@billdietrich444 Note: my comment is a trolling attempt, and hopefully an obvious one due to the choice of an obviously unimplementable-in-a-useful-way standard. Please take only 10% seriously.
It may be a good idea to stop talking about pure security according to our own set of criteria (because it's up to discussion what's good enough) and start talking about compliance to recognized standards. We can start with the UK standard named Cyber Essentials, which is required for all organizations that need to deal with the UK government. The standard itself is available at https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf

It has the following testable requirements related to technical controls:

* Firewalls - we can check that the firewall is installed and configured to "block unauthenticated inbound connections by default".
* Secure configuration - this also includes removing unneeded or unused services (and this means that it is forbidden to run the SSH server unless there is a documented business need) and uninstalling unused software. So we might want to display when each piece of software was last used so as to ease the audit. Another testable requirement is that any auto-run feature is disabled or configured to "ask". And also there are some checkable requirements related to device unlocking.
* User access control - we could list administrative accounts. Also, if a fingerprint reader is detected, or another form of 2FA is available, we can list all non-enrolled accounts as non-compliant. We can also check if the password quality requirements are implemented and the mandatory unsuccessful login throttling (or lock-out) policy is enforced by PAM.
* Malware protection - with specific requirements, related to on-access scanning of all files (including those on network shares, so sorry, ClamAV is not compliant) and web pages. This was the reason I had to tell one of my clients that they have to stop using Linux or stop dealing with the UK government.
* Security update management - we can check Ubuntu-specific settings related to the freshness of the database, whether a reboot is needed for something to apply (e.g. are there running copies of deleted and replaced binaries, or do they use deleted libraries), and whether the updates are configured to install automatically.
* Backups - we can test whether they are configured through known backup applications.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-control-center in Ubuntu.
https://bugs.launchpad.net/bugs/1987162

Title:
  43: New Device Security feature is confusing and unhelpful currently

Status in gnome-control-center package in Ubuntu:
  Fix Released

Bug description:
  GNOME 43 added a new Device Security feature in the Settings app. You can access it in gnome-control-center 1:43~beta-1ubuntu1

  1. Open the Settings app
  2. Click Privacy then Device Security

  The Security Events aren't clickable.

  A default Ubuntu install only gets us "Security Level 1". The highest level is "Security Level 3". There isn't anything an Ubuntu user can do to get to a higher security level from the Device Security screen. If a user attempts to get their system to a higher security level, I think they could break their system since this isn't something we currently support.

  Therefore, I think we ought to hide/disable the screen for Ubuntu 22.10. We can work towards better integrating this screen for Ubuntu in future releases.

  I'm attaching several screenshots although it's worth trying out the feature for yourself too.
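The "running copies of deleted and replaced binaries, or ... deleted libraries" check named in the comment above can be read from `/proc/<pid>/maps`. The following is an added example, not code from the bug report or from gnome-control-center; the function names, the ignore list and the sample maps text are constructed for illustration.

```python
import os

DELETED = " (deleted)"
# Pseudo-files the kernel always reports as deleted; not replaced packages.
IGNORED_PREFIXES = ("/memfd:", "/dev/", "/SYSV")

def stale_mappings(maps_text):
    """Return sorted paths of executable file mappings whose file is gone."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        _addr, perms, _offset, _dev, inode, path = fields
        if not path.endswith(DELETED) or "x" not in perms or inode == "0":
            continue
        path = path[: -len(DELETED)]
        if not path.startswith(IGNORED_PREFIXES):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc="/proc"):
    """Map pid -> stale paths for each readable process (root sees all)."""
    report = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                stale = stale_mappings(fh.read())
        except OSError:
            continue  # process exited or access denied
        if stale:
            report[int(entry)] = stale
    return report

# Constructed sample: sshd and libcrypto were replaced by an update, libc was not.
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a2c000 r-xp 00002000 08:01 393301 /usr/sbin/sshd (deleted)
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a12400000-7f3a125a8000 r-xp 00028000 08:01 394112 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a12800000-7f3a12a5c000 r-xp 000b0000 08:01 394977 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7f3a12c00000-7f3a12c01000 r-xs 00000000 00:01 2051 /memfd:jit (deleted)
7f3a12e00000-7f3a12e04000 r--p 00000000 08:01 394977 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7ffc5a1e0000-7ffc5a201000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("sample:", stale_mappings(SAMPLE_MAPS))
    for pid, paths in sorted(scan_proc().items()):
        print(pid, ", ".join(paths))
```

A non-empty result for a process means it is still executing code from a file that has since been removed or replaced, so it needs a restart before the update takes effect for it.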

