Red Hat Bugzilla – Bug 1145040
[Docs][Install][Async] Please add reference to RHEL hardening manuals
Last modified: 2016-01-04 00:38:45 EST
Hello,

Within the installation guide, before beginning, please reference the following[1][2] if not already referenced, to consult security aspects of installation and hardening (if desired).

Contact: wmealing@redhat.com

Thanks!

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/index.html
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
(In reply to Alon Bar-Lev from comment #0)
> Hello,
>
> Within the installation guide, before beginning, please reference the
> following[1][2] if not already referenced, to consult security aspects of
> installation and hardening (if desired).
>
> Contact: wmealing@redhat.com
>
> Thanks!
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/index.html
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html

Hi Alon,

I would like to get some clarification on why this is needed and what do we want to highlight about the RHEL security guide? It is not ideal to just tell customers to read the whole RHEL security guide before they can implement RHEV.

Marina, if you could weigh in from the support perspective, that would be great.

Cheers,
Julie
(In reply to Julie from comment #1)
> (In reply to Alon Bar-Lev from comment #0)
> > Hello,
> >
> > Within the installation guide, before beginning, please reference the
> > following[1][2] if not already referenced, to consult security aspects of
> > installation and hardening (if desired).
> >
> > Contact: wmealing@redhat.com
> >
> > Thanks!
> >
> > [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/index.html
> > [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
>
> Hi Alon,
> I would like to get some clarification on why this is needed and what do
> we want to highlight about the RHEL security guide? It is not ideal to just
> tell customers to read the whole RHEL security guide before they can
> implement RHEV.
>
> Marina, if you could weigh in from the support perspective, that would be
> great.

There are more and more requests from security stuff to add specific subjects of these manuals into rhev product manuals and maintain them in two separate documents.

For example, if a security issue is found with nfs or postgresql or any other base component, a note is to be added to rhev documentation.

I think this is impossible to maintain and track.

There are two types of requests:

1. CVE reports of these components - fixed using z-stream and release notes of these components, so probably no need to push documentation update.

2. Component hardening instructions - these are instructions that are dynamic in nature, we cannot provide up to date information within our documentation, so I think for those security-aware who like extra security, we can refer to the hardening/security guides.

Do you see any other viable option?
I agree with Alon. However I see Julie's point.

My suggestion, Julie, indeed, if possible, add the link to relevant version security guide on top, as recommended for review. And then, per feature, I would suggest referencing specific topics from those guides, when discussing specific feature.

Re: CVE reports. Those can be reported in Release Notes. The only concern is that there are CVE errata, that are part of Jboss or RHEL product, not RHEV directly. I am not sure how you meant to include them, Alon.

Re: Component hardening. Agreed, as I said above. If you have now a specific feature example, please share and we will use it as example. However, in my opinion, we should not go into details of implementation of those in RHEV Admin/Installation guide. We can dedicate a section for those in the Technical Guide. And a good start would be indeed giving references to those guides.