On Sun, Dec 11, 2011 at 02:20:43PM +0200, Alex Efros wrote:
> On Sun, Dec 11, 2011 at 10:18:51AM +0000, Sven Vermeulen wrote:
> > Also consider hardening your system settings-wise. I would appreciate if you
> > take a look at
> > http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.
> 
> Some points in that guide look strange to me. For example:
> 
> 1)  How can
>       4.2.4.1. Root Logon Through SSH Is Not Allowed
>     increase security, if we're already using
>       4.2.4.2. Public Key Authentication Only
>     Disabling root may make sense with password auth, but with keys it is
>     just a useless inconvenience.

I read somewhere that security is about making things more inconvenient for
malicious people than for authorized ones.

For me, immediately logging in as root is not done. I want to limit root
access through the regular accounts on the system (with su(do)). I never had
the need to log on as root immediately myself.

> 2)  How can
>       4.2.4.6. Listen on Management Interface
>     increase security? Moreover, on multihomed systems listening on all
>     interfaces may help you a lot in case one of the network links is broken.

True, but by only allowing management activities on the management interface
and not on a more public facing network, you reduce the likelihood that this
service is abused for malicious reasons.

Personally, I don't limit this on my systems because I don't really have a
multi-homed setup and I am not (yet) considering creating one. Just like
most hardening guides, it is meant to provide some insight into what can be
done - there are always reasons why a setting isn't good for your situation.

> 3)  In my experience, the
>       4.4.2.2. Enable Source Route Verification
>     often conflicts with net-misc/openvpn based VPN interfaces. I didn't
>     investigate this issue in depth, just googled for the issue and found a
>     solution which was to disable source route verification, and it works.
>     Maybe there exists a better way to solve this issue, not sure.

Ah, didn't realise that. I'll look into this and if necessary, mention that
OpenVPN might require that this is disabled.

> 4)  Nowadays, in addition to
>       4.8.2. Limit Setuid and Setgid File and Directory Usage
>     we've to also check for SECURITY_FILE_CAPABILITIES and `getcap`.

I still need to look into capabilities. I know Anthony was considering
updating Gentoo/Portage to have this support elevated. 

> 5)  In my experience, while
>       4.8.5. Review File Integrity Regularly
>     looks like good idea, it's nearly impossible to use in Gentoo because
>     of daily updates which change a lot of system files, so it's too hard
>     to review aide-like tool reports and quickly detect suspicious file
>     changes. If anyone has a good recipe how to work around this I'll be
>     glad to learn it.

It of course depends on how you manage your system. I can imagine that you
do not want to pull in daily updates on a server, but instead rely on other
hardening measures, glsa-check, cvechecker and the like to mitigate risks of
vulnerabilities.

Thanks a lot for the feedback though, really appreciated!

Wkr,
        Sven Vermeulen
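
The three sshd items discussed above (4.2.4.1 root logon, 4.2.4.2 key-only authentication, 4.2.4.6 listening on the management interface) as a configuration audit. This is an added example, not code from the XCCDF guide or from either participant. It assumes OpenSSH sshd_config semantics (the first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment, directives after a `Match` line are conditional), and it takes the management address as a parameter; the two sample config files and the address 10.0.0.2 are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings discussed in the
# thread. Not Gentoo's, the guide's or the posters' code. Assumes OpenSSH
# sshd_config syntax; the management address is supplied by the caller.

# effective FILE KEYWORD: first global (pre-Match) value of KEYWORD, or nothing.
effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }          # comment line
        tolower($1) == "match"      { exit }          # rest is conditional
        tolower($1) == tolower(key) { print $2; exit } # first match wins
    ' "$1"
}

# audit_sshd_config FILE MGMT_ADDR: print one line per finding (nothing = clean).
audit_sshd_config() {
    f=$1; mgmt=$2

    v=$(effective "$f" PermitRootLogin)
    [ "$v" = "no" ] ||
        echo "PermitRootLogin=${v:-unset}: root may still log in directly (want 'no')"

    v=$(effective "$f" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] ||
        echo "PubkeyAuthentication=$v: key logins disabled"

    v=$(effective "$f" PasswordAuthentication)
    [ "$v" = "no" ] ||
        echo "PasswordAuthentication=${v:-unset}: passwords accepted (want 'no')"

    # Keyboard-interactive (PAM) can still prompt for a password even with
    # PasswordAuthentication off. The keyword was renamed in OpenSSH 8.7, so
    # accept either spelling.
    v=$(effective "$f" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(effective "$f" ChallengeResponseAuthentication)
    [ "$v" = "no" ] ||
        echo "KbdInteractiveAuthentication=${v:-unset}: PAM password prompts possible (want 'no')"

    # ListenAddress may repeat; with none set sshd binds every interface.
    listens=$(awk '/^[[:space:]]*#/ {next}
                   tolower($1)=="match" {exit}
                   tolower($1)=="listenaddress" {print $2}' "$f")
    if [ -z "$listens" ]; then
        echo "ListenAddress unset: sshd listens on all interfaces (want $mgmt)"
    else
        for a in $listens; do
            [ "$a" = "$mgmt" ] ||
                echo "ListenAddress=$a: not the management address $mgmt"
        done
    fi
}

# count_findings FILE MGMT_ADDR: number of findings, handy for scripting.
count_findings() {
    audit_sshd_config "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample configs (not taken from any real host).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# stock-looking config: every hardening item left at its default
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF

HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
ListenAddress 10.0.0.2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CONF" 10.0.0.2
echo "== hardened config: $(count_findings "$HARD_CONF" 10.0.0.2) finding(s) =="
```

The audit reads only the global section; anything under a `Match` block (like the per-user password exception in the hardened sample) is conditional and has to be reviewed by hand. On a live host, `sshd -T` prints the effective configuration with defaults filled in and is the better input for the same checks.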
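
On the source route verification point (4.4.2.2 and the OpenVPN conflict), here is an added check that is not part of the thread. It assumes the Linux `rp_filter` semantics documented in ip-sysctl: values 0 (off), 1 (strict) and 2 (loose), and the value enforced on an interface is the larger of `conf/all/rp_filter` and `conf/IFACE/rp_filter`. A `PROC_ROOT` argument stands in for `/proc` so the check can run against a constructed tree; the interface names and values below are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the guide): compute the rp_filter value
# the kernel actually applies to an interface. Assumption: Linux semantics,
# effective value = max(conf/all/rp_filter, conf/IFACE/rp_filter), where
# 0 = off, 1 = strict, 2 = loose. PROC_ROOT replaces /proc for testing.

# rp_filter_effective PROC_ROOT IFACE: print the value in force for IFACE
rp_filter_effective() {
    all=$(cat "$1/sys/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    own=$(cat "$1/sys/net/ipv4/conf/$2/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rp_filter_report PROC_ROOT IFACE...: one line per interface with the mode name
rp_filter_report() {
    root=$1; shift
    for i in "$@"; do
        v=$(rp_filter_effective "$root" "$i")
        case "$v" in
            0) mode=off ;;
            1) mode=strict ;;
            2) mode=loose ;;
            *) mode="unknown" ;;
        esac
        echo "$i rp_filter=$v ($mode)"
    done
}

# Constructed /proc stand-in: strict everywhere, then tun0 "fixed" to 0.
# This is the common change that does not take effect because all=1 wins.
FAKE=$(mktemp -d)
for i in all eth0 tun0; do mkdir -p "$FAKE/sys/net/ipv4/conf/$i"; done
echo 1 > "$FAKE/sys/net/ipv4/conf/all/rp_filter"
echo 1 > "$FAKE/sys/net/ipv4/conf/eth0/rp_filter"
echo 0 > "$FAKE/sys/net/ipv4/conf/tun0/rp_filter"
echo "== all=1, tun0=0 =="
rp_filter_report "$FAKE" eth0 tun0      # tun0 is still strict

# Loose mode keeps a reverse-path check (any route back to the source is
# accepted) and is a less drastic thing to try than 0 when a VPN introduces
# asymmetric routes. On a real host: sysctl -w net.ipv4.conf.all.rp_filter=2
echo 2 > "$FAKE/sys/net/ipv4/conf/all/rp_filter"
echo "== all=2 =="
rp_filter_report "$FAKE" eth0tun0 2>/dev/null >/dev/null  # ignore: placeholder name
rp_filter_report "$FAKE" eth0 tun0

# On a real Linux host, show what is actually in force per interface.
if [ -d /proc/sys/net/ipv4/conf ]; then
    echo "== this host =="
    for d in /proc/sys/net/ipv4/conf/*/; do
        i=$(basename "$d")
        [ "$i" = all ] || [ "$i" = default ] || rp_filter_report /proc "$i"
    done
fi
```

Whether loose mode is enough for a given OpenVPN setup depends on the routes involved; the point of the function is that lowering the per-interface value alone changes nothing while `all` stays at 1, which is easy to miss when following a copied "fix".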

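The setuid/setgid and file-capability inventory from point 4 (4.8.2), combined with the baseline-and-diff idea behind point 5 (4.8.5), as an added example that is neither Gentoo's tooling nor anything from the thread. It assumes a POSIX `find` and `comm`, treats `getcap` from libcap as optional (used only when installed), and assumes the caller keeps the baseline somewhere the system being checked cannot modify; the demo directory and file names are constructed.

```shell
#!/bin/sh
# Added example (not Gentoo's or the guide's code): list setuid/setgid files and
# file capabilities under a tree, save that as a baseline, and report what
# appeared or vanished since. Assumptions: POSIX find/comm; getcap optional;
# baseline stored out of reach of the audited host.

# privileged_inventory DIR: sorted lines "setuid PATH", "setgid PATH", "cap PATH caps"
privileged_inventory() {
    {
        find "$1" -xdev -type f -perm -4000 -exec printf 'setuid %s\n' {} \;
        find "$1" -xdev -type f -perm -2000 -exec printf 'setgid %s\n' {} \;
        # With CONFIG_SECURITY_FILE_CAPABILITIES a binary carrying e.g.
        # cap_net_raw=ep is as interesting as a setuid one, and -perm never
        # sees it; getcap -r prints only files that have capabilities set.
        if command -v getcap >/dev/null 2>&1; then
            getcap -r "$1" 2>/dev/null | sed 's/^/cap /'
        fi
    } | LC_ALL=C sort
}

# privileged_diff BASELINE_FILE DIR: "+ line" gained and "- line" lost since baseline
privileged_diff() {
    cur=$(mktemp)
    privileged_inventory "$2" > "$cur"
    LC_ALL=C comm -13 "$1" "$cur" | sed 's/^/+ /'   # in current, not in baseline
    LC_ALL=C comm -23 "$1" "$cur" | sed 's/^/- /'   # in baseline, not in current
    rm -f "$cur"
}

# Constructed demo tree standing in for / (real use: privileged_inventory / > baseline)
ROOT=$(mktemp -d)
: > "$ROOT/passwd_like";  chmod 4755 "$ROOT/passwd_like"
BASELINE=$(mktemp)
privileged_inventory "$ROOT" > "$BASELINE"

# Something later gains the setgid bit, as an update or an intruder might do.
: > "$ROOT/dropped_in";   chmod 2755 "$ROOT/dropped_in"

echo "== baseline =="
cat "$BASELINE"
echo "== changes since baseline =="
privileged_diff "$BASELINE" "$ROOT"
```

The inventory is deliberately small compared with an AIDE database: on a box that takes daily updates the full-tree report is noisy, as point 5 says, but the set of setuid/setgid/capability files changes rarely, so a diff of just that set stays reviewable and still catches the additions an attacker is most likely to make. Re-baseline right after each update you have reviewed, not before.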