[WIP] Add security intro #95
base: main
Conversation
Provided some in-line comments to further guide you.
You said it isn't yet fully ready, so I'm neither approving nor rejecting at this stage.
immediate use, it is important to have a balanced understanding of your | ||
system's security posture based on how it will be used after deployment. It's | ||
important to take a layered approach so that your system's security is not | ||
dependent on a single |
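Review bot: the sentence ending "dependent on a single" in this hunk is cut off and needs its noun, e.g. "a single control"; while fixing it, the "layered approach" claim would land better with one concrete illustration, such as a host firewall still limiting the exposure of a service whose own access control has been misconfigured.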
single what?
consider for your use-case. Again, the list is not intended to be exhaustive, | ||
but rather a starting point. | ||
|
||
For a more thorough treatment of security in Ubuntu, we recommend checking |
"we also recommend", otherwise it sounds like: read here if you are not serious, but there if you are.
And sadly - as we know and as of today - there, people find mostly marketing and not so much actionable
[Ubuntu Pro](https://ubuntu.com/pro) subscription. Ubuntu Pro is available | ||
for free on up to 5 machines (for business or personal use). Although the | ||
compliance and certification features of Ubuntu Pro are likely to be of more | ||
interest to enterprise users, the security patching features are great for |
That sounds odd, how about "security patching features" -> "enhanced security coverage"
### Vulnerability management | ||
|
||
In a standard Ubuntu LTS release, security support is provided for packages in | ||
the Main repository for 5 years. With Ubuntu Pro, this is expanded to 10 years, |
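Review bot: "security support is provided ... for 5 years" should be tied to an action the reader takes: the coverage only helps if the published updates are actually installed, so this hunk should say how (or link the page on keeping the system updated) rather than only stating the support period. "Main" also appears here without being introduced as a repository component; a link to the page explaining the components at first mention would avoid the reader guessing.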
Is this mention of Main worth a link to the page explaining the components?
(which experienced system admins may prefer to use directly). To get started | ||
with `ufw`, check out our {ref}`firewalls` guide. | ||
|
||
1. **Use the Secure Shell (SSH)** protocol to secure remote access. In Ubuntu, |
Using ssh is fine, the art is doing it well.
We sadly lack content here on the pages to suggest proper key types and sizes, using passphrases, potentially storing the private key securely, as well as something like two-factor authentication, like http://www.justgohome.co.uk/blog/2013/07/better-two-factor-ssh-authentication-on-ubuntu.html
If not there yet we at least should track that as an extension of the content.
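One concrete check behind the "proper key types and sizes" point in the comment above, as an added example that is neither the PR's nor the Ubuntu documentation's code: it parses `authorized_keys` lines from OpenSSH's public-key wire format and grades each key against an assumed policy (ed25519 and ecdsa accepted, RSA only at 3072 bits or more, DSA rejected, and the text prefix must match the type encoded in the blob). The sample keys are constructed inline and are not real keys.

```python
import base64
import struct

# Assumed policy (not from the page): RSA below 3072 bits is weak, DSA is rejected.
MIN_RSA_BITS = 3072
ACCEPTED = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}

def _read_string(blob, off):
    """Read one length-prefixed field of OpenSSH's public-key wire format."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def make_pubkey_line(key_type, fields, comment):
    # Encodes constructed fields as an authorized_keys line (sample input only).
    blob = b"".join(struct.pack(">I", len(f)) + f for f in [key_type.encode()] + fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def check_key(line):
    """Classify one authorized_keys line; options before the key type are skipped."""
    parts = line.split()
    idx = next((i for i, p in enumerate(parts)
                if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(parts):
        return ("?", "unparseable")
    key_type, comment = parts[idx], " ".join(parts[idx + 2:])
    blob = base64.b64decode(parts[idx + 1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        return (comment, "type mismatch")       # prefix and blob disagree
    if key_type not in ACCEPTED:
        return (comment, f"rejected {key_type}")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent
        n, _ = _read_string(blob, off)          # modulus (mpint, may carry a 0x00 pad)
        bits = int.from_bytes(n, "big").bit_length()
        return (comment, f"{'ok' if bits >= MIN_RSA_BITS else 'weak'} rsa {bits} bits")
    return (comment, f"ok {key_type}")

def audit(text):
    return [check_key(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def sample_file():
    # Constructed sample keys, not real ones: each RSA modulus is just 2^(k-1) + 1.
    rsa = lambda k: [b"\x01\x00\x01", b"\x00" + ((1 << (k - 1)) | 1).to_bytes(k // 8, "big")]
    return "\n".join([
        make_pubkey_line("ssh-rsa", rsa(2048), "old-laptop"),
        'from="10.0.0.0/8" ' + make_pubkey_line("ssh-rsa", rsa(4096), "bastion"),
        make_pubkey_line("ssh-ed25519", [b"\x01" * 32], "hardware-token-backup"),
        make_pubkey_line("ssh-dss", [b"\x02"] * 4, "legacy"),
    ])
```

Running `audit(sample_file())` yields one `(comment, verdict)` pair per key; `audit(open("/home/user/.ssh/authorized_keys").read())` applies the same policy to a real file.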
systems. Learn more in our | ||
{ref}`introduction to Kerberos <introduction-to-kerberos>`, or see our | ||
section on how to {ref}`set up and use Kerberos <how-to-kerberos>`. | ||
1. **System Security Services Daemon (SSSD)** is a collection of daemons that |
To be fair to all options, should we include integration into an Active Directory in this list?
|
||
### Security of communications | ||
|
||
1. **TLS/SSL** for secure communication |
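Review bot: "TLS/SSL for secure communication" is a heading-only item; spell out what transport encryption gives the reader (confidentiality and integrity of data in transit, plus authentication of the server through its certificate) and that it is only as good as the certificate and secret handling behind it, before linking the per-service examples. Prefer "TLS" on its own: SSL is the deprecated predecessor, and the name survives mainly in library and option names.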
I think we need here a short "why you'd want transport security" in general, and can then refer to those examples - because in reality it is always different and depends on the solution they are setting up.
Reminding users to use some transport-level security is fair without explaining all potential options.
Just be open that many stacks offer it, some even try to use it by default, but even then it requires certificate/secrets management which is why it almost always needs the system administrator to get it to be really good.
Adds an expanded introduction to security and a "suggestions" page that signposts all our other security-related content
(please don't merge yet, still not quite finished adding context to the suggestions page)