Re: OS Hardening
[No need to CC: me guys, I read each and every list mail I
>>>>> "BMA" == Bradley M Alexander <email@example.com> writes:
BMA> The problem with this is that, generally speaking, there are
BMA> as many configurations as there are sysadmins or users out
BMA> there. You would run the risk of bogging down in the mire of
BMA> details and asking questions that the user really has no clue
BMA> about. In this case, as a security person, the idea of
BMA> "profiles" in lieu of actual knowledge or familiarity is a
BMA> dangerous thing.
BMA> Personally I turn them off and rely on secure shell on my
BMA> network at home.
I use SSH on my home network as well.
You make some good points in your email, Bradley. I think that if I were
to ever install a Linux distro using some kind of install profiles,
I would still want to know why things were installed a certain way.
After reading Andres' email about how Mandrake handles and implements
security profiles, and your email, I am convinced that they aren't the
best solution to securing a system. After all, any Linux installation is
only as secure as the user/administrator who performed the install and
tends to the post-install and administration tasks.
After doing a Debian install, I have my own checklist of things I do to
*try* and secure the installation.
Maybe what is then needed is some kind of script that checks a few basic
things after the installation (or the script is part of some package,
and the root user has the option of running this script from time to
time) to see what things might potentially be security problems. Such a
script wouldn't get into too many details about specific packages,
rather some issues common to a broad or general class of packages and
things common to all Linux installations (e.g. filesystems, permissions,
setuid/setgid issues, etc.).
I like the suggestions in the Securing-Debian-HOWTO and usually try to
go through them once I have completed installing all the packages I need
after a Debian install.
Once the Bastille-Linux scripts have support for Debian, I intend to
take a look at them too.
But, it would still be nice to have some of these security suggestions
and hardening steps available in the form of some official Debian
package/entity/script (for lack of a better word) as opposed to a 3rd
party thing. At the very least, critics wouldn't be able to say that
Debian isn't making an attempt to produce a secure and usable distro
(even though we Debian users know better), as has been said about Debian
in the recent past.
ssahmed AT pathcom DOT com
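
A sketch of the kind of post-install check script proposed in the message above, covering the permission and setuid/setgid items it names. This is an added example, not part of the original email and not an official Debian or Bastille-Linux script; the function names and output labels are hypothetical.

```shell
#!/bin/sh
# Post-install permission audit: reports findings, changes nothing.
# Function names and output labels are hypothetical (added example).

# tag LABEL: prefix each path read on stdin with LABEL and a tab.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_tree DIR: list risky permission bits under DIR (default /),
# staying on one filesystem (-xdev) so /proc and network mounts are skipped.
audit_tree() {
    root=${1:-/}
    # Programs that run with their owner's or group's privileges.
    find "$root" -xdev -type f -perm -4000 -print 2>/dev/null | tag SETUID
    find "$root" -xdev -type f -perm -2000 -print 2>/dev/null | tag SETGID
    # Files any local user may modify.
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null |
        tag WORLD-WRITABLE-FILE
    # World-writable directories without the sticky bit: any user can
    # delete or replace other users' files there (/tmp is normally 1777).
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
        tag WORLD-WRITABLE-DIR
}

# Run only when a directory is given, e.g.: sh audit.sh / > audit.txt
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Keeping the output from a fresh install and comparing later runs against it shows which setuid/setgid or world-writable entries appeared afterwards.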