info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Re: Security
1 view
Skip to first unread message
Jeffrey Chimene
May 12, 2023, 7:51:47 PM5/12/23
to
On 5/12/23 16:08, Jonathan Hutchins wrote:
> Here's hoping that this message is not lost in the flood of
> potentially thousands of read notifications to your mailing list
> post. Hope you learned your lesson on that.
I appreciate your concern that your message might have gotten lost.
There aren't a lot of active readers on this list.
>
> These days "security" seems to consist of installing and enabling
> every item you can find that's labeled "security". A huge amount of
> it is pure waste, addressing mythical scenarios that no ordinary user
> will ever encounter.
I'm not talking about ordinary users. I'm talking about people who might
manage fewer than 10 machines.
>
> Real security comes from correctly analyzing your actual threat
> profile, and carefully addressing real vulnerabilities, rather than a
> shotgun approach that misses as much as it hits.
>
> That said, here's my own favorite treatise on server security. A bit
> dated, RedHat oriented, and probably not generic to your own purposes.
>
> http://www.trinityos.com/LINUX/index-linux.html
>
>
> Best of luck,
Thanks for the advice.
So far, this official Debian list is in line with my expectations. For
every 1 person on a Debian list, there are 10 who will tell you it's a
waste of time. So far, the best "stop wasting our time" line is that
Debian is unlikely to want to write about a package that's not in one of
the repositories (e.g. webmin)
It's why I posted the question as I did.
Cheers,
jec
> Here's hoping that this message is not lost in the flood of
> potentially thousands of read notifications to your mailing list
> post. Hope you learned your lesson on that.
I appreciate your concern that your message might have gotten lost.
There aren't a lot of active readers on this list.
>
> These days "security" seems to consist of installing and enabling
> every item you can find that's labeled "security". A huge amount of
> it is pure waste, addressing mythical scenarios that no ordinary user
> will ever encounter.
I'm not talking about ordinary users. I'm talking about people who might
manage fewer than 10 machines.
>
> Real security comes from correctly analyzing your actual threat
> profile, and carefully addressing real vulnerabilities, rather than a
> shotgun approach that misses as much as it hits.
>
> That said, here's my own favorite treatise on server security. A bit
> dated, RedHat oriented, and probably not generic to your own purposes.
>
> http://www.trinityos.com/LINUX/index-linux.html
>
>
> Best of luck,
Thanks for the advice.
So far, this official Debian list is in line with my expectations. For
every 1 person on a Debian list, there are 10 who will tell you it's a
waste of time. So far, the best "stop wasting our time" line is that
Debian is unlikely to want to write about a package that's not in one of
the repositories (e.g. webmin)
It's why I posted the question as I did.
Cheers,
jec
Jeremy Stanley
May 12, 2023, 11:20:05 PM5/12/23
to
On 2023-05-12 16:27:59 -0700 (-0700), Jeffrey Chimene wrote:
[...]
Debian is, first and foremost, a software distribution, so it makes
sense that Debian documentation would focus on software that is
actually packaged in Debian. For example, you brought up HIDS: there
are several options for this already in the distribution. I've
personally used tiger, lynis and iwatch for HIDS purposes in a
professional syadmin capacity, and I can safely install them through
Debian's own cryptographically signed chain of trust.
Ideally, Debian can be secured with the software available in
Debian, but it also simply doesn't make sense (to me) for Debian to
recommend software it doesn't provide instead of providing that
software or otherwise recommending alternatives which someone has
put in the effort to get into the distribution. I don't consider
discussion of these topics to be a waste of time, but there are
plenty of places to publish articles about arbitrary software useful
to sysadmins where it might be more on topic and reach a wider
audience.
--
Jeremy Stanley
[...]
> So far, this official Debian list is in line with my expectations.
> For every 1 person on a Debian list, there are 10 who will tell
> you it's a waste of time. So far, the best "stop wasting our time"
> line is that Debian is unlikely to want to write about a package
> that's not in one of the repositories
[...]
> For every 1 person on a Debian list, there are 10 who will tell
> you it's a waste of time. So far, the best "stop wasting our time"
> line is that Debian is unlikely to want to write about a package
> that's not in one of the repositories
Debian is, first and foremost, a software distribution, so it makes
sense that Debian documentation would focus on software that is
actually packaged in Debian. For example, you brought up HIDS: there
are several options for this already in the distribution. I've
personally used tiger, lynis and iwatch for HIDS purposes in a
professional syadmin capacity, and I can safely install them through
Debian's own cryptographically signed chain of trust.
Ideally, Debian can be secured with the software available in
Debian, but it also simply doesn't make sense (to me) for Debian to
recommend software it doesn't provide instead of providing that
software or otherwise recommending alternatives which someone has
put in the effort to get into the distribution. I don't consider
discussion of these topics to be a waste of time, but there are
plenty of places to publish articles about arbitrary software useful
to sysadmins where it might be more on topic and reach a wider
audience.
--
Jeremy Stanley
0 new messages