Re: what's the current "standard" for tools to security harden fedora/RHEL?


 



RHEL/CentOS/Fedora comes with a quite complete set of SELinux rules making the system quite secure OOTB; however, as YMWV, it won't hurt to keep an eye on SELinux alerts, which you can track using the SELinux Troubleshooting application. There are also other quite useful SELinux-related tools like the SELinux Policy Generation Tool and the SELinux Policy Management Tool that you definitely ought to check.

Fedora also ships with Rkhunter and (IINM) Tripwire enabled by default. Alongside OSSEC mentioned by @SternData, which is a HIDS like Snort, there are simpler - but not because of that less useful - solutions like Lynis, which performs a series of tests and walks you through how to plug the holes should you find any.

Bear in mind that protecting a system is a complex task that involves several layers, each of which cripples usability to varying degrees: you start by protecting the boot loader, encrypting the partitions, booting a hardened kernel, removing sudo, watching which services and daemons are listening and where, checking for appropriate owner permissions, compiling the applications you will run with hardening against overflows and so on.

I believe that while most GNU+Linux distributions are quite secure because they are just GNU+Linux, Fedora stands out as one of the most well-prepared for defense (general-purpose) distributions you will find out there - big kudos to the security team for that.

As a final note let me share an earthly example:
A few days ago I needed to have WebEx *CRAP* working to attend a work webinar; while I could get it working on my work computer (an Ubuntu workstation), I couldn't make it work on my personal laptop running Fedora 22 - at home I obviously run everything RHEL-related.

To make things even 'worse', I wasn't receiving the alerts from the SELinux Troubleshooter, as I don't use the full GNOME stack but rather i3wm.
So when I figured out that SELinux could be behind this strange behaviour I indeed opened SELinux Troubleshooter and there they were, a bunch of alerts indicating that some processes were trying to do something potentially harmful.

Once I whitelisted the involved WebEx processes to run in a contained sandbox, everything went well and I could finally attend my webinar.

As you see, Fedora is quite safe OOTB. Again, kudos to everyone involved. And more important, thank you all.

-M.

On Tue, Jun 16, 2015 at 4:51 PM SternData <subscribed-lists@xxxxxxxxxxxxx> wrote:
On 06/16/2015 01:29 PM, Robert P. J. Day wrote:
>
>   friend asked me about the most effective way to harden red hat
> systems (both fedora and RHEL). what's the state of the art these
> days? i know RH has online manuals on system security -- what's
> available in terms of tools to scan existing systems for
> vulnerabilities? is bastille linux still a going concern? etc, etc.
>
> rday
>

I like running OSSEC

--
-- Steve
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
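
Added example, not part of the original thread: when no desktop applet surfaces SELinux Troubleshooter alerts, as in the i3wm case described above, the denials are still written as AVC records to the audit log (typically /var/log/audit/audit.log). The Python sketch below collapses repeated denials and separates enforced ones from permissive ones; the sample lines, process names, paths and SELinux types are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the audit.log AVC record layout; process names, paths
# and SELinux types are illustrative, not taken from the post.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1434480000.101:501): avc:  denied  { execmem } for  pid=4242 comm="example_plugin" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1434480000.101:501): arch=c000003e syscall=9 success=no exit=-13 pid=4242 comm="example_plugin"
type=AVC msg=audit(1434480003.350:502): avc:  denied  { read write } for  pid=4242 comm="example_plugin" name="example.sock" dev="tmpfs" ino=12345 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1434480009.020:507): avc:  denied  { execmem } for  pid=4250 comm="example_plugin" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1434480011.700:509): avc:  denied  { getattr } for  pid=900 comm="example_daemon" path="/etc/example.conf" dev="dm-0" ino=777 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r"^type=AVC msg=audit\(\d+\.\d+:\d+\): avc:\s+denied\s+\{ ([^}]+) \}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a hashable key describing one AVC denial, or None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    perms = tuple(sorted(m.group(1).split()))
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # An SELinux context is user:role:type:level; policy rules match on the type.
    src_type = f["scontext"].split(":")[2]
    tgt_type = f["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but allowed; a record without
    # the field is treated as enforced here (assumption).
    enforced = f.get("permissive", "0") == "0"
    return (f.get("comm", "?"), src_type, tgt_type, f["tclass"], perms, enforced)


def summarize(log_text):
    """Count identical denials so repeated alerts collapse into one row."""
    keys = (parse_denial(line) for line in log_text.splitlines())
    return Counter(k for k in keys if k is not None)


def blocked(summary):
    """Denials that actually stopped the process (enforcing), most frequent first."""
    rows = [(k, n) for k, n in summary.items() if k[5]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for (comm, src, tgt, tclass, perms, _), n in blocked(summarize(SAMPLE_AUDIT_LOG)):
        print(f"{n}x {comm} [{src}] -> {tgt}:{tclass} {{ {' '.join(perms)} }}")
```

On a live system the same records can be pulled with `ausearch -m avc`, and reviewing the grouped rows before writing any local policy exception shows exactly which access each exception would grant.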