Gentoo Archives: gentoo-user

From: Laurence Perkins <lperkins@×××××××.net>
To: "gentoo-user@l.g.o" <gentoo-user@l.g.o>
Subject: Re: [gentoo-user] Decent single-user/embedded-device security standard
Date: Thu, 11 Jul 2019 18:48:36
Message-Id: c6ea9bd82339458e808707b1eb401934@openeye.net
In Reply to: Re: [gentoo-user] Decent single-user/embedded-device security standard by Adam Carter
1 >You could still use USGCB (or which ever standard the auditors regard highly) but then document the differences with a
2 >note explaining why. For USGCB I'd add another column to the spreadsheet with options of compliant/non compliant with
3 >mitigations/non compliant/not applicable and another column for notes. eg umask 077 would be compliant, and in the
4 >notes column "stricter than required".
5 >
6 >From their point of view they need to justify passing you, and USGCB states "these recommendations do not address
7 >site-specific configuration issues. Care must be taken when implementing these settings to address local operational
8 >and policy concerns" so deltas are expected. Don't worry if it seems like its all deltas...
9
10 Yeah, that was the fallback option. I was just hoping there was something in reasonably common usage that wouldn't end up being 60% deltas and didn't look like it was compiled by a practitioner of voodoo instead of someone who actually understands how the system works.
11
12 ________________________________
13 From: Adam Carter <adamcarter3@×××××.com>
14 Sent: Wednesday, July 10, 2019 5:27:55 PM
15 To: gentoo-user@l.g.o
16 Subject: Re: [gentoo-user] Decent single-user/embedded-device security standard
17
18 On Thu, Jul 11, 2019 at 9:30 AM Laurence Perkins <lperkins@×××××××.net<mailto:lperkins@×××××××.net>> wrote:
19 When the security auditors come through and ask what standard I use for
20 securing my systems I'd like to have something to tell them.
21
22 I've had a few suggestions like USGCB, etc. But looking at them they
23 all seem to start from the direction of "take a bloated, wide-open
24 Microsoft/Redhat default OS and do these things to make it 'secure' so
25 you can let several dozen users play around on it without fear."
26
27 A lot of the stuff on the list doesn't apply to or would slightly
28 reduce the overall security of the device (I think I'll keep my default
29 umask at 077 thanks...)
30
31
32 You could still use USGCB (or which ever standard the auditors regard highly) but then document the differences with a note explaining why. For USGCB I'd add another column to the spreadsheet with options of compliant/non compliant with mitigations/non compliant/not applicable and another column for notes. eg umask 077 would be compliant, and in the notes column "stricter than required".
33
34 From their point of view they need to justify passing you, and USGCB states "these recommendations do not address site-specific configuration issues. Care must be taken when implementing these settings to address local operational and policy concerns" so deltas are expected. Don't worry if it seems like its all deltas...