[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Old question: what is SUSE going to do with harden_suse / Bastille

> Hi, 
> Am Samstag, 25. Oktober 2003 02:04 schrieb Bo Jacobsen:
> > The standard SuSE installation is much to open. 
> I agree upon that. But instead of hardening the system _after_ it has 
> already been set up, I'd prefer a clean install that's not "too open". 
> Maybe SuSE can introduce an install option such as "secure system" or 
> something similar. 
> If only that fsck'ing portmapper wouldn't be run by default. That is the 
> same ...stuff like MS Windows with RPC bound to anything looking like 
> an interface -- remember W32/Blaster? Each time I set up a SuSE, I get 
> angry about that idiocy. 
> Best wishes, 
> Lutz 
I agree 100%. They need an install option named firewall, or some thing like that, that 
leaves out ANY stuff that should not run on a firewall. I actually find it a little strange 
that they have not implemented that a long time ago, since security has been a hot topic 
for a long time now.

One of the advantages of being able to run a separate script like hardensuse, is that if something 
will not run, it can be difficult to figure out if it's a problem with the tightened security, or 
if it's something else. I have had some problems in the past, where something would not run after 
executing hardenSuSE, but I knew it had something to do with the things the script did, so I just 
had to run hardensuse step-by-step to find out what system changes caused the problem.

Another advantage was that I could run hardensuse on systems that was used as normal file,
print and email servers. I just had to NOT select the security options that I new would disrupt
the programs running on the server, or I could just make changes afterwoods, to the specific programs.

However implemented, it would be a lot better then the situation we have today where there
is s no official, and simple, way to upgrade the security of a SuSE host.
The normal SuSE installation even have world-read permission on all files in /root  !!!. I find that more then a little open.

Actually, SuSE's lack of priority on basic system secutity tools, has forced me to start looking at other
systems like FreeBSD etc.


Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here