what's the current "standard" for tools to security harden fedora/RHEL?

Martin Cigorraga martincigorraga at gmail.com
Wed Jun 17 01:10:10 UTC 2015


RHEL/CentOS/Fedora comes with a quite complete set of SELinux rules making
the system quite secure OOTB, however as YMWV it won't hurt to keep an eye
on SELinux alerts which you can track using the SELinux Troubleshooting
application; there are also other quite useful SELinux related tools like
the SELinux Policy Generation Tool and the SELinux Policy Management Tool
that you definitely ought to check.

Fedora also ships with Rkhunter and (IINM) Tripwire enabled by default.
Alongside OSSEC mentioned by @SternData, which is a HIDS like Snort, there
are simpler - but not because of that less useful - solutions like Lynis,
which performs a series of tests and walks you through how to tap the holes
should you find any.

Bear in mind that protecting a system is a complex task that involves
several layers, each one of which cripples usability to varying degrees: you
start by protecting the boot loader, encrypting the partitions, booting a
hardened kernel, removing sudo, watching what services and daemons are
listening to where, checking for appropriate owner permissions, compiling
applications you will run by hardening them against overflows and so on.

I believe that while most GNU+Linux distributions are quite secure
because they are just GNU+Linux, Fedora stands out as one of the best
prepared for defense (general-purpose) distributions you will find out there
- big kudos to the security team for that.

As a final note let me share an earthly example:
A few days ago I needed to have WebEx *CRAP* working to attend a work
webinar; while I could get it working on my work computer (an Ubuntu
workstation) I couldn't make it work on my personal laptop running Fedora
22 - at home I obviously run everything RHEL-related.

To 'worsen' things even more, I wasn't receiving the alerts from the SELinux
Troubleshooter as I don't use the full GNOME stack but rather i3wm.
So when I figured out that SELinux could be behind this strange behaviour I
indeed opened SELinux Troubleshooter and there they were, a bunch of alerts
indicating that some processes were trying to do something potentially
harmful.

Once I whitelisted the involved WebEx processes to run in a contained
sandbox everything went well and I could finally attend my webinar.

As you see, Fedora is quite safe OOTB. Again, kudos to everyone involved.
And more importantly, thank you all.

-M.

On Tue, Jun 16, 2015 at 4:51 PM SternData <subscribed-lists at sterndata.com>
wrote:

> On 06/16/2015 01:29 PM, Robert P. J. Day wrote:
> >
> >   friend asked me about the most effective way to harden red hat
> > systems (both fedora and RHEL). what's the state of the art these
> > days? i know RH has online manuals on system security -- what's
> > available in terms of tools to scan existing systems for
> > vulnerabilties? is bastille linux still a going concern? etc, etc.
> >
> > rday
> >
>
> I like running OSSEC
>
> --
> -- Steve
>
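The message above describes SELinux denials going unnoticed because the desktop alert applet was not running. As an added example (not part of the original thread), this Python sketch summarizes AVC denials straight from audit log text, assuming the standard `type=AVC` record layout written to `/var/log/audit/audit.log`; the sample records, process names and SELinux types are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in audit.log format; process names and types are made up.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1434503410.101:311): avc:  denied  { execmem } for  pid=2101 '
    'comm="exampleapp" scontext=unconfined_u:unconfined_r:example_t:s0 '
    'tcontext=unconfined_u:unconfined_r:example_t:s0 tclass=process permissive=0\n'
    'type=SYSCALL msg=audit(1434503410.101:311): arch=c000003e syscall=9 success=no '
    'exit=-13 comm="exampleapp"\n'
    'type=AVC msg=audit(1434503411.220:312): avc:  denied  { execmem } for  pid=2101 '
    'comm="exampleapp" scontext=unconfined_u:unconfined_r:example_t:s0 '
    'tcontext=unconfined_u:unconfined_r:example_t:s0 tclass=process permissive=0\n'
    'type=AVC msg=audit(1434503415.007:320): avc:  denied  { read write } for  pid=2188 '
    'comm="helperd" name="state.db" dev="dm-1" ino=131 '
    'scontext=system_u:system_r:helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 '
    'tclass=file permissive=1\n'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "comm": fields.get("comm", "?"),
        "source": se_type(fields.get("scontext", "?")),
        "target": se_type(fields.get("tcontext", "?")),
        "tclass": fields.get("tclass", "?"),
        "perms": tuple(m.group(1).split()),
        # permissive=1: logged but allowed. A missing field (older kernels)
        # is treated as enforced here, which is an assumption of this example.
        "enforced": fields.get("permissive", "0") == "0",
    }

def summarize(log_text):
    """Count denials per (comm, source, target, class, perms, enforced)."""
    counts = Counter()
    for record in filter(None, map(parse_avc, log_text.splitlines())):
        counts[tuple(record.values())] += 1
    return counts.most_common()

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG):
        print(n, *key)
```

Grouping by process and permission separates a single application repeatedly hitting one rule from scattered denials across many domains, and the `enforced` flag shows which accesses were actually blocked.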