
Re: Debian secure by default?
Rico Secada wrote:
> On Sat, 17 May 2008 06:42:57 +0530
> Raj Kiran Grandhi <grajkiran@gmail.com> wrote:
> 
>> Rico Secada wrote:
>>> Hi.
>>>
>>> Why is Debian not set up to be secure by default?
>>>
>>> Not everyone is a security expert so imho the system should be fully
>>> secured out-of-the-box.
>> Please elaborate on what you consider to be the insecure parts of a 
>> default installation. Describe a process by which an etch system can
>> be compromised remotely. Obviously, the ability to become root by
>> tweaking the boot parameters from the grub screen does not count as a
>> vulnerability.
>>
> 
> All I am saying is that it shouldn't be needed to harden anything.
> 
> http://www.debian.org/doc/manuals/securing-debian-howto/

Please consider the following about security:

 1. It's about risk management. Not everybody has the same opinion about
what security is worth; basically there is no one-size-fits-all when it
comes to security.
 2. Securing a system is a process, meaning that it's something ongoing,
not something that one does once and then is done with.
 3. Often security and usability are opposed (but not always). It's
possible to argue that if server packages (e.g. SSH or lighttpd) are
installed they shouldn't be enabled; after all, it might be a mistake by
the administrator to install them, and disabled-by-default is more secure
than the opposite.

So, while considering this, what concrete things would you suggest be
done by default on a new Debian system?

/M

-- 
Magnus Therning                             (OpenPGP: 0xAB4DFBA4)
magnus@therning.org             Jabber: magnus.therning@gmail.com
http://therning.org/magnus

What if I don't want to obey the laws? Do they throw me in jail with
the other bad monads?
     -- Daveman
