CSEC_PUBLIC/the-practical-linux-hardening-guide
1
0
Fork 0
mirror of https://github.com/trimstray/the-practical-linux-hardening-guide.git synced 2025-12-06 17:22:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

updated descriptions

Browse Source 
- signed-off-by: trimstray <trimstray@gmail.com>
This commit is contained in:
trimstray
2019-02-20 23:45:18 +01:00
parent ce38e694b2
commit 3dfe4481e2
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
README.md
View File

@@ -237,15 +237,17 @@ In my opinion you should definitely drop all non-industry policies, articles, ma
We have a lot of great GNU/Linux hardening policies to provide safer operating systems compatible with security protocols. For me, **CIS** and the **PCI-DSS** compliant are about the best actual prescriptive guides - but of course you can choose a different one. We have a lot of great GNU/Linux hardening policies to provide safer operating systems compatible with security protocols. For me, **CIS** and the **PCI-DSS** compliant are about the best actual prescriptive guides - but of course you can choose a different one.
> Most of all you should use [Security Benchmarks/Policies](#policy-compliance) which describe consensus best practices for the secure configuration of target systems because configuring your systems in compliance eliminate the most common security fails/bugs. For example, CIS has been shown to eliminate 80-95% of known security vulnerabilities. > Most of all you should use [Security Benchmarks/Policies](#policy-compliance) which describe consensus best practices for the secure configuration of target systems.
Configuring your systems in compliance eliminate the most common security fails/bugs. For example, CIS has been shown to eliminate 80-95% of known security vulnerabilities.
On the other hand e.g. STIG itself is just a complicated (for newbies difficult to implement) check-list. In my opinion ideally, real world implementation is automated via something like OpenSCAP. On the other hand e.g. STIG itself is just a complicated (for newbies difficult to implement) check-list. In my opinion ideally, real world implementation is automated via something like OpenSCAP.
> You should use a rational approach, remember that more is not better. Each environment is different so security rules should all work in theory, but sometimes it not works as well. > You should use a rational approach because more is not better. Each environment is different so security rules should all work in theory, but sometimes it not works as well.
### Which distribution should be used? ### Which distribution should be used?
This guide is being written and tested on **Red Hat Enterprise Linux** and **CentOS Linux** distributions because: This guide is being written and tested on **Red Hat Enterprise Linux 7** and **CentOS 7** distributions because:
- they are a free (CentOS) and open source - they are a free (CentOS) and open source
- they are enterprise-class - they are enterprise-class
@@ -253,7 +255,7 @@ This guide is being written and tested on **Red Hat Enterprise Linux** and **Cen
- they have great community support - they have great community support
- they are built on coherent snapshots of old packages - they are built on coherent snapshots of old packages
Both distributions provides **[certified tools](#scap-security-guide)** which can parse and evaluate each component of the SCAP standard. Both distributions allow the use of **[certified tools](#scap-security-guide)** which can parse and evaluate each component of the SCAP standard.
### How to read this guide? ### How to read this guide?