On Wed, 2016-04-20 at 19:53 +0000, [email protected] wrote:
> Why isn't Debian 8.4 secure by default? Does the Debian team ever run
> a security audit with Lynis security audit tool? It finds numerous
> security issues such as the sshd_config not configured properly.

What constitutes "secure" depends on many factors and has to be balanced against usability and functionality. It's not a one-size-fits-all concept, and an "audit tool" can't give a definitive answer.

If you wish to discuss the various trade-offs further, please do so in either a user support forum or security-related venue - the debian-release list is neither. You will probably want to start by identifying actual issues, rather than simply "this tool I found says bad things; why?".

For the record, on a Debian 8 machine that didn't previously have an SSHD installed, installing the openssh-server package and running the latest version of lynis from the upstream website... fails miserably with more than half a dozen shell script errors due to repeated attempts to access unset variables without quoting. This does make me wonder how you performed your test to begin with.

Fixing up the errors (well, hacking the tests so that they always evaluate to "yes, run this check", as the variables don't exist at all) so that the script can actually be run leads to the following for SSHD:

[21:45:34] Performing test ID SSH-7412 (Check SSH option: PermitRootLogin)
[21:45:34] Test: check PermitRootLogin option
[21:45:34] Result: PermitRootLogin is disabled. Root can't login directly
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 57, total: 86
[21:45:34] ===---------------------------------------------------------------===
[21:45:34] Performing test ID SSH-7414 (Check SSH option: Protocol)
[21:45:34] Test: check allowed SSH protocol versions
[21:45:34] Result: only protocol 2 is allowed
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 60, total: 89
[21:45:34] ===---------------------------------------------------------------===
[21:45:34] Performing test ID SSH-7416 (Check SSH option: StrictModes)
[21:45:34] Test: Check configured StrictModes option
[21:45:34] Result: StrictModes active, file permissions are checked
[21:45:34] Hardening: assigned 3 hardening points (max for this item: 3), current: 63, total: 92
[21:45:34] ===---------------------------------------------------------------===
[21:45:34] Performing test ID SSH-7440 (Check SSH option: AllowUsers and AllowGroups)
[21:45:34] Result: AllowUsers is not set
[21:45:34] Result: AllowGroups is not set
[21:45:34] Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
[21:45:34] Hardening: assigned 0 hardening points (max for this item: 1), current: 63, total: 93

This does not include any suggestion that "the sshd_config not configured properly".

Regards,

Adam
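
An added illustration, not part of the message above and not Lynis code: a small shell check of the four sshd options the log covers, written so that an option missing from the file is reported as UNSET instead of triggering an unset-variable or unquoted-test error. The function names, the OK/WEAK/UNSET labels and the sample file are assumptions made for this example; `Match` blocks and `key=value` syntax are not handled.

```shell
set -u  # any access to an unset variable becomes a hard error

# Print the first value of keyword $2 in sshd_config-style file $1
# (sshd uses the first value it obtains; keywords are case-insensitive).
sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Classify one option as OK, WEAK or UNSET.
# $1 file, $2 keyword, $3 value treated as hardened (lower case)
check_opt() {
    val=$(sshd_opt "$1" "$2")
    # Always quote, and give a default: an unquoted empty value in a test
    # such as [ $val = no ] is a syntax error, not a "false".
    if [ -z "${val:-}" ]; then
        echo "UNSET"
    elif [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$3" ]; then
        echo "OK"
    else
        echo "WEAK"
    fi
}

# Constructed sample configuration (not taken from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample sshd_config
Protocol 2
PermitRootLogin no
StrictModes yes
EOF

audit() {
    for pair in PermitRootLogin:no Protocol:2 StrictModes:yes; do
        printf '%-16s %s\n' "${pair%%:*}" "$(check_opt "$1" "${pair%%:*}" "${pair##*:}")"
    done
    # AllowUsers/AllowGroups have no single hardened value; report presence only.
    for key in AllowUsers AllowGroups; do
        if [ -n "$(sshd_opt "$1" "$key")" ]; then s=SET; else s=UNSET; fi
        printf '%-16s %s\n' "$key" "$s"
    done
}

audit "$SAMPLE"
```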

