On 04/12/2018 at 21:32, Ruslanas Gžibovskis wrote:
> Hi all,
> Jerome, I would say that most 'users' will go for the pop choice:
> only some hardcore lovers would listen to "Tsjuder", but most
> people would go with "Lady Gaga". Same here: if you do not want to
> learn, you use *buntu or anything made of it; else, if you want to
> learn and use a stable and updated distro, you will go with Debian.
Look, a good black metal band :D
> I would still agree that it would be nice to have some package
> which would do some hardening settings. BUT please note that it
> might give false confidence. Why?! Because once hardening is done,
> you believe that it is safe, but at any moment your perm tuning
> might change by accident. Your hardened setup might not run some
> app correctly AND then the tired user will do "chmod 7777 -R /"
> and the package will still remain.
I'm aware of this trouble. Most of my trouble comes from the fact
that some hardening can break some setups. And the more upstream it
is, the fewer problems there will be and the easier it is to maintain
(aka more people, not just me). One of my other concerns is about
knowledge and managing admin, maintainer and dev resources; maybe I'm
wrong, but it looks like there are fewer and fewer people who can do
some needed tasks (package & maintain, code in C, etc.).
> So if you want to ensure hardening is set and exists, make a puppet
> profile! Run puppet all the time! And before running the puppet
> check, have an OpenSCAP test to check compliance. It has very nice
> compliance checks for different standards! Try it!
I will try OpenSCAP. As said before, I also set up an OpenVAS, if it
wants to work. And for puppet, I think I will more likely use Ansible
instead of puppet ;) I will check whether already existing recipes are
security aware.
Thx
Agree that some hardening is only useful in certain use cases. But
some of it should be set as default, I guess, because it is useful
for most cases, and those cases do not require skills; the skills
involved are changing an option in some conf file that is not opened
every day. Maybe I'm wrong. I think about kernel conf, for example.
And/or maybe provide a way to choose some preset conf, maybe in a
package.
Without any trolling: there are more and more non-ready users on
GNU/Linux and Debian; they can't make real choices, do they really
want to? I agree it's bad. But we don't offer a real way to help
users understand. Maybe GNOME now has some pretty first-start
tutorial? I don't use it.
What threats I want to be protected against:
- hardware & physical attack
- network attack (including vulnerable world-open apps)
- compromised user attack
What I want to protect: multi-purpose server and laptop.
And by the way, I love doing this kind of stuff. It's like a problem
to solve. And the more automated it can be, the better it is (for
each use case, ofc) :)
Why automation instead of just making a snapshot? Because (my point
of view) it also permits testing the setup steps and keeping the doc
up to date.
Sorry for my really bad English. I need to sleep.
Thx for all your messages.
J.
On Tue, 4 Dec 2018 at 19:44, Jonathan Hutchins
<hutchins@tarcanfel.org> wrote:
>
> On 2018-12-03 05:10, Jérôme Bardot wrote:
>
> > Why is Debian not more hardened by default?
>
>
> Debian's hardening is adequate for most users, who are typically
> behind some sort of protection such as a router/firewall.
>
> If you actually need a hardened system, it's far better for you to
> do the hardening yourself to address the specific threats you feel
> vulnerable to. That way you have a better understanding of what has
> been done, why, and how. Unlike Windows, where users typically allow
> Microsoft to make all of the decisions for them, Linux in general
> and Debian specifically put user choice ahead of cookie-cutter
> solutions.
>
> --
> Jonathan
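An added example, not code from this thread, from Debian or from OpenSCAP, of the "check first, then let configuration management re-apply" loop discussed above, using the kernel sysctl settings that Jérôme mentions as a preset candidate. The sysctl keys are real Linux keys, but the baseline values, the script name hardening-check.sh and the drop-in path /etc/sysctl.d/90-hardening-example.conf are assumptions chosen for the illustration, not a Debian default and not an OpenSCAP profile.

```shell
#!/bin/sh
# Added example (not from the thread or any Debian package): a small
# "check, then apply" script for kernel sysctl hardening. A compliance check
# runs first; only then does the apply step write a drop-in that
# configuration management (puppet/ansible in the thread) can keep in place.
# The baseline values are a constructed illustration, not a Debian default.

# Desired baseline, one "key value" per line (constructed).
HARDENING_BASELINE='kernel.kptr_restrict 2
kernel.dmesg_restrict 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
fs.protected_symlinks 1'

# live_snapshot: dump the running kernel's sysctl table as "key value" lines,
# the same shape as the baseline (strips the " = " that sysctl -a prints).
live_snapshot() {
    sysctl -a 2>/dev/null | sed 's/ = / /'
}

# check_drift SNAPSHOT: compare a "key value" snapshot against the baseline.
# Prints "key expected actual" for every key that differs or is absent
# (actual shown as MISSING); prints nothing when the host is compliant.
check_drift() {
    snapshot="$1"
    printf '%s\n' "$HARDENING_BASELINE" | while read -r key want; do
        have=$(printf '%s\n' "$snapshot" |
            awk -v k="$key" '$1 == k { print $2; found = 1 }
                             END { if (!found) print "MISSING" }')
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$key" "$want" "$have"
        fi
    done
}

# drift_count SNAPSHOT: number of non-compliant keys (0 means compliant).
drift_count() {
    check_drift "$1" | wc -l | tr -d ' '
}

# write_sysctl_fragment PATH: render the baseline in sysctl.conf syntax so a
# drop-in under /etc/sysctl.d/ (or a config-management tool) can re-apply it.
write_sysctl_fragment() {
    printf '%s\n' "$HARDENING_BASELINE" | awk '{ print $1 " = " $2 }' > "$1"
}

# Usage (both optional; nothing runs when the file is merely sourced):
#   sh hardening-check.sh --check    # report drift on this host
#   sh hardening-check.sh --apply    # write the drop-in and reload (needs root)
case "${1:-}" in
    --check)
        check_drift "$(live_snapshot)"
        ;;
    --apply)
        write_sysctl_fragment /etc/sysctl.d/90-hardening-example.conf
        sysctl --system >/dev/null
        ;;
esac
```

The check reports drift as "key expected actual", which is exactly the kind of finding a periodic puppet or ansible run would then correct; the drop-in under /etc/sysctl.d/ survives the "tired user" scenario from Ruslanas's message only if something re-runs the check, which is why the check is a separate step rather than a one-time setup.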