How do you secure your environment?

Do you find yourself in an environment requiring any level of hardening of your operating system? What automated tools do you use to help you determine what you need to lock down? Have you checked out project aqueduct or openscap?

Responses

Hello David,

The first thing I do to secure my servers is enforcing SELinux. It takes more time to get new applications running because you need to read a lot of *_selinux manpages and might also have to create custom rules, but that's worth it.

Afterwards I'm customizing PAM to enhance security (cracklib, limitations, etc.) before enabling Kernel auditing and installing fail2ban (on webservers).

Important configuration files are checked and reported to a monitoring system using AIDE.

Never heard about aqueduct, but it sounds interesting. I will have a deeper look at it.

Thanks for sharing!

Best regards,

Christian.

Nice, if you could write up any problems you have, we might be able to apply some of the SELinux fixes to the release.

Haven't managed to persuade current employer to use fail2ban, but have used it many times before.  It's excellent stuff.

We use Puppet to prevent config file drift instead of AIDE.  I'd been playing around with using inotify to trigger selective checks depending on which file had been changed (thereby narrowing the maximum time that a file could be misconfigured - in my view anyway).  Didn't get too far before other work got on top of me.

Aqueduct started off well, but recently has been seen as a duplication of the efforts in Red Hat's SCAP Security Guide.  Aqueduct scripted a lot of the lockdowns that you see in the major security guides (STIG, CIS, PCI, etc.).  After a discussion about Red Hat's SCAP stance on the mailing lists last month, Aqueduct has been pretty quiet.  I rated the Aqueduct project highly and its work has been extremely valuable.  If that work lives on in SCAP content somehow, then that's a good thing.

D
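The inotify-triggered selective check David mentions, written out as an added example (not code from the thread, from AIDE or from Puppet). It assumes a hypothetical JSON baseline file and that changed paths arrive one per line on stdin, for instance from `inotifywait -m -r -e close_write,attrib,delete --format '%w%f' /etc`; only the file named by the event is re-verified, instead of a full sweep.

```python
"""Event-driven selective integrity check (constructed example).

Baseline = sha256 + mode/uid/gid/size per tracked file, stored as JSON.
Assumed feed (not part of this script): one changed path per stdin line, e.g.
  inotifywait -m -r -e close_write,attrib,delete --format '%w%f' /etc
"""
import hashlib
import json
import os
import stat
import sys

ATTRS = ("mode", "uid", "gid", "size", "sha256")

def snapshot(path):
    """Attributes compared for one path; None if the file no longer exists."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):          # hash regular files only
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size, "sha256": h.hexdigest()}

def diff_snapshots(path, old, new):
    """Findings for one path: [] when unchanged, one line per changed attribute."""
    if old is None:
        return [f"{path}: not in baseline (new or untracked file)"]
    if new is None:
        return [f"{path}: removed"]
    return [f"{path}: {k} {old[k]!r} -> {new[k]!r}" for k in ATTRS if old[k] != new[k]]

def check_path(path, baseline):
    """Selective check: re-verify only the file the inotify event named."""
    return diff_snapshots(path, baseline.get(path), snapshot(path))

def build_baseline(paths):
    return {p: snapshot(p) for p in paths}

if __name__ == "__main__":
    cmd, db = sys.argv[1], sys.argv[2]
    if cmd == "init":                      # init DB FILE...  -> write baseline
        with open(db, "w") as f:
            json.dump(build_baseline(sys.argv[3:]), f, indent=1)
    elif cmd == "check":                   # check DB  <- changed paths on stdin
        with open(db) as f:
            baseline = json.load(f)
        for line in sys.stdin:
            for finding in check_path(line.strip(), baseline):
                print(finding)             # hand off to the monitoring system here
```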