* [gentoo-user] Decent single-user/embedded-device security standard
From: Laurence Perkins @ 2019-07-10 23:30 UTC
To: gentoo-user@lists.gentoo.org
When the security auditors come through and ask what standard I use for
securing my systems I'd like to have something to tell them.
I've had a few suggestions like USGCB, etc. But looking at them they
all seem to start from the direction of "take a bloated, wide-open
Microsoft/Redhat default OS and do these things to make it 'secure' so
you can let several dozen users play around on it without fear."
A lot of the stuff on the list either doesn't apply to the device or would
slightly reduce its overall security (I think I'll keep my default
umask at 077, thanks...)
I'm hoping somebody here knows of a commonly used security
specification for bottom-up minimal systems so I can minimize the time
I have to waste explaining that it simply doesn't have a print server,
email server, cifs server, etc., (or even any way for any user to
obtain shell access without first being in possession of administrator-
level credentials) and that half to two-thirds of the checklist doesn't
even apply.
LMP
* Re: [gentoo-user] Decent single-user/embedded-device security standard
From: Adam Carter @ 2019-07-11 0:27 UTC
To: gentoo-user
On Thu, Jul 11, 2019 at 9:30 AM Laurence Perkins <lperkins@openeye.net>
wrote:
> When the security auditors come through and ask what standard I use for
> securing my systems I'd like to have something to tell them.
>
> I've had a few suggestions like USGCB, etc. But looking at them they
> all seem to start from the direction of "take a bloated, wide-open
> Microsoft/Redhat default OS and do these things to make it 'secure' so
> you can let several dozen users play around on it without fear."
>
> A lot of the stuff on the list doesn't apply to or would slightly
> reduce the overall security of the device (I think I'll keep my default
> umask at 077 thanks...)
>
>
You could still use USGCB (or whichever standard the auditors regard
highly) but then document the differences with a note explaining why. For
USGCB I'd add another column to the spreadsheet with options of
compliant / non compliant with mitigations / non compliant / not applicable, and
another column for notes. E.g. umask 077 would be compliant, and in the notes
column "stricter than required".
From their point of view they need to justify passing you, and USGCB states
"these recommendations do not address site-specific configuration issues.
Care must be taken when implementing these settings to address local
operational and policy concerns", so deltas are expected. Don't worry if it
seems like it's all deltas...
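A small deviation ledger that implements the extra-columns idea from the reply above, added here as an illustration and not code from anyone in the thread. The item ids, titles, and required values are hypothetical (they are not taken from the real USGCB checklist); the only benchmark-specific logic is the umask comparison, which treats a umask as compliant when it clears every permission bit the benchmark's umask clears, so a stricter local setting is recorded as "compliant" with the note "stricter than required" rather than as a delta.

```python
"""Deviation ledger for a hardening checklist (added example; item data is constructed)."""
import csv
import io
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The four states proposed in the reply, plus a free-text notes column.
COMPLIANT = "compliant"
MITIGATED = "non compliant with mitigations"
NONCOMPLIANT = "non compliant"
NA = "not applicable"


def exact(actual: str, required: str) -> bool:
    """Default comparison: the observed value must match the benchmark value."""
    return actual == required


def umask_at_least_as_strict(actual: str, required: str) -> bool:
    """A umask *clears* permission bits, so 'actual' is at least as strict as
    'required' when every bit the benchmark clears is also cleared locally."""
    a, r = int(actual, 8), int(required, 8)
    return (a & r) == r


@dataclass
class Item:
    item_id: str                # checklist row id (hypothetical numbering)
    title: str
    required: str               # value the benchmark asks for
    actual: Optional[str]       # observed on the device; None when the component is absent
    mitigation: str = ""        # compensating control, if the setting cannot be met as written
    compare: Callable[[str, str], bool] = exact


def classify(item: Item) -> Tuple[str, str]:
    """Return (status, note) for one checklist row."""
    if item.actual is None:
        return NA, "component is not installed on this build"
    if item.compare(item.actual, item.required):
        note = "as required" if item.actual == item.required else "stricter than required"
        return COMPLIANT, note
    if item.mitigation:
        return MITIGATED, item.mitigation
    return NONCOMPLIANT, f"required {item.required}, observed {item.actual}"


def build_ledger(items: List[Item]) -> List[Dict[str, str]]:
    """One row per checklist item, with the two extra columns filled in."""
    rows = []
    for item in items:
        status, note = classify(item)
        rows.append({"item_id": item.item_id, "title": item.title,
                     "status": status, "notes": note})
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Render the ledger as CSV so it can be pasted next to the benchmark spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["item_id", "title", "status", "notes"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample rows; the required values are placeholders, not benchmark text.
SAMPLE_ITEMS = [
    Item("X-1", "default umask", required="027", actual="077",
         compare=umask_at_least_as_strict),
    Item("X-2", "print server disabled", required="disabled", actual=None),
    Item("X-3", "login banner configured", required="present", actual="absent",
         mitigation="no interactive login path exists for non-administrators"),
    Item("X-4", "audit daemon running", required="yes", actual="no"),
]

if __name__ == "__main__":
    print(to_csv(build_ledger(SAMPLE_ITEMS)))
```

The "not applicable" branch keys off the component being absent rather than off a free-text excuse, which is the point of a minimal build: the row is closed because there is nothing to configure, not because the setting was skipped.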
* Re: [gentoo-user] Decent single-user/embedded-device security standard
From: Laurence Perkins @ 2019-07-11 18:48 UTC
To: gentoo-user@lists.gentoo.org
> You could still use USGCB (or whichever standard the auditors regard highly) but then document the differences with a
> note explaining why. For USGCB I'd add another column to the spreadsheet with options of compliant / non compliant with
> mitigations / non compliant / not applicable, and another column for notes. E.g. umask 077 would be compliant, and in the
> notes column "stricter than required".
>
> From their point of view they need to justify passing you, and USGCB states "these recommendations do not address
> site-specific configuration issues. Care must be taken when implementing these settings to address local operational
> and policy concerns", so deltas are expected. Don't worry if it seems like it's all deltas...
Yeah, that was the fallback option. I was just hoping there was something in reasonably common usage that wouldn't end up being 60% deltas and didn't look like it was compiled by a practitioner of voodoo instead of someone who actually understands how the system works.