It would be an awesome service to the community to have proper Fedora security guidelines and practices.
It also sounds as if your ideas are generic enough to be easier to maintain across versions of Fedora Core. In other words, the ideas are timeless, and the documents don't necessarily contain procedures or formulas that need updating. That sort of work would happen in docs such as the Hardening Guide, SELinux Apache tutorial, etc. Have I interpreted this correctly?
Actually, I am fine with sole authorship. I just wanted to provide the idea and bounce it around for comments.
If no objections, i'll start working up a document structure tomorrow.
Thanks again and I look forward to working with you.
Sounds good, looking forward over here as well.
- Karsten
On Wed, 27 Apr 2005, Thomas Jones wrote:
What about a documentation suite entitled --- Fedora Security Series?
Here's a brief vision statement.
The purpose of the series is to provide a security-related orientation of a great multitude of topics and how they relate to the Fedora distribution and its role in a network infrastructure.
For instance, the first couple topics that I would like to write would be:
- Risk Assessment of a Fedora Core Installation Scheme
- Risk Analysis of an Desktop Installation
- Risk Analysis of an Server Installation
- Policy Development in a Multiuser System
- etc......
As you can see, the topics are sequential in structure. Which alleviates any issues due to end-user initiated problems.
i.e. in order to develop a complete operating system risk analysis and determine a control solution(s); you must first perform the risk assessment to determine probable threat agents, and safeguards
The intended audience would be Power-Users, and individuals with Information Technology experience. However, with a good content model it should be easily understood by the general user.
This series should be authored by individuals with relevant security experience. They don't need to be CISSP certified; just have first hand knowledge of the topic.
I am inclined to get the series started in the right direction; so I would like to write the first few topics for a good base. Then it's up to the community!
These should all be included in a series of related themes.
I can start the first topic as soon as the community accepts the idea. I personally think this is great idea (of source I would!); but don't want to work on this idea; if it undermines the ideas of other team members.
On Wed, 2005-04-27 at 19:28 -0400, Elliot Lee wrote:
You don't need any approval from anyone - if it is something you are excited about, just go ahead and do it! :-) If turns out to be valuable to others, that will be self-evident when you publicize the results of your writing to the Fedora community.
As far as continuing the project goes, I'm not sure how many people out there would be willing to do the work besides yourself (it's not just something you can drop on people's laps and expect them to keep maintaining). But don't let that stop you from taking on the challenge and seeing where things go - there's little downside :)
Charles Heselton (tuxxer) on this list has begun a "Fedora Hardening" tutorial with which you might be inclined to assist. He is working on at least a couple documents, and may appreciate the help! I think having a team of security writers would be a great thing, provided the work can be scoped to do the following:
(1) accommodate frequent maintenance based on Fedora Core's rapid release schedule;
(2) be Fedora-specific enough to give value over some of the other more standardized security guides; and
(3) survive contributor churn.
Regardless of whether you choose to work on the Fedora Hardening document, why don't you choose one of the topics you list for a tutorial (article format), and begin with a barebones draft. That would be a great way to introduce your vision for the series. Once you're happy enough with it to bring it on-list, just post a link for comments.
You will probably want to read the current Quick Start Guide:
http://fedora.redhat.com/participate/documentation-quick-start/
There's a bit of dust while we make building improvements, but this should help you get your feet wet. (Pardon the mixed metaphor, I have to go put the kids to bed!) Thanks, and we're looking forward to your participation.
Paul W. Frields wrote:
(2) be Fedora-specific enough to give value over some of the other more standardized security guides; and
What are these "standardized security guides"?
On Fri, 2005-04-29 at 20:56 +0100, Timothy Murphy wrote:
Paul W. Frields wrote:
(2) be Fedora-specific enough to give value over some of the other more standardized security guides; and
What are these "standardized security guides"?
I think he's talking about the general, high-level stuff you might get if you googled "linux security" or something.
-Charlie
On Fri, 2005-04-29 at 13:21 -0700, tuxxer wrote:
On Fri, 2005-04-29 at 20:56 +0100, Timothy Murphy wrote:
Paul W. Frields wrote:
(2) be Fedora-specific enough to give value over some of the other more standardized security guides; and
What are these "standardized security guides"?
I think he's talking about the general, high-level stuff you might get if you googled "linux security" or something.
Sure, but also things like "Practical UNIX and Internet Security, "Computer Security: Art & Science," Gollmann's "Computer Security," and such.
Paul W. Frields wrote:
On Fri, 2005-04-29 at 13:21 -0700, tuxxer wrote:
On Fri, 2005-04-29 at 20:56 +0100, Timothy Murphy wrote:
Paul W. Frields wrote:
(2) be Fedora-specific enough to give value over some of the other more standardized security guides; and
What are these "standardized security guides"?
I think he's talking about the general, high-level stuff you might get if you googled "linux security" or something.
Sure, but also things like "Practical UNIX and Internet Security, "Computer Security: Art & Science," Gollmann's "Computer Security," and such.
Personally, I would consider "standardized security guides" within the realm of the following sources:
Information Assurance Technology Framework Release 3.1, National Security Agency Automated Tools for Testing Computer System Vulnerability, NIST Special Publication 800-6 Establishing a Computer Security Incident Response Capability(CSIRC), NIST Special Publication 800-3
A great many(granted not all) security resources written today is full of fluff and doesn't recognize or even mention industry standards or procedures. To tell you the truth, i've found that CS research papers(available from NEC) seem to contain more relevant content than alot of the published books. IMHO.
I've got a basic content done for the first release. I just need to determine the most efficient way to structure the content for the intended audience.
Tuxxer: This is where I could use some help. If you've got the time --- drop me a line --- i'd like to forward to you my sources to look over. Also I wanted to review your list of intended documentation so that we can assure that we don't overlap content.
I am pretty sure the docs will be top notch stuff --- but then again I am pretty bias ;)
Thomas
On Fri, 2005-04-29 at 18:56 -0500, Thomas Jones wrote:
Paul W. Frields wrote:
On Fri, 2005-04-29 at 13:21 -0700, tuxxer wrote:
On Fri, 2005-04-29 at 20:56 +0100, Timothy Murphy wrote:
Paul W. Frields wrote:
(2) be Fedora-specific enough to give value over some of the other more standardized security guides; and
What are these "standardized security guides"?
I think he's talking about the general, high-level stuff you might get if you googled "linux security" or something.
Sure, but also things like "Practical UNIX and Internet Security, "Computer Security: Art & Science," Gollmann's "Computer Security," and such.
Personally, I would consider "standardized security guides" within the realm of the following sources:
Information Assurance Technology Framework Release 3.1, National Security Agency Automated Tools for Testing Computer System Vulnerability, NIST Special Publication 800-6 Establishing a Computer Security Incident Response Capability(CSIRC), NIST Special Publication 800-3
A great many(granted not all) security resources written today is full of fluff and doesn't recognize or even mention industry standards or procedures. To tell you the truth, i've found that CS research papers(available from NEC) seem to contain more relevant content than alot of the published books. IMHO.
Okay, okay, you definitely win the Battle of the Citations. ;-) (Like Karsten, my specialized experience doesn't fall into the security realm either, except in a more esoteric sense.) You're working from a different definition for "standardized" than I intended, which is a good indicator that I made a poor word choice. "General practical" would have been better, and would be more along the lines of the books I named. In any case, I'm glad we have a good security technical editor aboard.
docs@lists.stg.fedoraproject.org