Not a fan of this guide: No explanations, no context and worse: missing critical stuff for your typical hosted $webapp server use case:
Run services as a normal user and confine them using AppArmor (or SELinux if you are a masochist).
The NSA will probably hack you anyway, but that drive-by script-kiddie that kills your company JIRA instance by DDoSing some gameserver while exploiting some old WordPress plugin can be stopped by AppArmor!
What's missing is some kind of kernel live patching - if someone who is not a script-kiddie is on your machine, that WordPress shell is a nice tool to elevate to root - your kernel is rotting and exploits are plenty... so consider some kind of live-patching if you are paranoid.
Also no discussion about updates, the need to restart services for reloading updated .so files (like openssl)...
You can obey that guide and be busy with life and some skiddy root exploits your box anyway...
So /rant - there must be some better guides? Found those CIS benchmarks (https://www.cisecurity.org) a mixed bag - is there anything better out there?
from Hacker News - New Comments: "WordPress" http://bit.ly/2Re59mD
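
The restart-after-update point raised in the comment above can be checked mechanically. The following is an added example, not part of the original comment: a Python script that reads /proc/<pid>/maps and reports processes still running code from a shared library that has since been deleted or replaced on disk. The function names and the sample maps text are constructed for illustration.

```python
import os
import re

# A maps line: address perms offset dev inode pathname [" (deleted)"]
# "(deleted)" means the file was unlinked (e.g. replaced by an upgrade) after mapping.
_MAPS_RE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s+(.+?)\s+\(deleted\)$"
)
_SO_RE = re.compile(r"\.so(\.[0-9A-Za-z_.-]+)?$")

def stale_libs(maps_text):
    """Return deleted shared objects that are still mapped executable."""
    found = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m and "x" in m.group(1) and _SO_RE.search(m.group(2)):
            found.add(m.group(2))
    return sorted(found)

def scan_proc(proc_root="/proc"):
    """Map pid -> (command name, stale libraries) for each readable process."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = stale_libs(fh.read())
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited or unreadable; run as root for full coverage
        if libs:
            report[int(entry)] = (comm, libs)
    return report

# Constructed sample of one process's maps file (not captured from a real host).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a2f000 r-xp 00000000 08:01 262301 /usr/sbin/nginx
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1d200000-7f3a1d25d000 r--p 00000000 08:01 1312345 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1d25d000-7f3a1d2b1000 r-xp 0005d000 08:01 1312345 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a1d600000-7f3a1d7a0000 r-xp 00000000 08:01 1312400 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3a1e000000-7f3a1e001000 rw-s 00000000 00:01 2049 /memfd:cache (deleted)
"""

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan_proc().items()):
        print(f"{pid}\t{comm}\t{', '.join(libs)}")
```

Any process it lists is still executing the old library code and needs a restart before the update takes effect for that service.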