Re: SECURITY
On Wed, 2016-04-20 at 19:53 +0000, sarez45@att.net wrote:
> Why isn't Debian 8.4 secure by default? Does the Debian team ever run
> a security audit with Lynis security audit tool? It finds numerous
> security issues such as the sshd_config not configured properly.

What constitutes "secure" depends on many factors and has to be balanced
against usability and functionality. It's not a one-size-fits-all
concept, and an "audit tool" can't give a definitive answer.

If you wish to discuss the various trade-offs further, please do so in
either a user support forum or security-related venue - the
debian-release list is neither. You will probably want to start by
identifying actual issues, rather than simply "this tool I found says
bad things; why?".

For the record, on a Debian 8 machine that didn't previously have an
SSHD installed, installing the openssh-server package and running the
latest version of lynis from the upstream website... fails miserably
with more than half a dozen shell script errors due to repeated attempts
to access unset variables without quoting. This does make me wonder how
you performed your test to begin with.

Fixing up the errors (well, hacking the tests so that they always
evaluate to "yes, run this check", as the variables don't exist at all)
so that the script can actually be run leads to the following for SSHD:

[21:45:34] Performing test ID SSH-7412 (Check SSH option: PermitRootLogin)
[21:45:34] Test: check PermitRootLogin option
[21:45:34] Result: PermitRootLogin is disabled. Root can't login directly
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 57, total: 86
[21:45:34] ===---------------------------------------------------------------===
[21:45:34] Performing test ID SSH-7414 (Check SSH option: Protocol)
[21:45:34] Test: check allowed SSH protocol versions
[21:45:34] Result: only protocol 2 is allowed
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 60, total: 89
[21:45:34] ===---------------------------------------------------------------===
[21:45:34] Performing test ID SSH-7416 (Check SSH option: StrictModes)
[21:45:34] Test: Check configured StrictModes option
[21:45:34] Result: StrictModes active, file permissions are checked
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 63, total: 92
[21:45:34] ===---------------------------------------------------------------===
[21:45:34] Performing test ID SSH-7440 (Check SSH option: AllowUsers and AllowGroups)
[21:45:34] Result: AllowUsers is not set
[21:45:34] Result: AllowGroups is not set
[21:45:34] Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
[21:45:34] Hardening: assigned 0 hardening points (max for this item: 1), current: 63, total: 93

This does not include any suggestion that "the sshd_config not
configured properly".

Regards,
Adam
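
Added example, not part of the original message and not Lynis's own code: a small shell/awk filter that reads Lynis log lines like those quoted above and lists each test's assigned/maximum hardening points, so the tests that fell short of their maximum can be identified instead of relying on a general impression. The function names are hypothetical; the sample lines are copied from the excerpt in the message, with separator lines omitted.

```shell
#!/bin/sh
# Log lines copied from the excerpt in the message above (separators omitted).
sample_log() {
cat <<'EOF'
[21:45:34] Performing test ID SSH-7412 (Check SSH option: PermitRootLogin)
[21:45:34] Test: check PermitRootLogin option
[21:45:34] Result: PermitRootLogin is disabled. Root can't login directly
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 57, total: 86
[21:45:34] Performing test ID SSH-7414 (Check SSH option: Protocol)
[21:45:34] Test: check allowed SSH protocol versions
[21:45:34] Result: only protocol 2 is allowed
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 60, total: 89
[21:45:34] Performing test ID SSH-7416 (Check SSH option: StrictModes)
[21:45:34] Test: Check configured StrictModes option
[21:45:34] Result: StrictModes active, file permissions are checked
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 63, total: 92
[21:45:34] Performing test ID SSH-7440 (Check SSH option: AllowUsers and AllowGroups)
[21:45:34] Result: AllowUsers is not set
[21:45:34] Result: AllowGroups is not set
[21:45:34] Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
[21:45:34] Hardening: assigned 0 hardening points (max for this item: 1), current: 63, total: 93
EOF
}

# Read a Lynis log on stdin; print "TEST-ID assigned/max" per hardening line.
lynis_scores() {
  awk '
    /Performing test ID/ {
      id = $0
      sub(/^.*Performing test ID /, "", id)   # drop timestamp and prefix
      sub(/ .*$/, "", id)                     # keep only the test ID
    }
    /Hardening: assigned/ {
      a = $0; sub(/^.*assigned /, "", a); sub(/ .*$/, "", a)
      m = $0; sub(/^.*max for this item: /, "", m); sub(/\).*$/, "", m)
      print id, a "/" m
    }
  '
}

# Read a Lynis log on stdin; print only test IDs that scored below their maximum.
lynis_shortfalls() {
  lynis_scores | awk '{ split($2, s, "/"); if (s[1] + 0 < s[2] + 0) print $1 }'
}

sample_log | lynis_shortfalls
```

On a real system the same filters can be fed the Lynis log file instead of `sample_log`.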