The Center for Internet Security (CIS) is a non-profit association for the promotion of computer security. Members, largely North American, range from IBM and Motorola to universities and individuals. Through the consensus of members, it develops a list of best practices for Windows, Linux, Solaris and FreeBSD, as well as Cisco routers, Oracle databases, and Apache Web servers. These best practices are incorporated into benchmark scripts and accompanying PDF guides for interpreting the results and improving security with a series of actions and scripts.

The CIS Linux Benchmark provides a comprehensive checklist for system hardening. Because the CIS has limited resources, its current Linux Benchmark is designed for only Red Hat Enterprise Linux 2.1 and 3.0 and Fedora Core 1, 2, and 3. Although CIS suggests that derivatives of these distributions may also be able to run the Benchmark, for now its usefulness is limited. However, even if the Benchmark itself won’t run with a particular distribution, the information in the accompanying PDF file can be adapted to most distributions with a minimum of effort and expertise. If you are lucky enough to be able to use the Benchmark directly, it provides an objective standard for talking about Linux security.

The results may shake up your ideas about how secure your Linux box really is. The best time to run the Linux Benchmark is immediately after installation, so you can be reasonably sure that your system is secure from the start. Once the package is installed, running the command cis-scan provides a non-obtrusive test of the current system. The Benchmark gives an immediate raw score on a ten-point scale. The Benchmark also writes a date-named log that breaks down the raw score into a detailed series of positive and negative assessments.

These results provide an objective frame of reference, but not an absolute one. That is to say, if a system scored a perfect 10.00, the results would detail its configuration in a way that anyone could confirm, and you could safely say that your system followed all of CIS’s best practices. However, you could not say that the system was immune from attack. Web and mail servers, and probably other programs, could open security holes not covered by the Benchmark. And the CIS Benchmark can do nothing to guard against sloppy practices such as using the root account for everyday computing. Nor can the CIS Benchmarks be used to make a meaningful comparison between Linux and Windows installations. The two Benchmarks measure different vulnerabilities, so the results are not comparable across different platforms.

Once you run the Benchmark, open the log and the PDF file. Items are listed in the log in the same order as in the PDF file. To harden the current system, scan the log for negative items, then turn to the corresponding sections in the file to correct them.

Before beginning the process of hardening, you will also want to download the Bastille and sysstat packages so that they are available when you need them. Bastille also requires the installation of either the Perl-Tk or Perl-Curses package. Bastille is especially important to the Benchmark. It runs an interactive tutorial for securing a system, explaining options and why you might choose them. Some duplication exists between Bastille and the CIS Benchmark, such as the use of warning banners for intruders, but the two are separate enough that not running Bastille can affect a raw score by 0.60 out of 10, almost twice as much as any other single item.

The Benchmark PDF file is divided into 10 sections, covering dozens of topics varying from how recently the system was patched, to minimizing the xinetd and boot services, to the setup of file permissions, system authentication, user accounts, and environments. Installing and running Bastille is emphasized, but CIS also provides its own additional scripts and advice. The file ends with a listing of anti-virus software (making clear that this service is only for servers that interact with Windows), as well as a list of minor security steps that CIS members believe have a minimal effect on overall security. Mindful that some users may be learning security basics from the file, CIS warns at the start of the importance of backing up key files and data, and, like Bastille, provides brief guidelines to help users decide whether they want to implement each step. Some might argue that the file has a few omissions - for example, it makes no mention of packages such as cracklib that can be installed to prevent users from choosing too simple a password. It also emphasizes configuration through scripts rather than through the manual editing of files that many Linux users prefer.
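
The article's workflow of scanning the log for negative items and turning to the matching PDF sections can be scripted. The following Python is an added example, not part of the original article or of the CIS tooling: it groups negative items by PDF section and compares two date-named logs to confirm what a hardening pass fixed. The `Positive:`/`Negative:` line layout, the item numbers and the sample text are assumptions, since the article does not reproduce the log format.

```python
import re

# Assumed line layout (the page does not show the log itself):
#   "Positive: <section>.<item> <text>" or "Negative: <section>.<item> <text>"
ITEM = re.compile(r"^(Positive|Negative):\s+(\d+)\.(\d+)\s+(.*\S)")

# Constructed sample logs (item numbers and texts are made up for the example).
BEFORE = """\
Constructed sample log, first scan
Positive: 1.1 System patched recently.
Negative: 2.1 xinetd service still enabled.
Negative: 7.2 No warning banner configured.
Negative: 10.1 Minor hardening step not applied.
"""
AFTER = """\
Positive: 2.1 xinetd service disabled.
Negative: 6.3 File permission too loose.
Negative: 7.2 No warning banner configured.
Positive: 10.1 Minor hardening step applied.
"""

def negatives(log_text):
    """Return {(section, item): text} for every negative assessment."""
    found = {}
    for line in log_text.splitlines():
        m = ITEM.match(line.strip())
        if m and m.group(1) == "Negative":
            found[(int(m.group(2)), int(m.group(3)))] = m.group(4)
    return found

def worklist(log_text):
    """Group negative items by top-level PDF section, in numeric order."""
    groups = {}
    for (section, item), text in sorted(negatives(log_text).items()):
        groups.setdefault(section, []).append((f"{section}.{item}", text))
    return groups

def compare(before_text, after_text):
    """Classify items across two scans as fixed, still open, or newly failing."""
    old, new = negatives(before_text), negatives(after_text)
    fmt = "{}.{}".format
    return {
        "fixed": [fmt(*k) for k in sorted(old.keys() - new.keys())],
        "open": [fmt(*k) for k in sorted(old.keys() & new.keys())],
        "new": [fmt(*k) for k in sorted(new.keys() - old.keys())],
    }

if __name__ == "__main__":
    print(worklist(BEFORE), compare(BEFORE, AFTER), sep="\n")
```

Item numbers are compared as integers so that section 10 sorts after section 9, matching the order of the PDF rather than plain string order.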