[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Questions

Le 04/12/2018 à 21:32, Ruslanas Gžibovskis a écrit :
Hi all,

Jerome, I would say that most 'users' will go to pop choice, like only some hardcore lovers would listen to "Tsjuder" but most of the people would go with "Lady Gaga". Same here, if you do not want to learn, you use *buntu or any "*" made of, else if you wanna learn and use stable and updated distro you will go with Debian.

Look a good black metal band :D

I would still agree that would be nice to have some package which would do some hardening settings. BUT, please note, that it might give a false confidence. Why?! Because once hardening done, you believe that it is safe, but any moment by accident your perm tuning might change. Your hardend setup might not run correctly some app AND then tired user will do "chmod 7777 -R /" and a package will still remain.

I’m aware of this trouble. My most trouble come with the fact some hardening can broke some setup. And more upstream it’s less problems there will are and more easy is to maintain (Aka more people, not just me). One of my other concern is about knowledge and manage admin, maintener, dev ressources; maybe i’m wrong but it’s look likethere is less and less people can do some needed task (package & maintain, code with C, etc )

So if you want to ensure hardening is set and exist, make puppet profile! Run puppet all the time! And before running puppet check, have OpenSCAP test to check compliance. It has very nice compliance checks for different standards! Try it!

I will try openscap. As say before i also set up an openvas if it want to work. And for puppet i think i will more like ansible instead of puppet ;) I will check if already existing recipes are security aware.


On Tue, 4 Dec 2018, 20:31 Jérôme Bardot <bardot.jerome@gmail.com wrote:
Agree about some hardening only are usefull in certain use case. But
some of them should be set as default i guess because they are usefull
for most of the case and case not include require skills and in this
skill are include change an option in some not all the day open conf
file. Maybe i’m wrong. I think about kernel conf for ie. And or maybe
provide a way to choose some preset conf maybe in package.

Without any troll there is more and more non ready users on GNU\linux,
and debian, they can’t do real choices, do they really want ? I’m
agree it’s bad. But we don’t offer real way to help users to
understand. Maybe gnome have now some pretty first start tutorial ? I
don’t use it.

What threat i want to be protect against :
- hardware & physical attack
- network attack (including vulnerable world open app)
- compromise user attack

What want to protect : multi purpose server and laptop.

And by the way i love doing this kind of stuff. It’s like a problem to
solve. And more automate it can be better it is (for each use case
ofc) :)
Why automatisation instead of just make snapshot ? because it (my
point of view) permit to also test the setup step and keep the doc up
to date.

Sry for my really bad english. I need to sleep.
Thx for all your messages.

Le mar. 4 déc. 2018 à 19:44, Jonathan Hutchins
<hutchins@tarcanfel.org> a écrit :
> On 2018-12-03 05:10, Jérôme Bardot wrote:
> > Why debian is not more harden by default ?
> Debian's hardening is adequate for most users, who are typically behind
> some sort of protection such as a router/firewall.
> If you actually need a hardened system, it's far better for you to do
> the hardening yourself to address the specific threats you feel
> vulnerable to.  That way you have a better understanding of what has
> been done, why, and how.  Unlike Windows, where users typically allow
> Microsoft to make all of the decisions for them, Linux in general and
> Debian specifically put user choice ahead of cookie-cutter solutions.
> --
> Jonathan

Attachment: 0x053A41EF03878A98.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: