On Sun, Dec 11, 2011 at 02:20:43PM +0200, Alex Efros wrote:
> On Sun, Dec 11, 2011 at 10:18:51AM +0000, Sven Vermeulen wrote:
> > Also consider hardening your system settings-wise. I would appreciate it if you
> > take a look at
> > http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
>
> Some points in that guide look strange to me. For example:
>
> 1) How can
> 4.2.4.1. Root Logon Through SSH Is Not Allowed
> increase security, if we're already using
> 4.2.4.2. Public Key Authentication Only
> Disabling root may make sense with password auth, but with keys it is
> just a useless inconvenience.

I read somewhere that security is about making things more inconvenient for
malicious people than for authorized ones.

For me, immediately logging in as root is not done. I want to limit root
access through the regular accounts on the system (with su(do)). I never had
the need to log on as root immediately myself.

> 2) How can
> 4.2.4.6. Listen on Management Interface
> increase security? Moreover, on multihomed systems listening on all
> interfaces may help you a lot in case one of the network links is broken.

True, but by only allowing management activities on the management interface
and not on a more public facing network, you reduce the likelihood that this
service is abused for malicious reasons.

Personally, I don't limit this on my systems because I don't really have a
multi-homed setup and I am not (yet) considering creating one. Just like
most hardening guides, it is meant to provide some insight into what can be
done - there are always reasons why a setting isn't good for your situation.

> 3) In my experience, the
> 4.4.2.2. Enable Source Route Verification
> often conflicts with net-misc/openvpn based VPN interfaces. I didn't
> investigate this issue in depth, I just googled for the issue and found a
> solution, which was to disable source route verification, and it works.
> Maybe there exists a better way to solve this issue, not sure.

Ah, didn't realise that. I'll look into this and if necessary, mention that
OpenVPN might require that this is disabled.

> 4) Nowadays, in addition to
> 4.8.2. Limit Setuid and Setgid File and Directory Usage
> we also have to check for SECURITY_FILE_CAPABILITIES and `getcap`.

I still need to look into capabilities. I know Anthony was considering
updating Gentoo/Portage to have this support elevated.

> 5) In my experience, while
> 4.8.5. Review File Integrity Regularly
> looks like a good idea, it's nearly impossible to use in Gentoo because
> of daily updates which change a lot of system files, so it's too hard
> to review aide-like tool reports and quickly detect suspicious file
> changes. If anyone has a good recipe for how to work around this, I'll be
> glad to learn it.

It of course depends on how you manage your system. I can imagine that you
do not want to pull in daily updates on a server, but instead rely on other
hardening measures, glsa-check, cvechecker and the like to mitigate risks of
vulnerabilities.

Thanks a lot for the feedback though, really appreciated!

Wkr,
Sven Vermeulen
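The sshd_config checks behind guide items 4.2.4.1, 4.2.4.2 and 4.2.4.6 debated above, as an added example that is not part of this thread or of the guide: a small POSIX shell audit that reads a config the way sshd does (first occurrence of a keyword wins, global section only) and flags direct root logon, password authentication and listening on every interface. The two sample configs and the 10.0.0.5 management address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the guide): check an sshd_config against guide
# items 4.2.4.1 (no root logon), 4.2.4.2 (public key only), 4.2.4.6 (management interface).
# Print the effective value of a keyword, lower-cased, or nothing if unset.
# sshd takes the first occurrence of a keyword, and keywords after a "Match"
# line are conditional, so only the global section is read. $1 = file, $2 = keyword.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                   # comment or blank line
        tolower($1) == "match" { exit }                  # end of the global section
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Audit one file: one FAIL line per finding, return 0 only when everything passes.
audit_sshd() {
    cfg="$1"; rc=0
    root="$(sshd_opt "$cfg" PermitRootLogin)"
    pass="$(sshd_opt "$cfg" PasswordAuthentication)"
    pub="$(sshd_opt "$cfg" PubkeyAuthentication)"
    listen="$(sshd_opt "$cfg" ListenAddress)"
    # 4.2.4.1: unset counts as a finding, the compiled-in default depends on the OpenSSH version.
    [ "$root" = no ] || { printf 'FAIL PermitRootLogin=%s\n' "${root:-unset}"; rc=1; }
    # 4.2.4.2: keys only means passwords off and public keys on (PubkeyAuthentication defaults to yes).
    [ "$pass" = no ] || { printf 'FAIL PasswordAuthentication=%s\n' "${pass:-unset}"; rc=1; }
    [ -z "$pub" ] || [ "$pub" = yes ] || { printf 'FAIL PubkeyAuthentication=%s\n' "$pub"; rc=1; }
    # 4.2.4.6: unset or a wildcard address means sshd listens on every interface.
    case "$listen" in
        ""|0.0.0.0|0.0.0.0:*|::|"[::]"*) printf 'FAIL ListenAddress=%s\n' "${listen:-unset}"; rc=1 ;;
    esac
    return "$rc"
}
# Constructed sample configs; on a real host point audit_sshd at /etc/ssh/sshd_config.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# keys are allowed, but so are passwords and direct root logon, on every interface
PermitRootLogin yes
PubkeyAuthentication yes
EOF
STRONG_CFG=$(mktemp)
cat >"$STRONG_CFG" <<'EOF'
# 10.0.0.5 stands in for the management interface address
ListenAddress 10.0.0.5
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd "$WEAK_CFG" || echo "weak config needs attention"
audit_sshd "$STRONG_CFG" && echo "strong config OK"
```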