Jerome, I would say that most 'users' will go to pop choice, like only some hardcore lovers would listen to "Tsjuder" but most of the people would go with "Lady Gaga". Same here, if you do not want to learn, you use *buntu or any "*" made of, else if you wanna learn and use stable and updated distro you will go with Debian.
I would still agree that would be nice to have some package which would do some hardening settings. BUT, please note, that it might give a false confidence. Why?! Because once hardening done, you believe that it is safe, but any moment by accident your perm tuning might change. Your hardend setup might not run correctly some app AND then tired user will do "chmod 7777 -R /" and a package will still remain.
So if you want to ensure hardening is set and exist, make puppet profile! Run puppet all the time! And before running puppet check, have OpenSCAP test to check compliance. It has very nice compliance checks for different standards! Try it!
Agree about some hardening only are usefull in certain use case. But
some of them should be set as default i guess because they are usefull
for most of the case and case not include require skills and in this
skill are include change an option in some not all the day open conf
file. Maybe i’m wrong. I think about kernel conf for ie. And or maybe
provide a way to choose some preset conf maybe in package.
Without any troll there is more and more non ready users on GNU\linux,
and debian, they can’t do real choices, do they really want ? I’m
agree it’s bad. But we don’t offer real way to help users to
understand. Maybe gnome have now some pretty first start tutorial ? I
don’t use it.
What threat i want to be protect against :
- hardware & physical attack
- network attack (including vulnerable world open app)
- compromise user attack
What want to protect : multi purpose server and laptop.
And by the way i love doing this kind of stuff. It’s like a problem to
solve. And more automate it can be better it is (for each use case
Why automatisation instead of just make snapshot ? because it (my
point of view) permit to also test the setup step and keep the doc up
Sry for my really bad english. I need to sleep.
Thx for all your messages.
Le mar. 4 déc. 2018 à 19:44, Jonathan Hutchins
<email@example.com> a écrit :
> On 2018-12-03 05:10, Jérôme Bardot wrote:
> > Why debian is not more harden by default ?
> Debian's hardening is adequate for most users, who are typically behind
> some sort of protection such as a router/firewall.
> If you actually need a hardened system, it's far better for you to do
> the hardening yourself to address the specific threats you feel
> vulnerable to. That way you have a better understanding of what has
> been done, why, and how. Unlike Windows, where users typically allow
> Microsoft to make all of the decisions for them, Linux in general and
> Debian specifically put user choice ahead of cookie-cutter solutions.