Les Bell wrote:

> Policy. It's a drag, writing policies, but without policies, you're in the
> "Ready! Fire! Aim!" school of security. The top tier of policy is the
> "Enterprise Security Policy", which establishes the security function,
> roles, responsibilities, budget, etc. It also gives the power to enforce
> penalties for breaches of policies. At the next tier, you have system- and
> issue-specific policies, such as the "Use of corporate email" policy, the
> "Inappropriate content in the workplace" policy. You may then move down to
> standards (platforms, SOE, etc.) and procedures (e.g. for provisioning user
> accounts, resetting passwords, etc.).

<snip>

Thanks for your very detailed response. Though I can't help feeling a bit like having asked for an identity photo... and getting a 10-foot oil painting :oD

Basically, all I'm concerned about security-wise is a modest Apache/PHP/MySQL server running a single public library management software, and interconnecting eleven (small) public libraries, with a total of 60.000 database entries. No (very) big deal.

The configuration is supposed to run on a dedicated server, so my question will be more practical:

- Is it worth the hassle to bother with SELinux?
- Is the standard firewall configuration enough, or do I really have to fine-tune the thing?
- Basically, what auditing tools besides NMap can you recommend for such a thing?

cheers,

Niki