| 1 |
Le dimanche 29 octobre 2006 13:13, Panagiotis Atmatzidis a écrit : |
| 2 |
> Guillaume Castagnino wrote: |
| 3 |
> > Hi, |
| 4 |
> > |
| 5 |
> > hardening is not only to protect against your known users, but only |
| 6 |
> > from external attackers ! |
| 7 |
> > If you have a flaw in one of your servers that can be remotely |
| 8 |
> > exploited, hardening your box will help you containing the attacker |
| 9 |
> > ! |
| 10 |
> > |
| 11 |
> > Regards, |
| 12 |
> > |
| 13 |
> > Le dimanche 29 octobre 2006 05:16, bridavis@×××××××.net a écrit : |
| 14 |
> >> I have a total of 3 non-root users, 1 is me, the 2 others are |
| 15 |
> >> trusted (i.e. family/friend). RBAC looks like it's more complex |
| 16 |
> >> that I need and want to deal with, and I'm I'm wondering if I |
| 17 |
> >> should bother with this with so few users. |
| 18 |
> >> |
| 19 |
> >> Thoughts? |
| 20 |
> >> |
| 21 |
> >> Thanks, |
| 22 |
> >> Brian |
| 23 |
> |
| 24 |
> I replied before with a straight answer. My case is the case of a |
| 25 |
> "kid" (24 old) who likes to play with his computer so he applies |
| 26 |
> hardened&RSBAC now and then, set ups snort and plays with |
| 27 |
> security-wise system configuration (encryption etc) as much as time |
| 28 |
> and will permits. |
| 29 |
> |
| 30 |
> That said, there is no need for someone to set up a box like that |
| 31 |
> just for being "secure". The trade off imho is too much. Remember |
| 32 |
> that for an expert hacker a misconfiguration is enough to take over |
| 33 |
> the system. A hardened system takes time and brainpower to be set up |
| 34 |
> correctly. |
| 35 |
> |
| 36 |
> I see no point to apply orange-book security level on a standard |
| 37 |
> systems by default. |
| 38 |
|
| 39 |
It's your opinion... |
| 40 |
If Fedora provides SELinux by default, there are good reasons. |
| 41 |
|
| 42 |
It's not because it's a "personal" server that it can be not so secured |
| 43 |
as a professional server. You can be a normal person and have precious |
| 44 |
datas and want a more secured server. |
| 45 |
|
| 46 |
And securing a box is perhaps hard at begining to have a correct set up, |
| 47 |
but when it's configured, you do not have to reconfigure it each |
| 48 |
morning ! It simply works ! (Personnaly, my RBAC rules are up and |
| 49 |
running since 2 years, with very minor modifications). |
| 50 |
|
| 51 |
And I secure my box not against known users, but against potential |
| 52 |
security flaws that could make external hackers make me loose data or |
| 53 |
reinstall my box... |
| 54 |
Using RBAC mechanism can incredibly help to reduce the impact of a |
| 55 |
security issue (due to misconfiguration or flaw in the program itself). |
| 56 |
I think you know that, don't you ? |
| 57 |
|
| 58 |
For me it's not "too much", because personal data are as important as |
| 59 |
professional data. So same security mechanisms are relevant. |
| 60 |
Of course, it's also my opinion ;) |
| 61 |
|
| 62 |
Regards, |
| 63 |
|
| 64 |
-- |
| 65 |
Guillaume Castagnino |
| 66 |
guilc@×××××××.net / casta@×××××.info |
| 67 |
GnuPG/PGP key : |
| 68 |
http://wwwkeys.pgp.net:11371/pks/lookup?op=vindex&search=0x8AF468AF |
| 69 |
Fingerprint : CD52 FE40 9592 BA1E E89D 5FB6 820E 4742 8AF4 68AF |
| 70 |
|
| 71 |
-- |
| 72 |
gentoo-hardened@g.o mailing list |
Archives