Config Management Camp 2023 Ghent

Cross OS security hardening - the practical stuff
2023-02-07, 15:55–16:45, B.3.037

In 2020 I was able to share a look at a security hardening policy built for Linux systems.
It was built using rudder.io, but the focus of the talk was more on 'strategy items'.

This talk picks up on feedback received and will focus on the technical side, covering actual policy items that should make sense for most.

The talk should serve people who want to harden their systems just as well as those who just want to hear some ideas. It will be sufficient to have an understanding of templating and a general feeling that security matters and that image sprawl is best left in the early 2000s.


Last time, speaking about OS hardening, you could hear about some high-level topics:
- dealing with the multitude of guidelines
- grey zones between guides and opinionated security
- automating testing to reach quality goals
- documentation for long-term maintenance

For 2023 the focus will shift to technical ones:
- templates, groups, variables, for example multiple information sources used to build sshd_config (*)
- generated configuration files and their structure, for sanity
- security 'levels', as in how to classify a system as "slightly" or "strongly" hardened
- integrations (e.g. with Elastic Endgame)

(*) sshd_config is the "hello world" of config management security examples, right?
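The sshd_config item from the list above, as an added example that is not from the talk or from rudder.io: a minimal layered merge (base < security level < groups < host) rendered into an sshd_config, with level-pinned keys that a group or host may not loosen. Keys, group names, levels and the pinning rule are made-up illustration data.

```python
from typing import Dict, List, Set, Tuple

Settings = Dict[str, str]

# Constructed data sources; a real site would load these from a CMDB/inventory.
BASE: Settings = {"Port": "22", "X11Forwarding": "no", "PermitEmptyPasswords": "no"}

LEVELS: Dict[str, Settings] = {
    "slight": {"PermitRootLogin": "prohibit-password", "PasswordAuthentication": "yes"},
    "strong": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "MaxAuthTries": "3"},
}

GROUPS: Dict[str, Settings] = {
    "bastion": {"AllowGroups": "bastion-admins", "LogLevel": "VERBOSE"},
    "legacy-app": {"PasswordAuthentication": "yes"},  # tries to loosen the strong level
}

# Keys a level pins: lower-precedence sources may not override them (hypothetical rule).
PINNED: Dict[str, Set[str]] = {"strong": {"PermitRootLogin", "PasswordAuthentication"}}


def merge(level: str, groups: List[str], host: Settings) -> Tuple[Settings, List[str]]:
    """Merge all sources for one host; return (settings, list of rejected overrides)."""
    merged: Settings = dict(BASE)
    merged.update(LEVELS[level])
    for name in groups:
        merged.update(GROUPS[name])
    merged.update(host)
    rejected: List[str] = []
    for key in sorted(PINNED.get(level, set())):
        wanted = LEVELS[level][key]
        if merged[key] != wanted:
            rejected.append(f"{key}: '{merged[key]}' rejected, level '{level}' pins '{wanted}'")
            merged[key] = wanted
    return merged, rejected


def render(settings: Settings) -> str:
    """Emit a deterministic sshd_config (sorted keys make diffs reviewable)."""
    lines = ["# generated by config management - do not edit by hand"]
    lines += [f"{key} {value}" for key, value in sorted(settings.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cfg, notes = merge("strong", ["bastion", "legacy-app"], {"Port": "2222"})
    print(render(cfg))
    print("\n".join(notes))
```

The rejected-override list is what you would surface in a test or report so that a group weakening a "strongly" hardened host is visible rather than silently applied.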

The 'strategic' topics will still be there; I hope to be able to explain a bit about risk management and system lifecycle.

For example, hardening images versus running systems, and also aspects of systems "built" from random sources.