> [top of readme] lockdown a newly installed linux os
> [bottom of readme] Supported OS: Debian
Not all Linux is Debian or a Debian derivative.
> Remounts /tmp /proc /dev /run to be more restrictive
Unfortunately it only appears to remount, which will not persist across reboots (unless I’m missing something).
> Restrict access to compilers
Is this actually meaningful from a security perspective? If one can get some source onto a machine and execute a compiler and then execute that binary, how is that substantially different than them just getting a binary onto the machine and executing that instead?
Wow nice! This will be useful both for expert users who can go through and learn about various security options and apply manually, but also useful for non-expert users who can just run the script.
> useful for non-expert users who can just run the script.
Running random scripts one doesn’t understand as root has its potential problems, though. Non-experts should still audit what this script (or any script requiring elevated privileges) is doing and strive to understand it.
True that. After looking through the script in more details, I wouldn't recommend running without checking. I thought it was doing just basic ssh + firewall, but it does a lot more things, so probably better to run piecemeal even for non-experts.
Maybe this could be turned into some interactive script that explains a little (in beginner-friendly language) what each step does? It would be also nice to have a log of which steps were performed, and instructions for the undo-step in case users want to go back... wishlist.append( ^ ).
We already have sensible OS level and app level baselines in CIS workbenches. There's also code to apply the policies and check the policies. It's nice that this is an attempt to set some kind of sanity in a single shell script but unless the author is a known quantity expert in this area, it's not a good idea to use this, unless you are also capable of vetting this code, in which case you probably don't need it.
13 comments
[ 2.5 ms ] story [ 37.1 ms ] thread> [bottom of readme] Supported OS: Debian
Not all Linux is Debian or a Debian derivative.
> Remounts /tmp /proc /dev /run to be more restrictive
Unfortunately it only appears to remount, which will not persist across reboots (unless I’m missing something).
> Restrict access to compilers
Is this actually meaningful from a security perspective? If one can get some source onto a machine and execute a compiler and then execute that binary, how is that substantially different than them just getting a binary onto the machine and executing that instead?
it's so far out there that I almost think it's intended as performance art, rather than something anyone is supposed to actually use
Yeah and then it also reboots immediately. What's the point? Has this even been tested?
Running random scripts one doesn’t understand as root has its potential problems, though. Non-experts should still audit what this script (or any script requiring elevated privileges) is doing and strive to understand it.
Maybe this could be turned into some interactive script that explains a little (in beginner-friendly language) what each step does? It would be also nice to have a log of which steps were performed, and instructions for the undo-step in case users want to go back... wishlist.append( ^ ).
[1] https://github.com/Whonix/security-misc
[2] https://forums.whonix.org/t/fixing-the-desktop-linux-securit...