[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Auditing systems for default homedir permissions and other potential security risks and also for overly long subjects and needlessly antagonistic mailing list discussion threads

On 17 February 2011 16:36, Lars Wirzenius <liw@liw.fi> wrote:
> It would be really cool if there was an automatic auditor for people to
> use. Not just showing emblems in Nautilus, but offering to fix things as
> well. Here's how I imagine it might work.

>From your description you are not looking at an 'auditor' but also a
hardening tool. These two niches are (sub-optimally) covered in Debian
separately by the Tiger security tool and Bastille, which I maintain.

Unfortunately, both of these tools are more oriented towards
security-knowledgeable users than end home users and they lack a
"nice" GUI: Tiger's reports are simple text files and Bastille uses
perl-tk which is hmmm a little bit ugly.

Other approaches I've send in other distributions are SuSE's yast
security "levels" [1] and Mandrake's msec tool [2]. The concept of
these tools is good, since they both define profiles for different
(typical) users and try to set some system configuration variables
accordingly. In addition, Mandrake's msec configures also periodical
reviews of the system (something we in Debian implement through
checksecurity or Tiger).

None of them, however, take the "expert system" approach you are
suggesting i.e. they do not ask the user what type of system they
have,  which security level they want and provide a list of things "to
fix". The user just selects a desired security level and the tools
implements all the associated "improvements" to get to that level.

Anyway, your idea is nice, and IMHO could be a proposal for this
year's GSOC. I would happily mentor (or co-mentor) such a tool. Even
though my past experience is that GSOC proposals related to OS
security do not grab too much attention / students requests. For
reference see [3] [4] [5] [6], of these, only [3] had a followup.



PS: RedHat uses the 'system-config-securitylevel' which is used to
configure firewall rules and SELinux but it is a different approach.

[1] http://doc.opensuse.org/products/draft/SLES/SLES-security/cha.yast_security.html
[2] http://wiki.mandriva.com/en/Draksec
[3] http://wiki.debian.org/SummerOfCode2007/ovalagent
[4] http://wiki.debian.org/SummerOfCode2007/commonsecuritychecks
[5] http://wiki.debian.org/SummerOfCode2007/autosecreview
[6] http://wiki.debian.org/SummerOfCode2008/SecurityPolicy

Reply to: