2 comments

I was expecting something more... advanced? Like configuring AppArmor, SELinux, restricting perms and identifying SUID binaries, maybe changing the owner of the files which are accessible from the internet to a different user than the daemon serving it, or chrooting services using (docker|chroot jails|configuring the service appropriately or running it via firejail), or setting up inotify hooks to monitor file actions on certain paths of the system (/dev, /etc, cronjobs, ...) and sending warnings and logs to a remote syslog server. Installing a grsecurity kernel, AIDE, rkhunter... something that attaches to nfqueue (like OpenSnitch does), maybe configuring tripwire or similar programs... setting ACLs using chattr on extX filesystems, ...
gus
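One of the items on gus's list, identifying SUID binaries, is easy to turn into a repeatable check: record the set of set-user-ID and set-group-ID files once, then diff the live system against that baseline so any new privileged binary shows up. The script below is an added example written for this thread, not code from the post or its author; it builds a throwaway directory tree under mktemp rather than scanning a real root, and the `baseline.txt` name and the `demo_setuid_audit` helper are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): audit SUID/SGID files against
# a known-good baseline and report drift. Paths and file names are constructed.

# list_setuid DIR: sorted list of regular files under DIR with the SUID or SGID bit set.
# -xdev keeps the scan on one filesystem so a real run does not wander into /proc or mounts.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# check_setuid_drift DIR BASELINE: compare the current SUID/SGID set with BASELINE.
# Returns 0 when identical, 1 when files were added or removed (details go to stderr,
# which is where a cron job or remote syslog forwarder would pick them up).
check_setuid_drift() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    list_setuid "$dir" > "$current"
    new=$(comm -13 "$baseline" "$current")    # lines only in current  -> newly privileged
    gone=$(comm -23 "$baseline" "$current")   # lines only in baseline -> removed
    rm -f "$current"
    if [ -n "$new" ] || [ -n "$gone" ]; then
        [ -n "$new" ] && printf 'NEW SUID/SGID:\n%s\n' "$new" >&2
        [ -n "$gone" ] && printf 'REMOVED SUID/SGID:\n%s\n' "$gone" >&2
        return 1
    fi
    return 0
}

# demo_setuid_audit: constructed tree, baseline it, then simulate a new SUID file.
# Prints "<first check> <second check>", i.e. "0 1" when drift detection works.
demo_setuid_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf '#!/bin/sh\n' > "$root/bin/ok_tool"
    chmod 4755 "$root/bin/ok_tool"            # expected SUID file (constructed)
    printf '#!/bin/sh\n' > "$root/bin/plain"
    chmod 0755 "$root/bin/plain"              # ordinary file, must not be listed
    baseline="$root/baseline.txt"
    list_setuid "$root" > "$baseline"         # record the known-good state
    check_setuid_drift "$root" "$baseline" && first=0 || first=1
    printf '#!/bin/sh\n' > "$root/bin/dropped"
    chmod 4755 "$root/bin/dropped"            # simulate an unexpected new SUID file
    check_setuid_drift "$root" "$baseline" && second=0 || second=1
    rm -rf "$root"
    echo "$first $second"
}
```

On a real host you would generate the baseline with `list_setuid / > /var/lib/suid-baseline.txt` (an assumed path) right after installation, re-run `check_setuid_drift` from cron, and ship the stderr output to the remote syslog server the comment mentions; the same baseline-and-diff pattern is what AIDE and tripwire do for file hashes and permissions more generally.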
Our problem is still that so many out there believe Windows is a scale to measure it all up to. Here you can make those tools as well and someone can quickly find ways to circumvent whatever you make; it's so easy to walk around it that few bother. But I agree fully, it's just to make some file system scripts, new UID and GID and a couple of screens to configure. Then you have something of huge value that cannot be achieved on Windows - but maybe on Mac / iOS. So I expect more, but I am used to this.