Closed Miro-H closed 4 years ago
We could also use existing hardening roles [1], though they are quite large.
[1] https://github.com/konstruktoid/ansible-role-hardening
Any problem with them being large? I've looked through this role a little; I wouldn't reinvent the wheel, as we aim at similar effects. But maybe let's copy it into our repository for adjustments.
Just that we don't know what it's doing unless we look at it in more detail. But yes, if this role doesn't break too much it's probably more secure when we use it than when we create a smaller version ourselves.
Do we want to install AppArmor or SELinux on our machines? Debian does not provide MAC by default.
AppArmor is already installed by default on buster, but as far as I know no strict policies are in place.
https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#apparmor
Right, it wouldn't make sense to write all these rules by hand. Should we look for a predefined ruleset?
Should we add an Ansible role for OS hardening?
E.g. implement some of the measures mentioned in [1], including
[1] https://www.tecmint.com/linux-server-hardening-security-tips/