Default security vs RedHat documentation

[lylecorman]

So, because fedora docs seem to be under construction (e.g. "Fedora Security Guide" non existant reference in what is otherwise a very minimal documentation, albeit good quality),

I cannot figure out what is the relation between, say, RedHat security hardening guide and fedora default security (whatever the latest kernel and system).

I'll give you an example:

Do we "need" to configure "unbound" on a workstation? DNSSEC appears to be working even without it... or not?
It is default on some other *nixes...
Is it crucial?

Another example

Fedora has some RHEL functionality like crypto-policy.
When set to FUTURE, package repo doesn't work. Weak keys.

Example three:

Nowhere is it mentioned that selinux is on by default. Is it really that transparent that I cannot even seem to figure out it's on?

Example four:

A non-domain, non-company private workstation: SCAP baseline policy is too strict perhaps?

Anyway, new to the forum, first post, gauging the involment... perhaps a bit ranty, flame if you want.

[Kobuck]

Nowhere is it mentioned that selinux is on by default. Is it really that transparent that I cannot even seem to figure out it's on?

To see the status of selinux enforcement, open a terminal and type following at command prompt:

$ getenforce

[smr54]

SELinux has become far more transparent in recent years. Sometimes, the better you know something, the harder it is to document SELinux being on by default might be one of those things that "everybody knows," even though they don't. It probably is documented somewhere, maybe in a security section.

Even a few years ago, you'd see many howto articles begin with turn off SELinux, though many others would criticize that step.. Nowadays, it seldom gets in the way and has also become easier to fix when it does.

[markdk]

Most of the packages these days come with selinux rules which in the most case allow it to be transparent, a "semodule -l" shows how many packages have also loaded selinux rules. They are not perfect and you will still get denies that noticeably break things. I generally on a new build set "setenforce 0" for a week or two while collecting denies and load my own local rules based on that before turning it back on, the local rules I require these days have gone from over fifty to on most servers less than five now.

My biggest shock with fedora was on doing a workstation install from the workstation install dvd when I had to rebuild a desktop, I went to add my required rules and found all firewall ports were opened by explicit rules. Normally I do a server install where most ports are closed by default. Probably makes life easier for newbies and while the ports are all open as most services such as sshd are not started by default on the workstation install it does open the user up to risk as they install additional software.

While fc30 is the latest I did not take the time to download a workstation install for fc30 just for this post but I would guess it is the same.
I did a fresh install from Fedora-Workstation-Live-x86_64-28-1.1.iso to make sure I was not remembering incorrectly, this is the default below from a fc28 live desktop install to harddisk and after the reboot.
[mark@localhost ~]$ sudo firewall-cmd --list-services
[sudo] password for mark:
dhcpv6-client ssh samba-client mdns
[mark@localhost ~]$ sudo firewall-cmd --list-ports
1025-65535/udp 1025-65535/tcp
[mark@localhost ~]$

Server installs have the ports closed by default, so a lack of consistency to make it easier for new desktop users ?. Probably not an issue as those users are unlikely to have their routers forwarding external traffic to their desktops; but as your post was about default security is worth a mention.