[WEB SECURITY] LAMP Security Guide - Focused on Drupal

Mike Gifford mike at openconcept.ca
Tue Nov 19 19:42:28 EST 2013

On Nov 19, 2013, at 6:21 PM, John Kinsella <jlk at thrashyour.com> wrote:
> Mike - didn't intend to come off harsh/blunt in my last note but I did, my apologies.

No worries. It's a reasonably long document and I was asking for a free review from a list which contains folks with a lot more security expertise than I have. 

> I also didn't intend to not read the paper, but it seems like i did that as most of what I pointed out was incorrect. Not sure what crawled up inside me this morning!

Happens to all of us some of the time I figure.

> Overall (now that I'm awake), good doc. I think partially what got me is the mix of links and indented example text - I think just flipping through it, I was looking just at the indented text and missed a bunch of the suggestions/recommendations. The reason I was flipping through was because the doc is 30 pages long, which is why I suggested just linking to hardening guides for the sections up-front. You've included tons of links to options/suggestions - great for the academic discussion, but I'd guess the target reader would prefer something more prescriptive?

The intended audience of the document isn't straight forward.  The first part of the document is really meant to be an overview that could be shared with management.  Ultimately, if they don't understand why security is important or why it needs proper resourcing then they aren't going to fund it correctly.  

This document could very easily become a book, however, I don't have time for that and really am not enough of a writer or security geek to pull it off.  I was trying to achieve a balance between simple command line tools that an administrator could install and the vast documentation that could accompany each one.  Thus all the links to other documents throughout.  

I'm still not sure what the target reader would prefer.  I haven't gotten enough feedback.  

> I suspect you posted this morning for security feedback not "it's too long," so I'll bring it back to that - as it felt too long to me, I bypassed a significant portion of the information. If I was trying to harden a system based on the doc, I would have missed a bunch of stuff.

This is very useful feedback.  Possibly it should be a number of distinct documents.  We're also looking at putting something up on Github that's more targeted.  Possibly with Puppet scripts or checklists that can be downloaded.  

> Maybe have a TL;DR version, as well as the more conservational one? Just a thought, hopefully this feedback's a little more useful. :)

This was useful but the last one also reminded me to reach out to the security team on Drupal.org.  So I reached out to almost everyone here:

Lee Rowlands told me about:
	sudo apt-get install rkhunter

And reminded me about Puppet/Chef which would allow you to:
	a) restore your server and come back online quickly 
	b) ensure you don't miss critical setup steps

That makes it longer still, but if it's broken down into small pieces it should help deal with the TL:DR issue.  

Mike Gifford, President, OpenConcept Consulting Inc. 
Drupal 8 Core Accessibility Maintainer -> http://drupal.org/user/27930
http://twitter.com/mgifford | http://linkedin.com/in/mgifford

Open source web development for social change – http://openconcept.ca 

More information about the websecurity mailing list