Re: How to get 100% secure debian system?

2023-01-22 Thread Jonathan Hutchins
The only way to achieve 100% security is to totally disconnect the 
computer, including any power connection.  You are still vulnerable to 
physical attacks, so for total security destroy all of the components.


--
Jonathan



Re: What is the best free HIDS for Debian

2022-05-03 Thread Jonathan Hutchins
With that many errors from that many different programs, it strongly 
suggests that there is a problem with your filesystem, possibly an 
existing infection.


When testing for intrusion on a system that has been running with a live 
connection, it's necessary to test from an inviolate source, an ISO 
image that is known to be un-infected.  Obviously, this should not be 
created on an infected machine, which is a problem if you have limited 
resources.


Nevertheless, you can try building a live image and testing from that.

--
Jonathan

On 2022-05-03 07:18, Sylvain wrote:

Thank you for your responses!


Tripwire:
---------
- It throws a segfault error while scanning on one PC. No errors
mentioned in log files.
- On another machine tripwire worked fine for a long time but now I
have this error while scanning:
*** Fatal exception: basic_string::_M_create
*** Exiting...
run-parts: /etc/cron.daily/tripwire exited with return code 8


Aide:
-----
I have a segfault and this line in syslog: kernel: [ 1771.894150]
aide[7032]: segfault at 1c ip 7f7472672050 sp
7fffc95d5bf0 error 4 in libnss_systemd.so.2[7f7472671000+33000].
The system is up to date from backports. The segfault is solved if I
use the aide-dynamic package, but the scan takes too long...


Integrit:
---------
I have this error while initializing the DB: integrit (main): Error:
walk_file_tree: Permission denied
Support is simply a mailing list and I still don't have an answer
about this problem.


OSSEC:
------
There is no .deb for this software. The compilation ends with an error.
I've just contacted support.


OSSEC+:
-------
There's a problem during installation. I've just contacted support.



I'll test Wazuh.
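The point Jonathan makes above, that an integrity check is only worth anything when the baseline comes from a known-clean source and is compared from outside the suspect system, is easy to lose behind tool-specific errors. The script below is an added example, not code from this thread or from AIDE, Tripwire, Integrit or OSSEC: it does the core of what those tools do (a manifest of SHA-256 digest plus permission mode per regular file, then a diff of the live tree against that manifest, reporting MODIFIED, ADDED and REMOVED paths). It assumes GNU coreutils (sha256sum, stat -c), find and a POSIX awk; the tree it checks in demo() is constructed inside a temporary directory, not a real system.

```shell
#!/bin/sh
# Added example, not code from the thread or from any of the tools named in it.
# A minimal file-integrity check of the kind AIDE, Tripwire and Integrit do:
# record a baseline of SHA-256 digest + permission mode for every regular file
# under a tree, then compare the live tree against that baseline and report
# MODIFIED / ADDED / REMOVED paths. Assumes GNU coreutils (sha256sum, stat -c),
# find and a POSIX awk. As the post says, the baseline must come from a boot
# of known-clean media, and the manifest must be stored where the host cannot
# rewrite it (read-only media, another machine).

# make_baseline DIR  ->  lines of "<sha256> <octal mode> <path>"
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        mode=$(stat -c '%a' "$f")
        printf '%s %s %s\n' "$sum" "$mode" "$f"
    done
}

# verify_baseline MANIFEST DIR  ->  prints findings, returns 1 if any, else 0.
# The path is everything after the second space, so paths with spaces survive.
verify_baseline() {
    manifest=$1
    dir=$2
    current=$(mktemp)
    findings=$(mktemp)
    make_baseline "$dir" > "$current"
    awk '
        { key = $0; sub(/^[^ ]+ [^ ]+ /, "", key); v = $1 " " $2 }
        FILENAME == ARGV[1] { base[key] = v; next }   # first file: baseline
        { now[key] = v }                               # second file: live tree
        END {
            for (k in base) {
                if (!(k in now))            print "REMOVED " k
                else if (base[k] != now[k]) print "MODIFIED " k
            }
            for (k in now) if (!(k in base)) print "ADDED " k
        }' "$manifest" "$current" | LC_ALL=C sort > "$findings"
    cat "$findings"
    if [ -s "$findings" ]; then rc=1; else rc=0; fi
    rm -f "$current" "$findings"
    return $rc
}

# demo: builds a constructed tree (made-up contents, not a real system),
# baselines it, tampers with it four ways and prints the findings with the
# temporary root replaced by ROOT so the output is stable.
demo() {
    root=$(mktemp -d)
    manifest=$(mktemp)
    mkdir -p "$root/etc" "$root/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    printf '127.0.0.1 localhost\n' > "$root/etc/hosts"
    printf '#!/bin/sh\necho hello\n' > "$root/bin/hello"
    chmod 644 "$root/etc/passwd" "$root/etc/hosts"
    chmod 755 "$root/bin/hello"
    make_baseline "$root" > "$manifest"

    # Simulated tampering: appended account, mode-only change, dropped file,
    # deleted binary. A digest-only check would miss the chmod.
    printf 'evil:x:0:0::/:/bin/sh\n' >> "$root/etc/passwd"
    chmod 600 "$root/etc/hosts"
    printf 'backdoor\n' > "$root/bin/.hidden"
    rm -f "$root/bin/hello"

    verify_baseline "$manifest" "$root" | sed "s|$root|ROOT|"
    rm -rf "$root" "$manifest"
}

demo
```

Run from a live image against the suspect disk mounted read-only, with the manifest taken from the same clean boot before the machine was ever put on the network; a manifest generated on the running (possibly compromised) host only tells you what the attacker has changed since they got in.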




Re: GPG verification of apt packages

2021-01-27 Thread Jonathan Hutchins

If this were an actual problem thousands of people would be having it.

Trust the force.

--
Jonathan



Re: package for security advice

2020-03-07 Thread Jonathan Hutchins
I would suggest that the effort you're asking for is already going into 
Debian itself, and that together the maintainers deliver a system that 
is a reasonable compromise between security and convenience for a 
general use personal computer.  People who want to go beyond that and 
offer a public service really do need to be expected to learn the 
vulnerabilities and vectors that apply to the type of service they're 
running.


There is no blanket security policy that would be able to apply the 
correct security for every circumstance.  Believe me, you wouldn't enjoy 
running a fully PCI/DOC secured system as your daily driver.


--
Jonathan



Re: package for security advice

2020-03-07 Thread Jonathan Hutchins
The only way to achieve real security is through knowledge.  Pressing a 
shiny automated button is just going to implement what somebody else 
thinks is good for the system they assume you're running.  Find the 
security websites, podcasts, newsletters, books.  Learn what you really 
need to do for your actual case, not what somebody else thinks you 
should do.  Learn what is superstitious paranoia that will never even 
come close to a private personal system.


If you're going to run a public web server, mail server, or whatever, 
one run of a script is not going to keep you secure.  You need to know 
what the actual attack vectors can be, and need to be prepared for a 
threat that nobody's thought of yet.


Microsoft tells you all you have to do is click the little check box 
that turns on the security they've built and you're all safe.


Microsoft lies.

Read.

--
Jonathan



Re: Two HDD on Desktop PC

2019-08-04 Thread Jonathan Hutchins

On 2019-08-04 15:27, Richard Owlett wrote:

On 08/04/2019 02:55 PM, *MORON* GM1 wrote:

RTFM.


Could not be bothered giving useful reply


Seriously, reading the documentation is a necessary recommendation.  It 
would have been useful to suggest WHAT documentation.  I think the 
suggestion of encryption, probably with different passwords, is the way 
to go.  Any attempt to "turn off" the other drive could be overridden.


It's not clear what your actual goal is, whether it's security from 
malicious users or simple concern that one distro might "contaminate" 
the files on the other drive.  If it's the latter, your fears are 
misplaced; it's perfectly safe to have different distros, or even 
different OSs, access the files.  People often use a different distro to 
"rescue" a damaged system.



--
Jonathan



Re: Questions

2018-12-04 Thread Jonathan Hutchins

On 2018-12-03 05:10, Jérôme Bardot wrote:


Why is Debian not more hardened by default?



Debian's hardening is adequate for most users, who are typically behind 
some sort of protection such as a router/firewall.


If you actually need a hardened system, it's far better for you to do 
the hardening yourself to address the specific threats you feel 
vulnerable to.  That way you have a better understanding of what has 
been done, why, and how.  Unlike Windows, where users typically allow 
Microsoft to make all of the decisions for them, Linux in general and 
Debian specifically put user choice ahead of cookie-cutter solutions.


--
Jonathan



Re: What patches/packages to install for specific bugs.

2017-11-29 Thread Jonathan Hutchins
The kernel package versions can be difficult to sort out, but anything
more recent than the fix date/version will have the fix.  It is usually
applied to the current kernel version across all supported releases,
although testing and unstable can lag behind.

What I do is pretty common, aptitude update && aptitude full-upgrade.

When doing an in-release upgrade it's usually not necessary to do
"upgrade" first, then "full-upgrade" (equivalent to dist-upgrade).

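"Anything more recent than the fix version will have the fix" is a version comparison, and Debian version strings do not compare as plain strings (epochs such as 1:, Debian revisions, +deb9uN security suffixes, and ~ suffixes that sort before the release). The script below is an added example, not from this thread or from the Debian security team: it uses dpkg --compare-versions, which applies the policy ordering, to decide whether an installed version is at or past the fixed one. It requires dpkg; every version string in it is a made-up sample, not real advisory data, and the /proc/version parsing for the running kernel assumes the "Debian <version>" tag Debian kernels put there.

```shell
#!/bin/sh
# Added example, not code from the thread. It turns "anything more recent than
# the fix version has the fix" into a check: compare the installed package
# version with the fixed version the advisory names, using dpkg's own ordering
# (epochs, Debian revisions, "~" sorting before release). Requires dpkg;
# every version string below is a made-up sample, not real advisory data.

# has_fix INSTALLED FIXED  ->  0 if INSTALLED >= FIXED in dpkg order, else 1
has_fix() {
    dpkg --compare-versions "$1" ge "$2"
}

# installed_version PKG  ->  version of an installed package, empty if absent
installed_version() {
    dpkg-query -W -f '${Version}\n' "$1" 2>/dev/null
}

# running_kernel_version  ->  Debian package version of the *running* kernel,
# parsed from /proc/version ("... #1 SMP Debian 4.9.65-3 (2017-12-03)" on
# Debian kernels; empty elsewhere). Needed because an installed linux-image
# package only takes effect after a reboot: dpkg can report the fixed version
# while the kernel actually running is still the old one.
running_kernel_version() {
    sed -n 's/.*Debian \([^ )]*\).*/\1/p' /proc/version 2>/dev/null
}

# check_table  <<EOF : one "package installed fixed" triple per line on stdin;
# prints a verdict per line and returns the number of vulnerable entries.
check_table() {
    n=0
    while read -r pkg installed fixed; do
        [ -n "$pkg" ] || continue
        if has_fix "$installed" "$fixed"; then
            printf 'ok          %-26s %s >= %s\n' "$pkg" "$installed" "$fixed"
        else
            printf 'VULNERABLE  %-26s %s <  %s\n' "$pkg" "$installed" "$fixed"
            n=$((n + 1))
        fi
    done
    return $n
}

# check_installed PKG FIXED  ->  same verdict for a package actually installed
# on this host (reads the real dpkg database); status 2 if not installed.
check_installed() {
    v=$(installed_version "$1")
    [ -n "$v" ] || { printf 'not installed  %s\n' "$1"; return 2; }
    printf '%s %s %s\n' "$1" "$v" "$2" | check_table
}

# Constructed sample table (made-up versions). The cases exercise the rules
# that naive string comparison gets wrong: a +deb9uN stable update, an epoch,
# and a ~rc pre-release that is older than the plain release.
sample_report() {
    check_table <<'EOF'
linux-image-4.9.0-4-amd64    4.9.65-3                      4.9.51-1
linux-image-4.9.0-4-amd64    4.9.30-2+deb9u5               4.9.65-3
openssl                      1:1.1.0f-3                    1.1.0f-5
bind9                        1:9.10.3.dfsg.P4-12.3+deb9u4  1:9.10.3.dfsg.P4-12.3+deb9u5
linux-image-amd64            4.19.0~rc3-1                  4.19.0-1
EOF
}

sample_report || printf 'vulnerable entries: %s\n' "$?"
```

For a kernel advisory, check both: check_installed against the linux-image package tells you the upgrade landed, and running_kernel_version compared with has_fix tells you whether the machine has actually been rebooted onto it. The sample table flags three of the five entries; the openssl line passes only because of the epoch, which is exactly the case a "newer-looking string" check gets backwards.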


Re: Some Debian package upgrades are corrupting rsync "quick check" backups

2017-01-28 Thread Jonathan Hutchins
Does it occur to you that the reason for having a "testing" release is
precisely so that problems like this can be found and fixed, and that this
is why it's not smart to run testing on essential production machines?



Re: Security features in the upcoming release (Stretch)

2016-09-23 Thread Jonathan Hutchins
It is difficult for me to rationalize a serious concern for "security"
with the idea that one should lie back and expect the packaging team to
take care of it all for you.  If you are concerned with security, you
should be actively configuring security features yourself, not expecting
that someone else has the same priorities that you do.