From: Alex Efros
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] New Server, considering hardened, need pointers to tfm...
Date: Sun, 11 Dec 2011 14:20:43 +0200
Message-ID: <20111211122043.GD1990@home.power>
In-Reply-To: <20111211101851.GA1810@gentoo.org>
References: <4EE3BE6B.6050507@libertytrek.org> <20111210145204.39ec9cba@khorne.mthode.org> <20111211101851.GA1810@gentoo.org>
Organization: http://powerman.name/
User-Agent: Mutt/1.5.21 (2010-09-15)

Hi!

On Sun, Dec 11, 2011 at 10:18:51AM +0000, Sven Vermeulen wrote:
> Also consider hardening your system settings-wise. I would appreciate if you
> take a look at
> http://dev.gentoo.org/~swift/docs/previews/oval/gentoo-xccdf-guide.html.

Some points in that guide look strange to me. For example:

1) How can 4.2.4.1. Root Logon Through SSH Is Not Allowed increase security
   if we're already using 4.2.4.2. Public Key Authentication Only? Disabling
   root may make sense with password auth, but with keys it is just a useless
   inconvenience.

2) How can 4.2.4.6. Listen on Management Interface increase security?
   Moreover, on multihomed systems listening on all interfaces may help you a
   lot in case one of the network links is broken.

3) In my experience, 4.4.2.2. Enable Source Route Verification often
   conflicts with net-misc/openvpn based VPN interfaces. I didn't investigate
   this issue in depth, just googled for it and found a solution, which was to
   disable source route verification, and it works. Maybe there exists a
   better way to solve this issue, not sure.

4) Nowadays, in addition to 4.8.2. Limit Setuid and Setgid File and Directory
   Usage we also have to check for SECURITY_FILE_CAPABILITIES and `getcap`.

5) In my experience, while 4.8.5. Review File Integrity Regularly looks like
   a good idea, it's nearly impossible to use in Gentoo because of daily
   updates which change a lot of system files, so it's too hard to review
   aide-like tool reports and quickly detect suspicious file changes. If anyone
   has a good recipe for how to work around this, I'll be glad to learn it.

-- 
WBR, Alex.
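Point 4 of the mail above, as an added example that is not part of the original message or of the Gentoo guide it discusses: a small POSIX shell audit that lists the setuid/setgid files under a tree and, where libcap's `getcap` is installed, the files that carry file capabilities, which the plain mode-bit check misses. The demo tree it builds under `mktemp -d` and the file names in it are constructed for illustration; `getcap -r` is the real libcap recursive listing, and the tool runs without it by simply reporting no capabilities.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a tree for setuid/setgid
# binaries and for files carrying file capabilities.
# Assumptions: GNU/Linux with findutils and coreutils; getcap from libcap
# (sys-libs/libcap on Gentoo) is optional.

# Regular files under $1 with the setuid or setgid bit set, one per line,
# sorted so the output can be saved and diffed against the previous run.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Files under $1 that carry file capabilities (CAP_NET_RAW=ep and friends).
# Empty when getcap is not installed, so the setuid report still works.
find_file_caps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null | sort
    fi
}

# Number of setuid/setgid files under $1, for a one-line summary.
count_suid_sgid() {
    find_suid_sgid "$1" | wc -l | tr -d ' '
}

# Constructed demo tree (made-up names) so the check can be exercised without
# root: two files with special bits, two without.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/bin" "$demo_root/lib"
    : > "$demo_root/bin/suid_tool";  chmod 4755 "$demo_root/bin/suid_tool"
    : > "$demo_root/bin/sgid_tool";  chmod 2755 "$demo_root/bin/sgid_tool"
    : > "$demo_root/bin/plain_tool"; chmod 0755 "$demo_root/bin/plain_tool"
    : > "$demo_root/lib/libfoo.so";  chmod 0644 "$demo_root/lib/libfoo.so"
    printf '%s\n' "$demo_root"
}

# Usage: ./suid-audit.sh --demo        (constructed tree)
#        ./suid-audit.sh /             (real system, run as root for full coverage)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "setuid/setgid files under $root:"
    find_suid_sgid "$root"
    echo "file capabilities under $root:"
    find_file_caps "$root"
    rm -rf "$root"
elif [ -n "${1:-}" ]; then
    echo "setuid/setgid files under $1:"
    find_suid_sgid "$1"
    echo "file capabilities under $1:"
    find_file_caps "$1"
fi
```

Saving both listings after each `emerge` run and diffing them against the previous copy gives a far smaller review set than a full AIDE database: a new setuid binary or a new `cap_setuid` / `cap_sys_admin` capability on an unfamiliar path is exactly the kind of change worth a second look, while routine package updates that keep the same set of privileged files produce an empty diff.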