Nice discussion.
Having learned Linux out of disgust for Microsoft,
and now having run servers and networks for many years,
I have to agree that knowledge and forethought are key,
but the notifications and tips that Tiger and other packages provided
have helped me gain the knowledge necessary
to have avoided many serious problems.
I think an overall security suite package for Debian
would be an appropriate vaccination for newbies
and make a great system even better.
I can't think of a faster way to learn than by doing
and I can't imagine the pain of having had to learn without help.
The choice is between doing it blind and having
automatic access to expert scripts and context-based advice.
I only wish I knew enough to be able to help!
Thanks, Russell and thanks, Florian, for the link to open-scap.org.
Does Open-scap accomplish what Russell is suggesting?
Vince H.
Louisville KY
On 2020/03/07 13:29 PM, Noah Meyerhans wrote:
> On Sat, Mar 07, 2020 at 11:46:54AM -0600, Jonathan Hutchins wrote:
> > The only way to achieve real security is through knowledge. Pressing a
> > shiny automated button is just going to implement what somebody else thinks
> > is good for the system they assume you're running. Find the security
> > websites, podcasts, newsletters, books. Learn what you really need to do
> > for your actual case, not what somebody else thinks you should do. Learn
> > what is superstitious paranoia that will never even come close to a private
> > personal system.
>
> By your logic, we shouldn't bother taking any steps to help our users
> secure their systems. Everything should be on them. This may come as a
> surprise to you, but many computer users (I'll stop short of saying
> anything about "the vast majority"), have no interest whatsoever in
> "security websites, podcasts, newsletters, books". But guess what,
> they're still using computers, and they're not going to stop. We can
> either help them do so a little more safely, or we can watch them fail.
> One of these choices is aligned with our social contract.
>
> > If you're going to run a public web server, mail server, or whatever, one
> > run of a script is not going to keep you secure. You need to know what the
> > actual attack vectors can be, and need to be prepared for a threat that
> > nobody's thought of yet.
>
> Why? *Somebody* certainly needs to think about these things, but the
> notion that *everybody* needs to do so to the deepest possible level
> ignores the reality of human nature. It is our responsibility as a
> Linux distribution to make difficult OS management tasks easier, and
> that includes taking reasonable steps to configure a system for use on
> today's internet.
>
> > Microsoft tells you all you have to do is click the little check box that
> > turns on the security they've built and you're all safe.
>
> We're not talking about Microsoft.
>
> noah