D&C GLug - Home Page


Re: [LUG] Linux Security Mentoring

 

Philip Radford wrote:
>
> We have funding set aside for mentoring, so we are specifically looking for
> advice on online security and locking down the servers. Does anyone on this
> list know of a company or someone in the field within the Devon & Cornwall
> area who could provide mentoring/advice in this field of expertise?

Sort of thing I do, have done, but I typically do it and haven't mentored,
so not sure expertise is the appropriate phrase.

It is also potentially a big topic, I don't have the skills to advise on
PHP coding specifics assuming you mean PHP for the P in LAMP, there are
folks here that do (Gemma springs to mind - although she has been quiet
recently, I'm sure there are others), I don't have the skills to advise on
SELinux, which might be vital to you depending on the sort of threat you
anticipate, our local expert on that got married and moved away, although
again we may have gained some more since.

What are you hoping to gain by looking for local expertise, are you expecting
people to go to Redruth?

Are there specific tools you are looking at? Are there specific packages
you expect to support (Wordpress/Drupal/MediaWiki), or is it in-house
code?

The main gotcha with Debian PHP is the default php.ini is intended for
development. Debian also package Suhosin, install it early for PHP and
lock it down so you are relaxing things, as retrospectively tightening up
those sorts of permissions never works (you break stuff and people
complain, whereas if it never works in the first place they either ask or
do something different).

The other aspect is that "locking down" beyond the well trodden paths
often creates additional burdens on maintenance and development, and good
security is picking the right balance between locked down tight, and not
unduly restrictive, which depends on the threat model.


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
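
One way to check a php.ini against the point above about development-oriented defaults, as an added example that is not part of the original post. The directive list, the strict values and the sample file are this example's own choices (the post names none), and a directive reported as "unset" falls back to PHP's built-in default.

```python
import re

# Constructed sample php.ini (not taken from the post or from any real host).
SAMPLE_INI = """\
[PHP]
display_errors = Off
display_startup_errors = On
zend.assertions = 1   ; inline comment
;expose_php = Off
allow_url_include = "0"
display_errors = On
"""

# Spellings the ini parser treats as "off".
OFF = {"0", "off", "no", "false", "none", ""}

def is_off(value):
    return value.lower() in OFF

# Directive -> predicate that is True when the value is the locked-down one.
# Assumption: this list is illustrative, chosen for the example.
LOCKED_DOWN = {
    "display_errors": is_off,
    "display_startup_errors": is_off,
    "expose_php": is_off,
    "allow_url_include": is_off,
    "zend.assertions": lambda v: v == "-1",
}

# "name = value", ignoring section headers, ';' comment lines and inline comments.
LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*([^;]*)")

def parse_ini(text):
    """Return directive -> value; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit(text):
    """Classify each tracked directive as 'ok', 'relaxed' or 'unset'."""
    settings = parse_ini(text)
    return {name: ("unset" if name not in settings
                   else "ok" if locked(settings[name]) else "relaxed")
            for name, locked in LOCKED_DOWN.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INI).items():
        print(f"{name:26} {status}")
```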