Rules like https://cisofy.com/lynis/controls/HRDN-7222/ make me think the whole thing is snake oil. There is zero security benefit to making publicly-available compilers not be world-readable.
I assume you don't work in security. The "HRDN" means it's a Hardening rule, and hardening is the action of reducing the attack surface for possible attacks as much as you can, even for the most crazy types, like a normal user or malware having access to download an exploit from exploit-db.com and being able to compile it without being root.
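An added shell example, not Lynis's own code, of the kind of check behind HRDN-7222 and its "limit to authorized users" suggestion: it reports which of the given compiler paths are executable by every user, and a helper drops that permission. The compiler paths are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example (not part of Lynis): audit whether compilers are executable by
# all users, the condition HRDN-7222 flags, and restrict them if they are.

# Return 0 if the regular file $1 is executable by "others", 1 otherwise.
# ls -l is used because stat's format differs between GNU and BSD userlands.
world_executable() {
    [ -f "$1" ] || return 1
    perms=$(ls -l "$1" | cut -c1-10)
    case "$perms" in
        *x|*t) return 0 ;;   # last char is others-execute (t = sticky + x)
        *)     return 1 ;;
    esac
}

# Usage: audit_compilers /usr/bin/gcc /usr/bin/cc ...
# Prints one line per compiler that exists and returns the number found
# world-executable, so 0 means nothing to do and it works as an exit status.
audit_compilers() {
    found=0
    for c in "$@"; do
        [ -e "$c" ] || continue
        if world_executable "$c"; then
            echo "WARN  $c is executable by all users"
            found=$((found + 1))
        else
            echo "OK    $c is restricted"
        fi
    done
    return "$found"
}

# Remove the others-execute bit from $1 (the HRDN-7222 suggestion in its
# bluntest form). Needs root; a dedicated developer group that keeps group
# execute is the less disruptive variant.
restrict_compiler() {
    chmod o-x "$1"
}

# Typical invocation (assumed paths):
# audit_compilers /usr/bin/gcc /usr/bin/cc /usr/bin/g++ /usr/bin/as /usr/bin/ld
```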
I've noticed that many ineffective and damaging security policies (mandating crowdstrike, increasingly arcane password requirements etc.) that businesses adopt seem to be implemented for "compliance" with ... what exactly? Sets of rules and regulations, apparently written by people who don't understand security, don't care about system reliability, availability, or usability, or have a business interest in dubious security solutions.
I just heard about this tool but someone else said it simply enumerates defaults already present in most distros.
I can tell you one thing that makes real changes to RHEL at least: the CIS Benchmark. It hardens your system by tightening up file permissions and user logins, disabling old protocols, setting partition flags and more.
But the best hardening imho doesn't follow any set standard, rather application-dependent isolation using containers and MACs like SELinux and MCS (multi-category security).
Doesn't offer much utility IMO as most distributions come with secure defaults ootb these days. Unfortunately its checklist is not thorough enough to keep you ahead of the security curve.
It's closer to checkbox compliance, rather than being effective. Sure, those checks may be interesting and point out some actual issues. But if you're given a choice, then a short threat modelling session will have much higher impact. Someone else brought up CIS here - it's the same category with counterproductive changes like installing an integrity checker and tcpwrapper inside docker images.
josephcsible|1 year ago
AbraKdabra|1 year ago
HeatrayEnjoyer|1 year ago
perlgeek|1 year ago
> If a compiler is found, execution should be limited to authorized users only (e.g. root user).
patrakov|1 year ago
Also, the suggestion from https://cisofy.com/lynis/controls/NAME-4404/ is just wrong on systems with nss_myhostname (from systemd) configured.
musicale|1 year ago
kosolam|1 year ago
INTPenis|1 year ago
https://docs.redhat.com/en/documentation/red_hat_enterprise_...
Timber-6539|1 year ago
viraptor|1 year ago
mcsniff|1 year ago