Hi all,

For openscap, you can also check these pages:
https://wiki.debian.org/SCAPGuide
https://wiki.debian.org/UsingSCAP

Cheers,

On 5 December 2018 00:32:49 GMT+01:00, "Bardot Jérôme" <bardot.jer...@gmail.com> wrote:
> On 04/12/2018 at 21:32, Ruslanas Gžibovskis wrote:
>> Hi all,
>>
>> Jerome, I would say that most 'users' will go to the pop choice, like only
>> some hardcore lovers would listen to "Tsjuder" but most of the people
>> would go with "Lady Gaga". Same here, if you do not want to learn, you
>> use *buntu or any "*" made of it, else if you wanna learn and use a stable
>> and updated distro you will go with Debian.
>
> Looks like a good black metal band :D
>
>> I would still agree that it would be nice to have some package which
>> would do some hardening settings. BUT, please note, that it might give
>> a false confidence. Why?! Because once hardening is done, you believe
>> that it is safe, but at any moment by accident your perm tuning might
>> change. Your hardened setup might not run some app correctly AND then a
>> tired user will do "chmod 7777 -R /" and the package will still remain.
>>
> I’m aware of this trouble. My biggest trouble comes from the fact that some
> hardening can break some setups. And the more upstream it is, the fewer problems
> there will be and the easier it is to maintain (aka more people, not just
> me). One of my other concerns is about knowledge and managing admin,
> maintainer and dev resources; maybe I’m wrong but it looks like there are
> fewer and fewer people who can do some needed tasks (package & maintain, code
> in C, etc.)
>
>> So if you want to ensure hardening is set and exists, make a puppet
>> profile! Run puppet all the time! And before running the puppet check,
>> have an OpenSCAP test to check compliance. It has very nice compliance
>> checks for different standards! Try it!
>
> I will try openscap. As said before, I also set up an OpenVAS, if it wants
> to work. And for puppet, I think I will prefer ansible instead of
> puppet ;) I will check if already existing recipes are security aware.
>
> Thx
>
>
>> On Tue, 4 Dec 2018, 20:31 Jérôme Bardot <bardot.jer...@gmail.com> wrote:
>>
>> Agree that some hardening is only useful in certain use cases. But
>> some of it should be set as default I guess, because it is useful
>> for most of the cases, and the cases not included require skills, and
>> this skill includes changing an option in some conf file that is not
>> opened every day. Maybe I’m wrong. I think about kernel conf for example. And/or maybe
>> provide a way to choose some preset conf, maybe in a package.
>>
>> Without any troll, there are more and more non-ready users on GNU/Linux
>> and Debian; they can’t make real choices, do they really want to? I
>> agree it’s bad. But we don’t offer a real way to help users
>> understand. Maybe gnome now has some pretty first-start tutorial? I
>> don’t use it.
>>
>> What threats I want to be protected against:
>> - hardware & physical attack
>> - network attack (including vulnerable world-open app)
>> - compromised user attack
>>
>> What I want to protect: multi-purpose server and laptop.
>>
>>
>> And by the way I love doing this kind of stuff. It’s like a problem to
>> solve. And the more automated it can be, the better it is (for each use case
>> ofc) :)
>> Why automation instead of just making a snapshot? Because it (my
>> point of view) also permits testing the setup steps and keeping the doc up
>> to date.
>>
>> Sry for my really bad english. I need to sleep.
>> Thx for all your messages.
>>
>> J.
>> On Tue, 4 Dec 2018 at 19:44, Jonathan Hutchins <hutch...@tarcanfel.org> wrote:
>> >
>> > On 2018-12-03 05:10, Jérôme Bardot wrote:
>> >
>> > > Why is Debian not more hardened by default?
>> >
>> >
>> > Debian's hardening is adequate for most users, who are typically behind
>> > some sort of protection such as a router/firewall.
>> >
>> > If you actually need a hardened system, it's far better for you to do
>> > the hardening yourself to address the specific threats you feel
>> > vulnerable to. That way you have a better understanding of what has
>> > been done, why, and how. Unlike Windows, where users typically allow
>> > Microsoft to make all of the decisions for them, Linux in general and
>> > Debian specifically put user choice ahead of cookie-cutter solutions.
>> >
>> > --
>> > Jonathan

--
 O     Philippe Thierry.
/Y\/   GPG: 7010 9a3c e210 763e 6341 4581 c257 b91b cdaf c1ea
o#o
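The thread's practical suggestion is to keep hardening enforced with a configuration-management run and to verify compliance with an OpenSCAP check, precisely so that a careless "chmod -R" does not silently undo the work. The following is an added illustration of that drift-detection idea, not code from any poster in this thread, nor OpenSCAP's or puppet's own logic: a declared baseline of file modes is compared against the live filesystem and every deviation is reported. It runs entirely in a throwaway temporary directory; the baseline paths and modes are constructed for the example, and a real baseline would come from whatever hardening profile you actually apply.

```python
"""Minimal permission-drift check in the spirit of the OpenSCAP/puppet
suggestion in the thread. Everything happens inside a temporary directory,
so it never touches the real /etc."""
import os
import stat
import tempfile

# Baseline: relative path -> expected permission bits.
# Constructed for this example; a real baseline would be derived from the
# hardening profile you actually apply (e.g. an OpenSCAP/SCAP content profile).
BASELINE = {
    "etc/shadow": 0o640,
    "etc/ssh/sshd_config": 0o600,
    "etc/crontab": 0o644,
}


def build_sandbox() -> str:
    """Create a throwaway tree whose files already match the baseline."""
    root = tempfile.mkdtemp(prefix="harden-demo-")
    for rel, mode in BASELINE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)  # chmod sets the exact mode regardless of umask
    return root


def check_drift(root: str, baseline=BASELINE) -> list:
    """Return (path, expected, actual) tuples for every baseline entry whose
    live mode differs. A missing file is reported with actual='missing',
    because a deleted hardened file is drift too."""
    findings = []
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        try:
            actual = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings.append((rel, f"{expected:04o}", "missing"))
            continue
        if actual != expected:
            findings.append((rel, f"{expected:04o}", f"{actual:04o}"))
    return findings


def simulate_careless_chmod(root: str, mode: int = 0o777) -> None:
    """Stand-in for the tired admin's recursive chmod from the thread:
    loosen every regular file under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), mode)


def demo() -> tuple:
    """Run the whole scenario and return (findings before, findings after)."""
    root = build_sandbox()
    before = len(check_drift(root))
    simulate_careless_chmod(root)
    after = len(check_drift(root))
    return before, after


if __name__ == "__main__":
    sandbox = build_sandbox()
    print("clean baseline, findings:", check_drift(sandbox))
    simulate_careless_chmod(sandbox)
    for rel, expected, actual in check_drift(sandbox):
        print(f"DRIFT {rel}: expected {expected}, found {actual}")
```

Run it from a cron job or as a pre-step before the configuration-management run, exactly as the thread proposes: a non-empty finding list is the signal that the hardened state has drifted and needs to be re-applied, rather than something a package's presence would ever tell you.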