Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)
On Mon, Dec 30, 2002 at 12:25:05PM +0100, Javier Fernández-Sanguino Peña wrote:
> I've taken a (brief) look at msec. It seems that it is divided into
> two different functionalities:
> - security checks, written in shell scripts and run through cron.
> - security hardening scripts, written in python and run when the user sets
> the security level. Some of the hardening stuff is _also_ done on system
> bootup (this time through shell scripts in init.d)
> I believe the first part is similar to the checks we already
> discussed (Tiger, OpenBSD's and SUSE's) whereas the second part is roughly
> similar to what Bastille does (albeit different).
> One of the things I think might be nice for end-users is to have
> four different security levels. Novice admins might find it easy to set the
> configuration based on a level 0 (nothing) to 4 (paranoid).
> That's one idea that I might bring to the Tiger package (which
> currently installs in 'paranoid', i.e. all security checks enabled, mode).
While I think a Bastille-like hardening system is a good thing, I do
want to be clear on what I'm suggesting.
I'm _not_ talking about adding a 100% fully comprehensive, fully tweakable
system of tightening and reporting on every single potential flaw or
compromise into the base system. (There are packages present for that:
tripwire, snort, tiger, etc.)
I'm simply trying to work out a good collection of generic, and tweakable
lightweight checks which can be safely included in the base install.
(This means that several desirable features like testing for security
updates may well be present, but have to be disabled by default - modulo
debconf question I guess. It has to be this way because such a test
requires 'net access and we don't know that the user had it).
I'm very interested in looking at existing systems, as I hope I've
demonstrated - but I don't want to go down the road of adding a
huge behemoth of a system in place of the small, misnamed, checksecurity