| 1 |
On Sun, Dec 11, 2011 at 02:20:43PM +0200, Alex Efros wrote: |
| 2 |
> On Sun, Dec 11, 2011 at 10:18:51AM +0000, Sven Vermeulen wrote: |
| 3 |
> > Also consider hardening your system settings-wise. I would appreciate if you |
| 4 |
> > take a look at |
| 5 |
> > http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html. |
| 6 |
> |
| 7 |
> Some points at that guide looks strange to me. For example: |
| 8 |
> |
| 9 |
> 1) How can |
| 10 |
> 4.2.4.1. Root Logon Through SSH Is Not Allowed |
| 11 |
> increase security, if we're already using |
| 12 |
> 4.2.4.2. Public Key Authentication Only |
| 13 |
> Disabling root may have sense with password auth, but with keys it is |
| 14 |
> just useless inconvenience. |
| 15 |
|
| 16 |
I read somewhere that security is about making things more inconvenient for |
| 17 |
malicious people than for authorized ones. |
| 18 |
|
| 19 |
For me, immediately logging in as root is not done. I want to limit root |
| 20 |
access through the regular accounts on the system (with su(do)). I never had |
| 21 |
the need to log on as root immediately myself. |
| 22 |
|
| 23 |
> 2) How can |
| 24 |
> 4.2.4.6. Listen on Management Interface |
| 25 |
> increase security? Moreover, on multihomed systems listening on all |
| 26 |
> interfaces may help you a lot in case one of network link is broken. |
| 27 |
|
| 28 |
True, but by only allowing management activities on the management interface |
| 29 |
and not on a more public facing network, you reduce the likelihood that this |
| 30 |
service is abused for malicious reasons. |
| 31 |
|
| 32 |
Personally, I don't limit this on my systems because I don't really have a |
| 33 |
multi-homed setup and I am not (yet) considering creating one. Just like |
| 34 |
most hardening guides, it is meant to provide some insight in what can be |
| 35 |
done - there are always reasons why a setting isn't good for your situation. |
| 36 |
|
| 37 |
> 3) In my experience, the |
| 38 |
> 4.4.2.2. Enable Source Route Verification |
| 39 |
> often conflict with net-misc/openvpn based VPN interfaces. I didn't |
| 40 |
> investigated this issue in deep, just google for issue and found |
| 41 |
> solution which was to disable source route verification, and it works. |
| 42 |
> Maybe there is exists better way to solve this issue, not sure. |
| 43 |
|
| 44 |
Ah, didn't realise that. I'll look into this and if necessary, mention that |
| 45 |
OpenVPN might require that this is disabled. |
| 46 |
|
| 47 |
> 4) Nowadays, in addition to |
| 48 |
> 4.8.2. Limit Setuid and Setgid File and Directory Usage |
| 49 |
> we've to also check for SECURITY_FILE_CAPABILITIES and `getcat`. |
| 50 |
|
| 51 |
I still need to look into capabilities. I know Anthony was considering |
| 52 |
updating Gentoo/Portage to have this support elevated. |
| 53 |
|
| 54 |
> 5) In my experience, while |
| 55 |
> 4.8.5. Review File Integrity Regularly |
| 56 |
> looks like good idea, it's nearly impossible to use in Gentoo because |
| 57 |
> of daily updates which change a lot of system files, so it's too hard |
| 58 |
> to review aide-like tool reports and quickly detect suspicious file |
| 59 |
> changes. If anyone have a good recipe how to work around this I'll be |
| 60 |
> glad to learn it. |
| 61 |
|
| 62 |
It of course depends on how you manage your system. I can imagine that you |
| 63 |
do not want to pull in daily updates on a server, but instead rely on other |
| 64 |
hardening measures, glsa-check, cvechecker and the like to mitigate risks of |
| 65 |
vulnerabilities. |
| 66 |
|
| 67 |
Thanks a lot for the feedback though, really appreciated! |
| 68 |
|
| 69 |
Wkr, |
| 70 |
Sven Vermeulen |
Archives