From a5cebb1df6ee3042fbc75f315e1b7a93497d58e0 Mon Sep 17 00:00:00 2001 From: trimstray Date: Tue, 19 Feb 2019 22:53:33 +0100 Subject: [PATCH] minor updates - signed-off-by: trimstray --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9eb561c..d4f6b4f 100644 --- a/README.md +++ b/README.md @@ -194,7 +194,7 @@ This guide also provides you with _practical step-by-step instructions_ for buil A few simple rules for this project: -- this guide does not exhaust everything about Linux Hardening +- this guide does not exhaust everything about Linux hardening - some hardening rules can be done better - you can think of it also as a checklist 
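Review bot: the subject "minor updates" does not tell readers of the history what changed; since the later hunks add new advice to the "How to hardening Linux?" section (STIGs as checklists, automation via OpenSCAP), a subject such as "README: expand hardening policy advice, recommend SCAP automation" would be more useful. The capitalization fix in this hunk ("Linux hardening") is fine and matches the lowercase usage elsewhere in the section; no further change needed here.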
@@ -210,12 +210,14 @@ You need to harden your system to protect your assets as much as possible. Why i ### How to hardening Linux? -In my opinion you should definitely drop all non-industry policies, articles, manuals and other especially on your production environments. This stuff exist to give false sense of security. +In my opinion you should definitely drop all non-industry policies, articles, manuals and other (especially on your production environments but also if you harden standalone home server). This stuff exist to give false sense of security. -We have a lot of great GNU/Linux hardening policies to provide safer operating systems compatible with security protocols. For me, CIS and the various NSA STIGs are about the best actual prescriptive guides. +We have a lot of great GNU/Linux hardening policies to provide safer operating systems compatible with security protocols. For me, **CIS** and the various **NSA STIGs** are about the best actual prescriptive guides. > Most of all you should use [Security Benchmarks/Policies](#policy-compliance) which describe consensus best practices for the secure configuration of target systems because configuring your systems in compliance with e.g. CIS has been shown to eliminate 80-95% of known security vulnerabilities. +On the other hand e.g. STIG itself is just a complicated (for newbies difficult to implement) check-list. In my opinion ideally, real world implementation is automated via something like OpenSCAP. + ## Policy Compliance ### Center of Internet Security (CIS) 
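Review bot: the two added sentences need grammar fixes before merge, and the new paragraph should link OpenSCAP to the section that introduces it. In the first added line, "and other (especially on your production environments but also if you harden standalone home server). This stuff exist to give false sense of security." leaves "other" without a noun and drops articles; suggest "and other non-industry sources (especially on production environments, but also when you harden a standalone home server). This stuff exists to give a false sense of security." In the new paragraph, "On the other hand e.g. STIG itself is just a complicated (for newbies difficult to implement) check-list. In my opinion ideally, real world implementation is automated via something like OpenSCAP." reads better as "On the other hand, a STIG on its own is just a long checklist that is hard for newcomers to implement by hand. Ideally, real-world implementation is automated with a tool such as OpenSCAP." Since OpenSCAP is only explained further down the README (the SCAP paragraph touched in the next hunk), consider an in-page link there in the same style as the existing `[Security Benchmarks/Policies](#policy-compliance)` anchor, so a reader meeting the name for the first time can find it. While editing this block, the untouched heading "### How to hardening Linux?" should become "### How to harden Linux?".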
@@ -234,7 +236,7 @@ Please see **[Stigviewer](https://www.stigviewer.com/stigs)** for explore all st Security Content Automation Protocol (SCAP) provides a mechanism to check configurations, vulnerability management and evaluate policy compliance for a variety of systems. -One of the most popular implementations of SCAP is [OpenSCAP](https://www.open-scap.org/security-policies/) and it is very helpful for vulnerability assessment and also as hardening helper. +One of the most popular implementations of SCAP is **[OpenSCAP](https://www.open-scap.org/security-policies/)** and it is very helpful for vulnerability assessment and also as hardening helper. ## DevSec Hardening Framework
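Review bot: the changed line still has a missing article at the end, "and also as hardening helper"; suggest "and also as a hardening helper". Bolding OpenSCAP here is consistent with the bolded **CIS** and **NSA STIGs** introduced in the previous hunk, so that part is fine. Two context lines adjacent to this hunk could be fixed in the same commit since the section is already being edited: "for explore all st..." in the Stigviewer sentence should read "to explore", and "check configurations, vulnerability management and evaluate policy compliance" is not parallel; "check configurations, manage vulnerabilities and evaluate policy compliance" would read correctly.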