Comment 18 for bug 1987162

Alexander E. Patrakov (patrakov-gmail) wrote:

@billdietrich444

Note: my comment is a trolling attempt, and hopefully an obvious one due to the choice of an obviously unimplementable-in-a-useful-way standard. Please take only 10% seriously.

It may be a good idea to stop talking about pure security according to our own set of criteria (because what's good enough is open to discussion) and start talking about compliance with recognized standards. We can start with the UK standard named Cyber Essentials, which is required for all organizations that need to deal with the UK government. The standard itself is available at https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf

It has the following testable requirements related to technical controls:

* Firewalls - we can check that the firewall is installed and configured to "block unauthenticated inbound connections by default".

* Secure configuration - this also includes removing unneeded or unused services (and this means that it is forbidden to run the SSH server unless there is a documented business need) and uninstalling unused software. So we might want to display when each piece of software was last used so as to ease the audit. Another testable requirement is that any auto-run feature is disabled or configured to "ask". And also there are some checkable requirements related to device unlocking.

* User access control - we could list administrative accounts. Also, if a fingerprint reader is detected, or another form of 2FA is available, we can list all non-enrolled accounts as non-compliant. We can also check if the password quality requirements are implemented and the mandatory unsuccessful login throttling (or lock-out) policy is enforced by PAM.

* Malware protection - with specific requirements related to on-access scanning of all files (including those on network shares, so sorry, ClamAV is not compliant) and web pages. This was the reason I had to tell one of my clients that they have to stop using Linux or stop dealing with the UK government.

* Security update management - we can check Ubuntu-specific settings related to the freshness of the database, whether a reboot is needed for something to apply (e.g. are there running copies of deleted and replaced binaries, or do they use deleted libraries), and whether the updates are configured to install automatically.

* Backups - we can test whether they are configured through known backup applications.
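As an added illustration of what the testable checks above could look like on an Ubuntu host (this is example code written for this page, not part of the bug thread or of any Ubuntu tooling): four of the controls from the comment expressed as small text-parsing functions, each run against a constructed sample and, when executed directly, against the live system. Assumptions: the firewall is ufw, read through `ufw status verbose`; login throttling is pam_faillock configured in /etc/security/faillock.conf; administrative accounts are members of the sudo, admin or root groups; and the lock-out ceiling of 10 failed attempts is the figure from the Cyber Essentials document as I recall it, so verify it against the PDF before relying on it. The "reboot needed" check follows the comment's own suggestion of looking for processes that still map deleted files in /proc/PID/maps.

```python
#!/usr/bin/env python3
"""Host checks modelled on the Cyber Essentials controls listed in the comment:
inbound-deny firewall, administrative accounts, pam_faillock lock-out, and
processes still holding deleted (replaced-by-update) binaries or libraries.
Every check parses text, so it can run against the constructed samples below."""
import glob
import os
import re
import subprocess

# --- Constructed samples (not captured from a real host) --------------------
SAMPLE_UFW = ("Status: active\nLogging: on (low)\n"
              "Default: deny (incoming), allow (outgoing), disabled (routed)\n")
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice,bob\nusers:x:100:carol\n"
SAMPLE_FAILLOCK = "# deny after this many failures\ndeny = 5\nunlock_time = 900\n"
SAMPLE_MAPS = (
    "7f3c0e000000-7f3c0e1c2000 r-xp 00000000 08:01 1048721 "
    "/usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)\n"
    "7f3c0e1c2000-7f3c0e1c4000 rw-p 00000000 00:00 0\n"          # anonymous
    "7f3c0e200000-7f3c0e201000 rw-s 00000000 00:01 42 /memfd:pulse (deleted)\n"
    "55aa00000000-55aa00010000 r-xp 00000000 08:01 99 /usr/sbin/sshd\n")


def ufw_blocks_inbound(status_text):
    """True if ufw reports itself active with a deny/reject default for incoming.
    Assumes the `ufw status verbose` output format."""
    active = deny_in = False
    for line in status_text.splitlines():
        if line.startswith("Status:"):
            active = line.split(":", 1)[1].strip() == "active"
        m = re.match(r"Default:\s*(\w+)\s*\(incoming\)", line)
        if m:
            deny_in = m.group(1) in ("deny", "reject")
    return active and deny_in


def admin_accounts(group_text, admin_groups=("sudo", "admin", "root")):
    """Members of the administrative groups, parsed from /etc/group text."""
    admins = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] in admin_groups:
            admins.update(m for m in fields[3].split(",") if m)
    return admins


def lockout_policy(faillock_conf, max_attempts=10):
    """(deny, compliant) from /etc/security/faillock.conf text. pam_faillock uses
    deny = 3 when the key is absent and deny = 0 means never lock. The ceiling of
    10 attempts is assumed to be the Cyber Essentials figure; check the PDF."""
    deny = 3
    for line in faillock_conf.splitlines():
        line = line.split("#", 1)[0].strip()        # drop trailing comments
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "deny" and value.isdigit():
                deny = int(value)
    return deny, 0 < deny <= max_attempts


def deleted_mappings(maps_text):
    """Paths of file-backed mappings whose file was deleted, from /proc/PID/maps.
    A binary or library replaced by a package update stays mapped this way until
    the process restarts. memfd and /dev pseudo-files are ignored."""
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)               # addr perms offset dev inode path
        if len(parts) == 6 and parts[5].endswith(" (deleted)"):
            path = parts[5][:-len(" (deleted)")]
            if path.startswith("/") and not path.startswith(("/memfd:", "/dev/")):
                paths.add(path)
    return paths


def processes_needing_restart():
    """Live scan of /proc: {pid: deleted paths} for processes holding deleted files.
    Unreadable entries (no root, or the process exited mid-scan) are skipped."""
    stale = {}
    for maps in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(maps) as f:
                found = deleted_mappings(f.read())
        except OSError:
            continue
        if found:
            stale[int(maps.split("/")[2])] = found
    return stale


if __name__ == "__main__":
    print("sample firewall check:", ufw_blocks_inbound(SAMPLE_UFW))
    print("sample admin accounts:", sorted(admin_accounts(SAMPLE_GROUP)))
    print("sample lock-out policy:", lockout_policy(SAMPLE_FAILLOCK))
    print("sample deleted mappings:", sorted(deleted_mappings(SAMPLE_MAPS)))
    # Live checks; these need ufw installed and root for full /proc visibility.
    try:
        ufw = subprocess.run(["ufw", "status", "verbose"], capture_output=True, text=True)
        print("live firewall check:", ufw_blocks_inbound(ufw.stdout))
    except FileNotFoundError:
        print("live firewall check: ufw not installed")
    with open("/etc/group") as f:
        print("live admin accounts:", sorted(admin_accounts(f.read())))
    conf = "/etc/security/faillock.conf"
    print("live lock-out policy:", lockout_policy(open(conf).read() if os.path.exists(conf) else ""))
    for pid, paths in sorted(processes_needing_restart().items()):
        print(f"pid {pid} still maps deleted files: {sorted(paths)}")
```

The live part only reports; deciding whether a flagged sshd process is a "documented business need" or whether a deleted-library mapping is harmless is still a human judgement, which is roughly where the comment's point about auditability rather than pure security lands.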