Questions

Questions

Bardot Jérôme
Hello, I am trying to harden my Debian server.

I use yasat to perform some «stupid» checks.

# yasat -f

In the "Check system rights Debian" section I get some WARNING and BAD statuses.

First:
331 files have invalid others rights in /boot                  [ WARNING ]  Do a chmod o-rxw name_of_the_file
Right of /boot: 755                                                     [ BAD ]

I use a fully encrypted LVM «hard drive» (except /boot, which is ext2; I haven't
tried the grub2 full-encryption beta option).
I understand the security implications of wrong rights. Is there a real
risk with wrong rights on /boot? Why are they not set by default; does it prevent
some things from working?

Pretty much the same question for the other rights warnings:
/etc/shadow is not 600 root root                                 [ WARNING ]
/etc/gshadow is not 400 root root                                [ WARNING ]

and for a bunch of cron files:

8 files have invalid others rights in /etc/cron.d              [ WARNING ]  Do a chmod o-rxw name_of_the_file
Right of /etc/cron.d: 755                                      [ BAD ]

Same for hourly/daily/weekly/monthly.

And for services like:
Checking /etc/apache2                                            [ INFO ]
170 files have invalid others rights in /etc/apache2    [ WARNING ]
Do a chmod o-rxw name_of_the_file
Right of /etc/apache2: 755                                     [ BAD ]

Checking /etc/mysql                                              [ INFO ]
12 files have invalid others rights in /etc/mysql              [ WARNING ]  Do a chmod o-rxw name_of_the_file
Right of /etc/mysql: 755                                       [ BAD ]

/etc/sysctl.conf is not 640 root root                           [ WARNING ]
/etc/logrotate.conf is not 640 root root                       [ WARNING ]
/etc/crontab is not 640 root root                                [ WARNING ]

/var/log/faillog is not 600 root root                            [ WARNING ]
/var/log/mysql is not 750 mysql mysql                            [ WARNING ]

  Checking /var/lib/mysql                                          [ INFO ]
    2 files have invalid others rights in /var/lib/mysql           [ WARNING ]  Do a chmod o-rxw name_of_the_file
    Right of /var/lib/mysql: 755                                   [ BAD ]
  Bad owner /var/lib/mysql (must be mysql)                         [ WARNING ]
    /var/lib/mysql/debian-10.1.flag                                [ root ]
    /var/lib/mysql/mysql_upgrade_info                              [ root ]
  Bad group /var/lib/mysql (must be mysql)                         [ WARNING ]
    /var/lib/mysql/debian-10.1.flag                                [ root ]
    /var/lib/mysql/mysql                                           [ root ]
    /var/lib/mysql/mysql_upgrade_info                              [ root ]


I want to understand all of these «warnings».
If they are false positives, maybe this part should be updated because
it's Debian related?

Thx.
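To re-check the two kinds of finding quoted above without depending on yasat, here is an added POSIX shell audit (my own example, not yasat's code nor anything from the thread): it lists files whose "others" bits grant anything, compares a path's exact mode/owner/group, and applies the suggested `chmod o-rxw` only to the flagged files. It builds a constructed temporary tree standing in for /etc/cron.d so it runs as an unprivileged user; all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not yasat's code: re-implements the two checks quoted in the
# thread so the warnings can be confirmed before and after a chmod.
# Assumes GNU coreutils stat/find as shipped on Debian.

# List regular files under DIR with any "others" bit set (mode & 007 != 0).
# This is what yasat counts as "files have invalid others rights".
others_rights() {
    find "$1" -type f -perm /007 2>/dev/null | sort
}

# Number of such files (the "331 files ..." / "8 files ..." figure).
count_others_rights() {
    others_rights "$1" | wc -l | tr -d ' '
}

# Compare PATH against the expected octal MODE, OWNER and GROUP, mirroring
# yasat's "/etc/shadow is not 600 root root [ WARNING ]" line.
# Exit status: 0 = matches, 1 = differs, 2 = path unreadable.
check_mode_owner() {
    path=$1
    want="$2 $3 $4"
    actual=$(stat -c '%a %U %G' "$path" 2>/dev/null) || return 2
    if [ "$actual" = "$want" ]; then
        echo "$path is $actual                        [ OK ]"
        return 0
    fi
    echo "$path is $actual, not $want                 [ WARNING ]"
    return 1
}

# The remediation the scanner suggests ("Do a chmod o-rxw name_of_the_file"),
# applied only to the files the audit flagged, never recursively to a whole tree.
fix_others_rights() {
    others_rights "$1" | while IFS= read -r f; do
        chmod o-rwx "$f"
    done
}

# Constructed sample tree standing in for /etc/cron.d: one 644 job file
# (flagged, as on a stock Debian install) and one already restricted to 640.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/cron.d"
    : > "$d/cron.d/backup";  chmod 644 "$d/cron.d/backup"
    : > "$d/cron.d/rotate";  chmod 640 "$d/cron.d/rotate"
    printf '%s\n' "$d"
}

# Stand-alone run: audit, remediate, audit again, then clean up.
run_demo() {
    t=$(demo_tree) || return 1
    echo "before: $(count_others_rights "$t") file(s) with others rights in $t/cron.d"
    check_mode_owner "$t/cron.d/backup" 640 root root
    fix_others_rights "$t"
    echo "after:  $(count_others_rights "$t") file(s) with others rights in $t/cron.d"
    rm -rf "$t"
}
run_demo
```

Point `others_rights` and `check_mode_owner` at the real paths from the report (e.g. `/etc/cron.d`, or `/etc/shadow 640 root shadow`) to see which of the warnings reflect the stock Debian permissions qmi describes below.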


Re: Questions

qmi
Hi

On Fri, Nov 16, 2018 at 04:31:39PM +0100, Jérôme Bardot wrote:
> Hello i try to harden my debian server.
You are welcome to do so.

> I want do understand all of this «warning».
> If they are false positive maybe this part should be update because
> it’s debian related ?
On Debian, by default, files and directories have 644 or 755 perms
unless in special cases (e.g. shadow has 640, /root has 740).
See the relevant section of the Debian Policy at
https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners.
By default the Debian OS is not hardened. However, your mileage may
vary, so you are welcome to harden your Debian OS if you are concerned
about security or you simply would like to apply a more stringent security
policy. In addition to making sure you apply the latest security updates from
security.debian.org in your APT settings (i.e. /etc/apt/sources.list), you can
harden your OS by using one or a combination of the following methods:

1- Set up a HIDS (OSSEC)
2- Install a file/directory integrity checker (e.g. Tripwire)
3- Run remote vulnerability scans (e.g. OpenVAS, Nessus)

See
https://www.debian.org/doc/manuals/securing-debian-howto/ch10.en.html#s-intrusion-detect.

Regards,
--
qmi | Debian GNU/Linux enthusiast
WWW: www.miklos.info
GPG: 3C4B 1364 A379 7366 7FED  260A 2208 F2CE 3FCE A0D3


Re: Debian hardening (was: Questions)

Michiel Klaver-2

qmi wrote at 2018-11-28 22:17:
> Hi
>
> On Fri, Nov 16, 2018 at 04:31:39PM +0100, Jérôme Bardot wrote:
>> Hello i try to harden my debian server.
> You are welcome to do so.
>

Some people already did, and wrote a free best-practice benchmark guide:
https://www.cisecurity.org/benchmark/debian_linux/


Re: Debian hardening (was: Questions)

Bardot Jérôme
This website is not GDPR compliant… The law does not allow collecting any
personal data for a free download.
On Thu, 29 Nov 2018 at 10:04, Michiel Klaver <[hidden email]> wrote:

>
>
> qmi wrote at 2018-11-28 22:17:
> > Hi
> >
> > On Fri, Nov 16, 2018 at 04:31:39PM +0100, Jérôme Bardot wrote:
> >> Hello i try to harden my debian server.
> > You are welcome to do so.
> >
>
> Some people already did, and wrote a free best-practice benchmark guide:
> https://www.cisecurity.org/benchmark/debian_linux/
>


Re: Questions

Bardot Jérôme
In reply to this post by qmi
Thx,
Why is Debian not more hardened by default?
I tried to set up OpenVAS but it looks like there is more to do than an
apt; I will look deeper when I have the time.
On Wed, 28 Nov 2018 at 22:26, qmi <[hidden email]> wrote:

>
> Hi
>
> On Fri, Nov 16, 2018 at 04:31:39PM +0100, Jérôme Bardot wrote:
> > Hello i try to harden my debian server.
> You are welcome to do so.
>
> > I want do understand all of this «warning».
> > If they are false positive maybe this part should be update because
> > it’s debian related ?
> On Debian by default the files and directories have 644 or 755 perms
> unless special cases (i.e. shadow has 640, /root has 740).
> See the relevant section of the Debian Policy at
> https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners.
> By default the Debian OS is not hardened. However, your mileage may
> vary, so you are welcome to harden your Debian OS if you are concerned
> about security or you simply would like to apply a more stringent security
> policy. In addition to making sure you apply the latest security updates from
> security.debian.org in your APT settings (i.e. /etc/apt/sources.list), you can
> harden the your OS by using one or the combination of the following methods:
>
> 1- Set up HIDS (OSSEC)
> 2- Install file/directory integrity checker (i.e. Tripwire)
> 3- Run remote vulnerability scans (i.e. Openvas, Nessus)
>
> See
> https://www.debian.org/doc/manuals/securing-debian-howto/ch10.en.html#s-intrusion-detect
> .
>
> Regards,
> --
> qmi | Debian GNU/Linux enthusiast
> WWW: www.miklos.info
> GPG: 3C4B 1364 A379 7366 7FED  260A 2208 F2CE 3FCE A0D3
>


Re: Questions

Paul Wise via nm

Re: Questions

Jonathan Hutchins-2
In reply to this post by Bardot Jérôme
On 2018-12-03 05:10, Jérôme Bardot wrote:

> Why debian is not more harden by default ?


Debian's hardening is adequate for most users, who are typically behind
some sort of protection such as a router/firewall.

If you actually need a hardened system, it's far better for you to do
the hardening yourself to address the specific threats you feel
vulnerable to.  That way you have a better understanding of what has
been done, why, and how.  Unlike Windows, where users typically allow
Microsoft to make all of the decisions for them, Linux in general and
Debian specifically put user choice ahead of cookie-cutter solutions.

--
Jonathan


Re: Questions

Bardot Jérôme
I agree that some hardening is only useful in certain use cases. But
some of it should be set as default, I guess, because it is useful
in most cases, and the cases not covered require skills, and those
skills include changing an option in some config file that is not opened
every day. Maybe I'm wrong. I think about kernel config, for example. And/or maybe
provide a way to choose some preset config, maybe in a package.

Without any trolling: there are more and more non-ready users on GNU/Linux
and Debian; they can't make real choices, and do they really want to? I
agree it's bad. But we don't offer a real way to help users
understand. Maybe GNOME now has some pretty first-start tutorial? I
don't use it.

What threats I want to be protected against:
- hardware & physical attack
- network attack (including vulnerable world-open apps)
- compromised user attack

What I want to protect: multi-purpose server and laptop.


And by the way, I love doing this kind of stuff. It's like a problem to
solve. And the more automated it can be, the better it is (for each use case,
ofc) :)
Why automation instead of just making a snapshot? Because (from my
point of view) it also permits testing the setup steps and keeping the doc up
to date.

Sorry for my really bad English. I need to sleep.
Thx for all your messages.

J.
On Tue, 4 Dec 2018 at 19:44, Jonathan Hutchins
<[hidden email]> wrote:

>
> On 2018-12-03 05:10, Jérôme Bardot wrote:
>
> > Why debian is not more harden by default ?
>
>
> Debian's hardening is adequate for most users, who are typically behind
> some sort of protection such as a router/firewall.
>
> If you actually need a hardened system, it's far better for you to do
> the hardening yourself to address the specific threats you feel
> vulnerable to.  That way you have a better understanding of what has
> been done, why, and how.  Unlike Windows, where users typically allow
> Microsoft to make all of the decisions for them, Linux in general and
> Debian specifically put user choice ahead of cookie-cutter solutions.
>
> --
> Jonathan


Re: Questions

SZÉPE Viktor
Quoting Jérôme Bardot <[hidden email]>:

> Agree about some hardening only are usefull in certain use case. But
> some of them should be set as default i guess because they are usefull
> for most of the case and case not include require skills and in this
> skill are include change an option in some not all the day open conf
> file. Maybe i’m wrong. I think about kernel conf for ie. And or maybe
> provide a way to choose some preset conf maybe in package.

You can also try https://github.com/CISOfy/lynis



SZÉPE Viktor, website operation / Running your application
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
hotline: +36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. district


Re: Questions

Ruslanas Gžibovskis-2
In reply to this post by Bardot Jérôme
Hi all,

Jerome, I would say that most 'users' will go for the pop choice; only some hardcore lovers would listen to "Tsjuder", but most people would go with "Lady Gaga". Same here: if you do not want to learn, you use *buntu or anything "*" made of it; else, if you want to learn and use a stable and updated distro, you will go with Debian.

I would still agree that it would be nice to have some package which would apply some hardening settings. BUT, please note that it might give false confidence. Why?! Because once hardening is done, you believe that it is safe, but at any moment, by accident, your permission tuning might change. Your hardened setup might not run some app correctly, AND then a tired user will do "chmod 7777 -R /" and the package will still remain.

So if you want to ensure hardening is set and still exists, make a puppet profile! Run puppet all the time! And before running the puppet check, have an OpenSCAP test to check compliance. It has very nice compliance checks for different standards! Try it!

On Tue, 4 Dec 2018, 20:31 Jérôme Bardot <[hidden email]> wrote:


Re: Questions

Ruslanas Gžibovskis-2
In reply to this post by Paul Wise via nm
Paul Wise, what help is needed? I would like to commit, but not sure how, never done that, but would LOVE TO! Could you guide?

On Tue, 4 Dec 2018, 02:46 Paul Wise <[hidden email]> wrote:
On Mon, Dec 3, 2018 at 7:10 PM Jérôme Bardot wrote:

> Why debian is not more harden by default ?

We need more people who are interested in working on this topic, some
links for anyone who is interested in contributing:

https://security-tracker.debian.org/tracker/data/report
https://www.debian.org/security/audit/
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
https://www.debian.org/security/
https://wiki.debian.org/Hardening
https://wiki.debian.org/Hardening/Daemons
https://wiki.debian.org/Hardening/RepoAndImages
https://wiki.debian.org/Hardening/Goals

--
bye,
pabs

https://wiki.debian.org/PaulWise


Re: Questions

Bardot Jérôme
Me too.

On 04/12/2018 at 21:34, Ruslanas Gžibovskis wrote:
> Paul Wise, what help is needed? I would like to commit, but not sure how, never done that, but would LOVE TO! Could you guide?

Re: Questions

Bardot Jérôme
In reply to this post by Ruslanas Gžibovskis-2
On 04/12/2018 at 21:32, Ruslanas Gžibovskis wrote:
> Hi all,
>
> Jerome, I would say that most 'users' will go to pop choice, like only some hardcore lovers would listen to "Tsjuder" but most of the people would go with "Lady Gaga". Same here, if you do not want to learn, you use *buntu or any "*" made of, else if you wanna learn and use stable and updated distro you will go with Debian.

Looks like a good black metal band :D


> I would still agree that would be nice to have some package which would do some hardening settings. BUT, please note, that it might give a false confidence. Why?! Because once hardening done, you believe that it is safe, but any moment by accident your perm tuning might change. Your hardend setup might not run correctly some app AND then tired user will do "chmod 7777 -R /" and a package will still remain.

I'm aware of this trouble. My main trouble comes from the fact that some hardening can break some setups. And the more upstream it is, the fewer problems there will be and the easier it is to maintain (aka more people, not just me). One of my other concerns is about knowledge and managing admin, maintainer and dev resources; maybe I'm wrong, but it looks like there are fewer and fewer people who can do some needed tasks (packaging & maintaining, coding in C, etc.)

> So if you want to ensure hardening is set and exist, make puppet profile! Run puppet all the time! And before running puppet check, have OpenSCAP test to check compliance. It has very nice compliance checks for different standards! Try it!

I will try OpenSCAP. As said before, I also set up an OpenVAS, if it wants to work. And for puppet, I think I will prefer ansible instead of puppet ;) I will check if already existing recipes are security aware.

Thx


Re: Questions

Paul Wise via nm
In reply to this post by Ruslanas Gžibovskis-2
On Tue, 2018-12-04 at 21:34 +0100, Ruslanas Gžibovskis wrote:

> Paul Wise, what help is needed? I would like to commit, but not sure
> how, never done that, but would LOVE TO! Could you guide?

Check the pages I mentioned and look through each of them, there should
be enough documentation there for you to figure it out. Feel free to
ask any questions if something isn't clear.

If you're looking for info about using git, check out the docs:

https://git-scm.com/doc

Which area would you like to work on?

--
bye,
pabs

https://wiki.debian.org/PaulWise


Re: Questions

Philippe Thierry
In reply to this post by Bardot Jérôme
Hi all,

For openscap, you can also check these pages:
https://wiki.debian.org/SCAPGuide
https://wiki.debian.org/UsingSCAP

Cheers,


On 5 December 2018 00:32:49 GMT+01:00, "Bardot Jérôme" <[hidden email]> wrote:



--
O Philippe Thierry.
/Y\/ GPG: 7010 9a3c e210 763e 6341 4581 c257 b91b cdaf c1ea
o#o