Univention Bugzilla – Bug 57166
Easy and transparent way for customers to security-harden UCS
Last modified: 2024-03-21 13:18:10 CET
In a customer project, the idea of implementing security levels via UCR came up. The customer needs to make the use of UCS BSI-compliant and wants us to implement a mechanism that can harden various services such as SSH, Apache2, DNS (by adapting the cipher, algorithm, etc.) via UCR. I don't mean existing UCR for individual services, but a global UCR that sets various services to the highest security level at once. I see a conflict here between "we offer an open configuration that the customer has to maintain themselves" and "we take care of this for the customer". What do you think?
Inspiration: https://help.univention.com/t/ucs-and-security-hardening/6059
Besides a "key that turns multiple keys" being difficult to implement and maintain, it raises questions: what if the global key is set, and the customer wants to change just one setting back: will it also set the global key to false? If not, what does "true" mean then? Instead, I suggest writing a nice CLI script that asks the customer questions and makes proposals: "I see you have Dovecot installed. Do you want me to change the following UCRs: .....?" Such a script can be enhanced over time with new software and new defaults and can be part of UCS.
Yes, it could start as a CLI and grow into something like a UMC module (similar to System Diagnostics). IMHO it would have some use to add some verification functionality where possible, so that you know that the switch is not just set to "safety level XYZ" but the wire behind that switch has been cut.
We also considered the script route. Alternatively, a list of recommendations would also be conceivable, which the customer then implements himself. I like the idea with the process script, then later a UMC module with visibility of the respective settings. That is certainly all debatable. I can't estimate the added value for other customers. Basically, however, I think that we should think along as providers or at least make recommendations.
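A sketch of the proposal script discussed in the two comments above, added here as an illustration and not code from Univention or this bug: it only proposes settings for installed services, derives the reported level from the actual values (the "verification" point) instead of storing a global switch, so reverting one individual key lowers the level again. All package names, variable names and values are constructed placeholders, not real UCR keys.

```python
# Constructed, hypothetical hardening profile for this example. The variable
# names and values are placeholders, not real UCR keys or Univention defaults.
HARDENING_PROFILE = {
    "openssh-server": {"example/sshd/ciphers": "strong-only",
                       "example/sshd/permit-root-login": "no"},
    "apache2": {"example/apache2/tls/min-version": "1.2"},
    "dovecot-core": {"example/dovecot/ssl/min-protocol": "TLSv1.2"},
}

def applicable_keys(installed_packages):
    """Only consider settings of services that are actually installed."""
    keys = {}
    for package, settings in HARDENING_PROFILE.items():
        if package in installed_packages:
            keys.update(settings)
    return keys

def proposals(registry, installed_packages):
    """Return (key, current, recommended) for every applicable key that deviates."""
    wanted = applicable_keys(installed_packages)
    return [(k, registry.get(k), v) for k, v in wanted.items() if registry.get(k) != v]

def effective_level(registry, installed_packages):
    """Derive the level from the real settings instead of storing a global key:
    reverting one individual key automatically lowers the reported level."""
    wanted = applicable_keys(installed_packages)
    if not wanted:
        return "not-applicable"
    deviating = len(proposals(registry, installed_packages))
    if deviating == 0:
        return "hardened"
    return "partial" if deviating < len(wanted) else "default"

def apply_proposals(registry, installed_packages, confirm):
    """Apply each proposal the confirm callback accepts; returns a new dict."""
    updated = dict(registry)
    for key, current, recommended in proposals(registry, installed_packages):
        if confirm(key, current, recommended):
            updated[key] = recommended
    return updated

if __name__ == "__main__":
    # Constructed sample state: sshd still on defaults, apache already hardened.
    registry = {"example/sshd/ciphers": "default",
                "example/apache2/tls/min-version": "1.2"}
    installed = {"openssh-server", "apache2"}
    for key, current, recommended in proposals(registry, installed):
        print(f"I see {key}={current!r}. Change it to {recommended!r}?")
    print("effective level:", effective_level(registry, installed))
```

In a real implementation the `confirm` callback would be the interactive question and the registry dict would be read from and written to UCR.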