CentOS-7 Installer Security Profiles

The CentOS Project does not provide any verification, certification, or software assurance with respect to security for CentOS Linux. The Security Profiles provided in the CentOS Linux installers are a conversion of the ones included in RHEL Source Code. If certified / verified software that has guaranteed assurance is what you are looking for, then you likely do not want to use CentOS Linux.

1. CentOS Linux and Security

Please see the WARNING at the top of this page about CentOS Linux and Security. The CentOS team does not verify or certify any software with respect to security. The CentOS team builds Source Code released by Red Hat, Inc. for RHEL as it is released (with minor modifications for trademarks and artwork). Any assurance, verification, or certification that Red Hat provides for RHEL does not apply to CentOS Linux. If you want verified, certified software then please contact Red Hat.

2. Security Profiles

The anaconda installer used on the CentOS Linux Minimal, DVD, and Everything ISOs contains a section called Security Profiles. These profiles add packages to installs and may also configure options for several services.

A detailed description of the Security Profiles is included for RHEL here. On that page, you will find links that explain each of the options in great detail. If you have questions about what an individual profile is trying to accomplish, you can research it there.

The CentOS team has changed the profiles for branding and we have tested the installs to ensure they complete and that you are left with a functionally booting system. We have done no tests for suitability.

2.1. Requirements

These profiles require a connection to the internet to install. If you select a security profile and the installer cannot connect to the internet on port 80 (to mirror.centos.org), your install may fail spectacularly and not even allow access to the console locally. Please only try these profiles while connected to the internet.

Packages will be installed from the internet if you use security profiles, even if those packages also reside on the ISOs.

2.2. Known Issues

Currently, with the 7.3.1611 ISOs, we know that all 4 of the STIG installs produce an sshd_config file that will not allow SSHD to start. This is an upstream issue; see Bug Report bz 1401069.

TipsAndTricks/C7SecurityProfiles (last edited 2016-12-05 16:46:26 by JohnnyHughes)