Hi,
On Saturday, 25 October 2003 02:04, Bo Jacobsen wrote:
The standard SuSE installation is much too open.
I agree with that. But instead of hardening the system _after_ it has already been set up, I'd prefer a clean install that's not "too open". Maybe SuSE can introduce an install option such as "secure system" or something similar.
If only that fsck'ing portmapper wouldn't be run by default. That is the same ...stuff like MS Windows with RPC bound to anything looking like an interface -- remember W32/Blaster? Each time I set up a SuSE, I get angry about that idiocy.
Best wishes, Lutz
I agree 100%. They need an install option named firewall, or something like that, that leaves out ANY stuff that should not run on a firewall. I actually find it a little strange that they have not implemented that a long time ago, since security has been a hot topic for a long time now.

One of the advantages of being able to run a separate script like hardensuse is that if something will not run, it can be difficult to figure out if it's a problem with the tightened security, or if it's something else. I have had some problems in the past, where something would not run after executing hardenSuSE, but I knew it had something to do with the things the script did, so I just had to run hardensuse step-by-step to find out what system changes caused the problem.

Another advantage was that I could run hardensuse on systems that were used as normal file, print and email servers. I just had to NOT select the security options that I knew would disrupt the programs running on the server, or I could just make changes afterwards to the specific programs.

However implemented, it would be a lot better than the situation we have today, where there is no official, and simple, way to upgrade the security of a SuSE host. The normal SuSE installation even has world-read permission on all files in /root!!! I find that more than a little open. Actually, SuSE's lack of priority on basic system security tools has forced me to start looking at other systems like FreeBSD etc.

Bo
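
A quick audit for the two defaults criticised in this thread (world-readable files under /root and a listening portmapper), added here as an example; it is not part of either poster's message or of hardenSuSE. The function names and the sample socket table are constructed, and it assumes the Linux /proc/net/tcp layout and portmapper's standard TCP port 111.

```shell
#!/bin/sh
# Added example: audit the two defaults discussed in the thread.

# List regular files under DIR whose "other" read bit is set (world-readable).
world_readable() {
    find "$1" -xdev -type f -perm -0004 2>/dev/null
}

# Read /proc/net/tcp-format text on stdin; succeed if a socket is in LISTEN
# state (st == 0A) on TCP port $1. The local address field is HEXIP:HEXPORT.
# Only the table fed on stdin is checked (pass /proc/net/tcp6 for IPv6).
listening_on() {
    want=$(printf '%04X' "$1")
    awk -v want="$want" '
        NR > 1 && $4 == "0A" {
            n = split($2, a, ":")
            if (toupper(a[n]) == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample in /proc/net/tcp layout: listeners on 0.0.0.0:111
# (portmapper) and 127.0.0.1:25.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0'

# Report both findings for DIR (default /root) on the running system.
audit() {
    dir=${1:-/root}
    count=$(world_readable "$dir" | wc -l)
    echo "world-readable files under $dir: $count"
    if [ -r /proc/net/tcp ] && listening_on 111 < /proc/net/tcp; then
        echo "TCP port 111 (portmapper) is listening"
    else
        echo "TCP port 111 is not listening"
    fi
}
```

Source the file and run `audit` as root to check the live system; `listening_on` can also be fed the constructed `SAMPLE_TCP` table to see the match logic without touching /proc.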