[CentOS] General questions about security

Alain Spineux aspineux at gmail.com
Fri Feb 1 13:21:54 UTC 2008


On Feb 1, 2008 12:47 PM, Niki Kovacs <contact at kikinovak.net> wrote:
> Les Bell wrote:
>
> > Policy. It's a drag, writing policies, but without policies, you're in the
> > "Ready! Fire! Aim!" school of security.  The top tier of policy is the
> > "Enterprise Security Policy", which establishes the security function,
> > roles, responsibilities, budget, etc. It also gives the power to enforce
> > penalties for breaches of policies. At the next tier, you have system- and
> > issue-specific policies, such as the "Use of corporate email" policy, the
> > "Inappropriate content in the workplace" policy. You may then move down to
> > standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user
> > accounts, resetting passwords, etc.).
>
> <snip>
>
> Thanks for your very detailed response. Though I can't help feeling a
> bit like having asked for an identity photo... and getting a 10-foot oil
> painting :oD
>
> Basically, all I'm concerned about security-wise is a modest
> Apache/PHP/MySQL server running a single public library management
> software, and interconnecting eleven (small) public libraries, with a
> total of 60.000 database entries. No (very) big deal.
>
> The configuration is supposed to run on a dedicated server, so my
> question will be more practical:
>
> - Is it worth the hassle to bother with SELinux?

It must be your last concern. Use permissive.
If you have time, switch to enforcing at release time.

>
> - Is the standard firewall configuration enough, or do I really have to
> fine-tune the thing?

The problem is not the tools, it is their usage, and their user here.
Drugs can heal, but can kill too!
Yes, this is a good start, but try to understand what you are doing.
But the best is to put a cheap router/firewall in front of your server and
forward _only_ the required ports. Don't give your server a public IP.

>
> - Basically, what auditing tools besides NMap can you recommend for such
> a thing?

nmap :-)

>
> cheers,
>
> Niki



-- 
Alain Spineux
aspineux gmail com
May the sources be with you
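
Added example, not part of the original message: the two pieces of advice in the reply (forward only the required ports, audit with nmap) can be combined by comparing the open ports in nmap's grepable output (`nmap -oG -`) against an allowlist. The allowlist, the address 192.0.2.10 and the sample scan output are constructed assumptions.

```python
# Compare open ports reported by `nmap -oG -` against the ports that are
# supposed to be forwarded. Everything below the imports is an assumption
# made for this example, not taken from the thread.

# Assumption: only HTTP should be reachable from outside.
ALLOWED = {("tcp", 80)}

# Constructed sample of grepable output; 192.0.2.10 is a documentation address.
SAMPLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///, 3306/open/tcp//mysql///\t"
    "Ignored State: filtered (1693)\n"
    "# Nmap done (constructed sample)\n"
)


def open_ports(grepable):
    """Return {host: {(proto, port), ...}} for ports in state 'open'."""
    found = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines
        fields = line.split("\t")  # grepable fields are tab-separated
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Entry layout: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 3 or not parts[0].isdigit():
                    continue  # malformed or continuation fragment
                if parts[1] == "open":
                    found.setdefault(host, set()).add((parts[2], int(parts[0])))
    return found


def unexpected(grepable, allowed=ALLOWED):
    """Return {host: [(proto, port), ...]} for open ports not in the allowlist."""
    report = {}
    for host, ports in open_ports(grepable).items():
        extra = ports - allowed
        if extra:
            report[host] = sorted(extra)
    return report


if __name__ == "__main__":
    for host, ports in unexpected(SAMPLE).items():
        print(host, "exposes ports that should not be forwarded:", ports)
```

Run the scan from outside the router so the result reflects what the forwarding rules actually expose.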


