|
|
Home | Switchboard | Unix Administration | Red Hat | TCP/IP Networks | Neoliberalism | Toxic Managers |
| (slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix | |||||||
| 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003_and_earlier |
Debian Hardened Aims For Security
Itch scratching, and audit (Score:3, Interesting)
by RedPhoenix (124662) on Tuesday September 14, @09:15PM (#10251879)At the risk of the post sounding like a discussion at a head-lice convention, everyone has their own personal itch to scratch.
Several posts thus far, have questioned the viability of establishing yet another secure-debian project, similar to other existing projects, and have indicated that there would be a better use of available resources if everyone would just get along and work together (or at least, form under a single project). Fair enough.
However, there are a whole range of reasons why diversity and natural selection w.r.t many competing projects can provide benefits over and above a single large project - organisational inertia, effective and efficient communication, and development priority differences, for example.
'Organisational inertia' in particular, whereby the larger a organisation/project gets, the slower it can react to changing requirements, is a good reason why this effort-amalgamation can potentially be a bad thing.
Each of these projects probably has a slightly different 'itch' to 'scratch'. There's no reason why, later on down the track, that the best elements of each of these projects cannot be merged into something cohesive.
A good example is the current situation in Linux Auditing (as in C2/CAPP style auditing and event logging, not code verification) and host-based audit-related intrusion detection. Over time, we've had Snare (http://www.intersectalliance.com), SLES (http://www.suse.com), and Riks Audit Daemon (http://www.redhat.com). Each project had a slightly different focus, and each development team have come up with some great solutions to the problems of auditing / event logging.
The developers of each of these projects are now communicating and collaborating, with a view to bringing a effective audit subsystem to Linux that incorporates the best ideas from each approach.
BTW: How about auditing in this project? Here's a starting point:
http://www.gweep.net/~malk/snare_debian.shtml
Red. (Snare Developer)
[Jan 27, 2005] Sys Admin Magazine/Tools to Help Harden Solaris™ by Kristy Westphal
There are several checklists on the Internet to help you lock down an out-of-the-box installation of Solaris. But, if you have followed any of them, you know how time consuming they can be, especially for a large enterprise. The Solaris community, however, is in luck when it comes to system hardening because a few forward-thinking Sun engineers have built some tools that can help to automate this procedure. In this article, I will discuss two such tools, TITAN and JASS.
... ... ...
A Comparison between TITAN and JASS
The experiment of seeing the differences between JASS and TITAN was very surprising. The first surprise was that the out-of-the-box, vanilla Solaris 8 installation passed several tests that I didn’t expect it to. Tests such as NFS running on privileged TCP and UDP ports, some default file permissions being set correctly (e.g., root owning /sbin, /etc not world writable), root cannot log in directly except on the console, and several default users were found in the ftpusers file. However, the issues that needed to be addressed far outweighed the default checks that passed the TITAN audit.
After running the JASS tool on an already installed machine, I re-ran the TitanReport script to see what had been done and what had been left open. JASS left open a few things that TITAN did not, such as:
- not configuring kernel auditing, (questionable idea unless you have too much disk space or very strict security requrements - nnb ;-)
- not locking down X access,
- setting strong default password strength in /etc/default/passwd,
- setting login defaults, not disabling sendmail,
- not adding all system users to ftpusers (like audit and news),
- and not setting a banner for telnet.
To see how TITAN stacks up, I ran it with the following:
<install dir>/Titan -fThe -f parameter is for “fix”.
Once TITAN was done fixing the system, I ran the TitanReport function again. There were only a handful of issues that TITAN could not fix because some of them still needed to be addressed outside of the environment (e.g., setting up a remote loghost and installing smrsh (sendmail restricted shell)) at the discretion of the sys admin. Some of the checks that failed will have to be investigated further to determine whether they are just not applicable to the system or if they just need to be manually fixed.
For instance, the last run of TitanReport claimed that the system did not pass the first check of XDMCP. Upon further investigation, it appears that although the system failed check one, it passed check two and is sufficiently secured. (Note that XDMCP (X Display Manager Control Protocol Description) looks for remote connections allowable through Xaccess.)
[Jan 23, 2004] freshmeat.net Project details for Tiger security tool -- attempt to reanimate Tiger
TIGER is a set of Bourne shell scripts, C programs, and data files which are used to perform a security audit of Unix systems. The security audit results are useful both for system analysis (security auditing) and for real-time, host-based intrusion detection.
freshmeat.net Project details for Slackware Administrators Security Toolkit
SAStk (Slackware Administrators Security tool kit) aims to provide a set of tools and utilities to install and maintain a reasonable level of security for the Slackware GNU/Linux distribution. At the same time, it should ease administration with a new centralized initialization setup and background information on what the daemons do.
[Jan 12th 2004] ThePacketMaster 1.2.0 by thepacketmaster
About: ThePacketMaster Linux Security Server is a CD-based security auditing tool that boots and runs penetration testing and forensic analysis tools. It is handy for security auditors. Some tools included are nessus, ethereal, The Coroner's Toolkit, chntpw, and minicom. It includes modules for any Linux 2.4.20 SCSI driver.
Changes: This release updates the kernel to 2.4.24 to address issues found in 2.4.23 and earlier. It adds new packages for forensic analysis and vulnerability testing. /usr is now in a cloop filesystem for a smaller ISO image. XFree86 is now included, as well as the Enlightenment window manager, the Mozilla Web browser, and Java.
Society
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
Quotes
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
Classic books:
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|
|
You can use PayPal to to buy a cup of coffee for authors of this site |
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.
Last modified: March 12, 2019
