On Sunday 29 October 2006 13:13, Panagiotis Atmatzidis wrote:
> Guillaume Castagnino wrote:
> > Hi,
> >
> > hardening is not only to protect against your known users, but only
> > from external attackers !
> > If you have a flaw in one of your servers that can be remotely
> > exploited, hardening your box will help you contain the attacker
> > !
> >
> > Regards,
> >
> > On Sunday 29 October 2006 05:16, bridavis@×××××××.net wrote:
> >> I have a total of 3 non-root users, 1 is me, the 2 others are
> >> trusted (i.e. family/friend). RBAC looks like it's more complex
> >> than I need and want to deal with, and I'm wondering if I
> >> should bother with this with so few users.
> >>
> >> Thoughts?
> >>
> >> Thanks,
> >> Brian
>
> I replied before with a straight answer. My case is the case of a
> "kid" (24 years old) who likes to play with his computer so he applies
> hardened&RSBAC now and then, sets up snort and plays with
> security-wise system configuration (encryption etc) as much as time
> and will permit.
>
> That said, there is no need for someone to set up a box like that
> just for being "secure". The trade off imho is too much. Remember
> that for an expert hacker a misconfiguration is enough to take over
> the system. A hardened system takes time and brainpower to be set up
> correctly.
>
> I see no point to apply orange-book security level on
> standard systems by default.

It's your opinion...
If Fedora provides SELinux by default, there are good reasons.

It's not because it's a "personal" server that it can be not so secured
as a professional server. You can be a normal person and have precious
data and want a more secured server.

And securing a box is perhaps hard at the beginning to have a correct set up,
but when it's configured, you do not have to reconfigure it each
morning ! It simply works ! (Personally, my RBAC rules have been up and
running for 2 years, with very minor modifications).

And I secure my box not against known users, but against potential
security flaws that could make external hackers make me lose data or
reinstall my box...
Using RBAC mechanism can incredibly help to reduce the impact of a
security issue (due to misconfiguration or flaw in the program itself).
I think you know that, don't you ?

For me it's not "too much", because personal data are as important as
professional data. So same security mechanisms are relevant.
Of course, it's also my opinion ;)

Regards,

--
Guillaume Castagnino
guilc@×××××××.net / casta@×××××.info
GnuPG/PGP key :
http://wwwkeys.pgp.net:11371/pks/lookup?op=vindex&search=0x8AF468AF
Fingerprint : CD52 FE40 9592 BA1E E89D 5FB6 820E 4742 8AF4 68AF

--
gentoo-hardened@g.o mailing list