Liblor / applied_sec_lab

Applied Security Laboratory - AS19

OS Hardening #42

Closed Miro-H closed 4 years ago

Miro-H commented 4 years ago

Should we add an ansible role for OS hardening?

E.g. implement some of the measures mentioned in [1], including

[1] https://www.tecmint.com/linux-server-hardening-security-tips/

Miro-H commented 4 years ago

We could also use existing hardening roles [1], though they are quite large.

[1] https://github.com/konstruktoid/ansible-role-hardening

keyctl commented 4 years ago

I'd also advise running Lynis.

keyctl commented 4 years ago

> We could also use existing hardening roles [1], though they are quite large.
>
> [1] https://github.com/konstruktoid/ansible-role-hardening

Any problem with them being large? I've looked through this role a little, I wouldn't reinvent the wheel as we aim at similar effects. But maybe let's copy it into our repository for adjustments.

Miro-H commented 4 years ago

> > We could also use existing hardening roles [1], though they are quite large. [1] https://github.com/konstruktoid/ansible-role-hardening
>
> Any problem with them being large? I've looked through this role a little, I wouldn't reinvent the wheel as we aim at similar effects. But maybe let's copy it into our repository for adjustments.

Just that we don't know what it's doing unless we look at it in more detail. But yes, if this role doesn't break too much it's probably more secure when we use it than when we create a smaller version ourselves.

keyctl commented 4 years ago

Do we want to install AppArmor or SELinux on our machines? Debian does not provide MAC by default.

Liblor commented 4 years ago

AppArmor is already installed by default on buster, but as far as I know no strict policies are in place.

https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#apparmor

keyctl commented 4 years ago

Right, it wouldn't make sense to write all these rules by hand. Should we look for a predefined ruleset?