[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Sectool-list] msec + sectool?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/02/2009 05:52 AM, Eugeni Dodonov wrote:
> Hi,
> 
> First of all, let me introduce myself. I work for Mandriva, developing
> the msec project, and I just recently found out about sectool (actually,
> it was from AdamW's blog post -
> http://www.happyassassin.net/2009/09/01/test-days-boog-and-more/). I
> started working on msec project a bit less than a year ago, and since
> then it underwent lots of changes - we now support custom security
> levels, plugins, and many new features. However, I was not aware of the
> sectool project when I started, that's why I haven't contacted you before.
> 

Cool, I might need to look at msec again. We looked at it when we
started designing sectool which was before you started and it did not
seem alive much (IIRC, I might be wrong).

>>From what I read on the wiki site (and seen in the code), you are doing
> a great project, and it has many similar features to msec. The biggest
> difference between msec and sectool is that sectool is focused on
> security checks (like vdanen's rsec tool -
> http://linsec.ca/blog/2009/08/25/monitor-your-system-for-threats-with-rsec-alerts/),
> while msec also aims at providing features which would configure the
> system security automatically.
> 

Yes, this was a concise design decision. We believe a hardening tool
should *never* touch configuration and that it also shouldn't give hints
that are easy to apply just with copy-n-paste. There had been too many
broken systems as a result of hardening attempt.

> Anyway, I think that both msec and sectool projects could benefit from
> each other. For example, msec could support sectool plugins, or sectool
> could grab msec features, or anything like that. I would just like to
> let you know that I am all open for any kind of cooperation with you if
> you are interested! I think that the not-invented-here syndrome does not
> truly belongs to the open source world, so if one opensource project
> could help other - I am more than interested in it!
> 

There's definitely something to think about. I agree that
distro-specific packages are bad.

That have been said, the main developer attention w.r.t. security
auditing tool had shifted from Sectool to OpenScap -
http://www.open-scap.org/page/Main_Page Sectool is not dead, as shown by
the test day, it's just aimed at different use-cases (desktop, single
systems) than OpenScap (datacenter, standard compliance). You might also
want to take a look at the OpenScap project.

> I put this on a blog post too -
> http://dodonov.net/blog/2009/09/02/msec-future-and-plans/ - so feel free
> to comment there as well if you find it interesting.
> 

/me looks

> Keep up the good work!

You too, thanks for letting us know!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkqfcC8ACgkQHsardTLnvCVAlACfdnu3g7ZJ6xV01gd0/gvAUhWq
CIIAnj7S1XeCpgUh/lllezahflqqNDnh
=7aD8
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]