Are security hardening guides still useful?

This was the big question we asked ourselves recently, when reading a few of them. With Linux and other Unix systems being decently hardened by default, would it still make sense to invest a lot of time to harden your system?

Hardening guides

Years ago both Windows and Linux were easy targets. A lot of system software was installed by default, and these services were often targeted by malicious people and scripts. Then hardening guides came along, explaining how to secure these services and protect systems.

Minimal installation

Once following hardening guides had become normal practice, vendors were forced to offer at least an option for a “clean” installation, that is, an installation with only the bare minimum installed. On Linux these kinds of installations were often called “minimal”: they install quickly and include only the components needed to run the system. Depending on the role, additional software could then be installed.

Do we still need them?

With vendors delivering better-hardened system installations, one could argue that the need for hardening guides has dropped as well. Still, we think the need will remain for many more years to come. After all, a system without running software is like a house where no one lives: possible, yet not really useful.

Hardening of software

While the operating system may already be better hardened, many software components are not. Usually they will never be hardened out of the box, as they need to provide functionality. Secure by default is a nice thing, but most people prefer something that works over something that is secure.

In other words, hardening guides will remain useful. The focus will be more on individual software components and less on the operating system. This is also the reason why our auditing tool Lynis does more than just audit the operating system. It covers the combination of a hardened base system, properly configured system components, a focus on networking, and more. Only if every link in the chain is strong enough can you rely on the system for your precious operations.


3 comments

  • Martijn

    In my opinion, even reading an obsolete hardening guide is useful; not for actual system hardening, but to interest people in security and to create awareness. They sometimes reveal (security) options you never knew anything about, or highlight simple solutions to common security problems you weren’t aware of.

    When you go on and search for the reasoning behind hardening tips, you’ll find the most interesting subjects in my experience :-) even if the suggestions don’t apply any more.

    Also, checking if all the hardening options from a guide are *actually* applied may reveal configuration errors you’ve made in the past or old configurations that failed to update to the latest, safest, version.

    • We believe also that you will learn a lot from it. Unfortunately that path is very time consuming ;-)
      There is another small risk involved with old guides, similar to “best practices”. What someday could be a best practice, may result in people changing things while they aren’t a best practice anymore. So be careful not to apply old wisdom without thinking (and researching) yourself!

      • Martijn

        Agreed, caution is required, and it takes a lot of time.

        I usually have a couple of approaches to verify stuff before I implement them. Looking up the option in the manual for the current version usually is a good start. Googling a bit using Search Tools > ‘Past Year’, instead of ‘Any Time’ to limit old results and topics, may help as well. Sometimes searching the developer mailing lists to see what was discussed before making the option is very helpful.

        It costs a lot of time, but I think it is worth it though. Understanding something makes me feel more at ease and eventually enables me to take my own decisions based on that understanding.

        A lot of blogs don’t display any kind of time/date or version number with their articles, making it impossible to see how old the advice is. This in turn leads to a lot of badly informed people, who relay this information as good advice to others, which in turn, etc. I’ve been thinking about writing a blogpost about this problem.
