[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Old question: what is SUSE going to do with harden_suse / Bastille



> Hi, 
> 
> Am Samstag, 25. Oktober 2003 02:04 schrieb Bo Jacobsen:
> > The standard SuSE installation is much to open. 
> 
> I agree upon that. But instead of hardening the system _after_ it has 
> already been set up, I'd prefer a clean install that's not "too open". 
> Maybe SuSE can introduce an install option such as "secure system" or 
> something similar. 
> 
> If only that fsck'ing portmapper wouldn't be run by default. That is the 
> same ...stuff like MS Windows with RPC bound to anything looking like 
> an interface -- remember W32/Blaster? Each time I set up a SuSE, I get 
> angry about that idiocy. 
> 
> Best wishes, 
> Lutz 
> 
 
 
I agree 100%. They need an install option named firewall, or some thing like that, that 
leaves out ANY stuff that should not run on a firewall. I actually find it a little strange 
that they have not implemented that a long time ago, since security has been a hot topic 
for a long time now.

One of the advantages of being able to run a separate script like hardensuse, is that if something 
will not run, it can be difficult to figure out if it's a problem with the tightened security, or 
if it's something else. I have had some problems in the past, where something would not run after 
executing hardenSuSE, but I knew it had something to do with the things the script did, so I just 
had to run hardensuse step-by-step to find out what system changes caused the problem.

Another advantage was that I could run hardensuse on systems that was used as normal file,
print and email servers. I just had to NOT select the security options that I new would disrupt
the programs running on the server, or I could just make changes afterwoods, to the specific programs.

However implemented, it would be a lot better then the situation we have today where there
is s no official, and simple, way to upgrade the security of a SuSE host.
The normal SuSE installation even have world-read permission on all files in /root  !!!. I find that more then a little open.

Actually, SuSE's lack of priority on basic system secutity tools, has forced me to start looking at other
systems like FreeBSD etc.

Bo


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here