I am exploring CentOS as a possibility for hosting a number of servers (mail, web, database, etc). Each machine will have a single purpose, and security is a priority.
At the first installation, I am confronted with this:
Information about these policies is here, but it's a bit overwhelming. Also, if you drill into it you see things like:
To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed.
Presumably not all such things translate exactly to CentOS, but I'm an Ubuntu user so I don't really understand the extent of the equivalence.
It seems that these security profiles are created as a matter of legal compliance, audits, and business concerns foremost, rather than being defined strictly in terms of security itself.
What's the best option for "I'm not exactly sure what I'm doing just yet, but for now I want to be paranoid"?
As well as each server instance having a single function, they will be non-graphical terminals with ssh access.
Just use the default policy with no rules. These policies are about reporting that certain configuration declarations exist and are not being violated, which is somewhat orthogonal to actual security concerns. Furthermore, use of them without understanding what they do will cause confusing behavior.
I would like to add my findings and what really helped me. Such options make most users feel paranoid. I was also searching for a direct explanation which is short and to the point. I came across this Red Hat article.
The article clearly mentions the following:
I'm using the installation for my standalone use. These two sentences were enough to cure me of the paranoia. And I turned off the security policy and moved ahead with the next steps. No issues during or post-installation as of now.
Yes, you need to know what your requirements are.
To add to the discussion: an alternative to the default policy, which won't do anything to your system, is to select the Standard Profile. The aim of this profile is to check security and audit settings that improve the security level of the system without being intrusive to practical usability.
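The profiles the installer offers are XCCDF profiles inside an SCAP benchmark: each profile is just a list of `<select>` entries that switch individual rules on (or off), and a profile can `extends` another. Rather than guessing what "Standard Profile" versus "no profile" does, you can read the content and list the rules a profile actually selects. The script below is an added example, not code from the question or any of the answers; the XML it parses is a constructed sample shaped like scap-security-guide content, and every profile and rule id in it is invented for the demonstration (the real content ships in the scap-security-guide package, and `oscap info <datastream>` lists its profiles).

```python
"""List which rules an XCCDF profile selects (added example, constructed data).

XCCDF semantics used here: a Rule's own `selected` attribute is its baseline
(default "true"; scap-security-guide sets it to "false" on every rule so that
nothing is checked unless a profile asks for it), a Profile's <select> entries
override that, and a Profile may `extends` a parent whose selections it
inherits and may override.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed sample benchmark. Ids are made up for this example; the real
# scap-security-guide content is much larger and uses its own id scheme.
SAMPLE_XCCDF = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_default">
    <title>No profile selected</title>
  </Profile>
  <Profile id="xccdf_example_profile_standard">
    <title>Standard System Security Profile</title>
    <select idref="xccdf_example_rule_ensure_gpgkey_installed" selected="true"/>
    <select idref="xccdf_example_rule_ensure_gpgcheck_globally_activated" selected="true"/>
    <select idref="xccdf_example_rule_sshd_disable_root_login" selected="true"/>
  </Profile>
  <Profile id="xccdf_example_profile_hardened" extends="xccdf_example_profile_standard">
    <title>Hardened: inherits standard, drops one rule, adds one</title>
    <select idref="xccdf_example_rule_sshd_disable_root_login" selected="false"/>
    <select idref="xccdf_example_rule_partition_for_tmp" selected="true"/>
  </Profile>
  <Rule id="xccdf_example_rule_ensure_gpgkey_installed" severity="high" selected="false">
    <title>Ensure the vendor package-signing GPG key is installed</title>
  </Rule>
  <Rule id="xccdf_example_rule_ensure_gpgcheck_globally_activated" severity="high" selected="false">
    <title>Ensure gpgcheck is enabled for all package repositories</title>
  </Rule>
  <Rule id="xccdf_example_rule_sshd_disable_root_login" severity="medium" selected="false">
    <title>Disable SSH root login</title>
  </Rule>
  <Rule id="xccdf_example_rule_partition_for_tmp" severity="low" selected="false">
    <title>Ensure /tmp is on a separate partition</title>
  </Rule>
  <Rule id="xccdf_example_rule_package_xinetd_removed" severity="low" selected="false">
    <title>Uninstall xinetd</title>
  </Rule>
</Benchmark>
"""


def load_benchmark(xml_text):
    """Parse a benchmark and index its Profiles and Rules by id."""
    root = ET.fromstring(xml_text)
    profiles = {p.get("id"): p for p in root.findall("x:Profile", NS)}
    rules = {r.get("id"): r for r in root.findall("x:Rule", NS)}
    return profiles, rules


def selected_rules(xml_text, profile_id):
    """Return the sorted ids of rules that `profile_id` turns on."""
    profiles, rules = load_benchmark(xml_text)

    # Collect the inheritance chain: this profile, its parent, grandparent ...
    chain, seen, pid = [], set(), profile_id
    while pid is not None:
        if pid not in profiles:
            raise KeyError(f"unknown profile: {pid}")
        if pid in seen:
            raise ValueError(f"cyclic extends at profile {pid}")
        seen.add(pid)
        chain.append(profiles[pid])
        pid = profiles[pid].get("extends")

    # Baseline comes from each Rule's own selected attribute (default true).
    state = {rid: r.get("selected", "true") == "true" for rid, r in rules.items()}

    # Apply selections from the root ancestor down, so children override parents.
    for profile in reversed(chain):
        for sel in profile.findall("x:select", NS):
            rid = sel.get("idref")
            if rid in state:  # ignore selects that point at rules absent here
                state[rid] = sel.get("selected", "true") == "true"

    return sorted(rid for rid, on in state.items() if on)


def describe_profile(xml_text, profile_id):
    """Return (rule id, severity, title) for every rule the profile selects."""
    _, rules = load_benchmark(xml_text)
    out = []
    for rid in selected_rules(xml_text, profile_id):
        rule = rules[rid]
        title = rule.find("x:title", NS)
        out.append((rid, rule.get("severity", "unknown"),
                    title.text if title is not None else ""))
    return out


if __name__ == "__main__":
    for profile in ("xccdf_example_profile_default",
                    "xccdf_example_profile_standard",
                    "xccdf_example_profile_hardened"):
        print(profile)
        for rid, severity, title in describe_profile(SAMPLE_XCCDF, profile):
            print(f"  [{severity:6}] {title}  ({rid})")
```

Point `load_benchmark` at the real XCCDF or datastream file instead of `SAMPLE_XCCDF` and pick one of the profile ids that `oscap info` prints, and you get the concrete checklist behind each installer option; the empty output for the "default" profile is exactly the "no rules" case the first answer recommends.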