15:03:38 <q5sys> #startmeeting Security (2022-10-06)
15:03:38 <zodbot> Meeting started Thu Oct  6 15:03:38 2022 UTC.
15:03:38 <zodbot> This meeting is logged and archived in a public location.
15:03:38 <zodbot> The chair is q5sys. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
15:03:38 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:03:38 <zodbot> The meeting name has been set to 'security_(2022-10-06)'
15:03:41 <q5sys> #chair q5sys
15:03:41 <zodbot> Current chairs: q5sys
15:03:48 <q5sys> #link Temporary issues location : https://pagure.io/Fedora-Security-Team/issues
15:04:03 <q5sys> #topic Open floor to discuss anything security related
15:04:03 <q5sys> #info The next meeting will be October 13th.
15:04:10 <q5sys> I'm planning on filing tickets with Infra to get Security a repo on the fedora gitlab instance so we can have a place to work on tickets that's not the temp pagure repo.  This would also give us a location to place notes around work to be done.
15:04:24 <q5sys> I'd also like to start the discussion around the systemd service hardening work.  That's come up in the mailing list before.  I'd like to get ideas as to the best way to proceed.  I think the best outcome long term is for that to be done upstream, but I don't think most upstream devs will do that until they are shown it working well.
15:04:31 <q5sys> So we should probably figure out some of the most obvious service files that could use some initial attention and then decide on the most sane defaults.  These will obviously still need to be adjusted on a per-system basis depending on how secure someone wants a system, but I think there are a lot of no-brainers.
15:04:42 <q5sys> For example... should nginx be able to load kernel modules?  I don't think I'm too far off when I say that setting to no is probably a good idea.
15:04:42 <q5sys> If someone really needs that functionality they can always enable it, but by and large I don't think most people running nginx have any desire for nginx to do that.
15:04:46 <q5sys> But I'm interested in everyone else's thoughts.  This is not a one man show, input is not only welcomed it's preferred.
16:00:23 <q5sys> #endmeeting