Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)

To: Javier Fern?ndez-Sanguino Pe?a <jfs@computer.org>
Cc: Gustavo Franco <stratus@legolas.alternex.com.br>, debian-devel@lists.debian.org
Subject: Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)
From: Steve Kemp <debian-devel@steve.org.uk>
Date: Mon, 30 Dec 2002 20:09:36 +0000
Message-id: <[🔎] 20021230200936.GB1599@uk.intasys.com>
In-reply-to: <[🔎] 20021230112505.GC19946@dat.etsit.upm.es>
References: <[🔎] 20021224232809.GA9374@uk.intasys.com> <[🔎] 20021226093038.GA27461@dat.etsit.upm.es> <[🔎] 1041001270.1874.41.camel@overflow.mz.digirati.com.br> <[🔎] 20021230112505.GC19946@dat.etsit.upm.es>

On Mon, Dec 30, 2002 at 12:25:05PM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:

> 	I've taken a (brief) look at msec. It seems that it is divided into
> two different functionalities:
> 
> - security checks, written in shell scripts and run through cron.
> - security hardening scripts, written in python and run when the user sets
> the security level. Some of the hardening stuff is _also_ done on system
> bootup (this time through shell scripts in init.d)
> 
> 	I believe the first part is similar to the checks we already
> discussed (Tiger, OpenBSD's and SUSE's) whileas the second part is roughly
> similar to what Bastille does (albeit different).

> 	One of the things I think might be nice for end-users is to have
> four different security levels. Novice admins might find it easy to set the
> configuration based on a level 0 (nothing) to 4 (paranoid). 
> 	That's one idea that I migh bring to the Tiger package (which
> currently installs in 'paranoid', i.e. all security checks enabled, mode). 

  While I think a bastille like hardening system is a good thing I do
 want to be clear on what I'm suggesting.

  I'm _not_ talking about adding a 100% fully comprehensive fully tweakable
 system of tightening and reporting on every single potential flaw or
 compromise into the base system.  (There are packages present for that,
 tripwire, snort, tiger, etc).

  I'm simply trying to work out a good collection of generic, and tweakable
 lightweight checks which can be safely included in the base install.

  (This means that several desirable features like testing for security
 updates may well be present, but have to be disabled by default - modulo
 debconf question I guess.  It has to be this way because such a test
 requires 'net access and we don't know that the user had it).

  I'm very interested at looking at existing systems, as I hope I've
 demonstrated - but I don't want to go down the road of adding a
 huge behemoth of a system in place of the small, misnamed, checksecurity
 script.

Steve
---

Reply to:

References:
- Security notification script in Perl
  - From: Steve Kemp <debian-devel@steve.org.uk>
- Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)
  - From: Gustavo Franco <stratus@legolas.alternex.com.br>
- Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: Unknown problem report Bug#164942 (preliminary DCC packages)
Next by Date: Re: [Final comments]Are we losing users to Gentoo?
Previous by thread: Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)
Next by thread: Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)
Index(es):
- Date
- Thread