[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Common (basic) security checks for a base installation? (was Re: Security notification script in Perl)



On Mon, Dec 30, 2002 at 08:09:36PM +0000, Steve Kemp wrote:
> 
>   While I think a bastille like hardening system is a good thing I do
>  want to be clear on what I'm suggesting.

	I wasn't of course. Suggesting this for 'checksecurity' either. I
was just stating what 'msec' does for Mandrake. Which is a mixed behaviour
of what Tiger+Bastille does for Debian users ATM.

>   I'm _not_ talking about adding a 100% fully comprehensive fully tweakable
>  system of tightening and reporting on every single potential flaw or
>  compromise into the base system.  (There are packages present for that,
>  tripwire, snort, tiger, etc).

	You forgot bastille.
> 
>   I'm simply trying to work out a good collection of generic, and tweakable
>  lightweight checks which can be safely included in the base install.
> 
	Of course, this is my same idea.

>   (This means that several desirable features like testing for security
>  updates may well be present, but have to be disabled by default - modulo
>  debconf question I guess.  It has to be this way because such a test
>  requires 'net access and we don't know that the user had it).
> 
>   I'm very interested at looking at existing systems, as I hope I've
>  demonstrated - but I don't want to go down the road of adding a
>  huge behemoth of a system in place of the small, misnamed, checksecurity
>  script.

	Neither do I. Even more when we already have it in Debian. The
'behemoth' equivalent is
bastille+tiger+snort+aide|tripwire|samhain|integrit+selinux+....

	Regards

	Javi

Attachment: pgphd75MjXe_o.pgp
Description: PGP signature


Reply to: