Re: a secure base system
From: martin f krafft <madduck () madduck net>
Date: Mon, 15 Mar 2004 21:15:39 +0100
also sprach harry <Rik.Bobbaers () cc kuleuven ac be> [2004.03.15.1237 +0100]:
> - /var and /tmp mounted nosuid and noexec

as others have probably written, this won't do much. first, noexec
can be easily overridden:
and second, nosuid on /var will make a couple of programs in Debian
fail. i don't remember which.

> - grsec kernel

why not use SELinux?

> ==> is this ok, too paranoia or is there something i'm missing, and
> could it be even more safe?

you can surely get this a lot more safe, especially against local

> how about a compiler? normally, all soft on it is compiled by
> hand, but it is also "necessary" for a local exploit.

i can compile on my system and then run it on yours. you can install
a compiler if you need it.

also sprach Jochem Kossen <jkossen () xs4all nl> [2004.03.15.1424 +0100]:
> How about /home? and how about nodev? (dunno if Linux has nodev)

sure it does. mounting /home and the others nodev is a good idea.

> It could be more safe definitely. How about OpenBSD? (ye ye i'm
> biased ;), but there are more security oriented solutions around)

OpenBSD, Debian, OpenBSD, Debian... guess which one I'll pick. And
that's not a hard decision.

also sprach Tobias Weisserth <tobias () weisserth de> [2004.03.15.1933 +0100]:
> If you want an up to date and modern productivity distribution with a
> good security policy you mustn't use Debian but an alternative like
> Fedora or SuSE or maybe Mandrake.

You may just as well use Debian and stay up to date with the

> I know this will raise flames en masse from Debian fans. But it's
> a sour truth that Debian woody is hopefully outdated and as long
> as the Debian security team doesn't support the other releases
> it's no option at all to use these other releases in productive

Productive environments are one of two kinds: servers and
What's missing from Woody for a server?
And concerning workstations: your security better shield a security
problem on a workstation.

> /tmp should always be mounted noexec. Add /home as well with noexec. Why
> should users be able to install or run programs from within their home
> directories anyway? Administered systems supply everything users need,
> so there's no need to give them this freedom. This may be a trade-off,
> but the result is more security.

whatever. read above.

> You have missed the most important thing: file integrity checking. Take
> a look at Tripwire or AIDE.

martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net () madduck
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
kill ugly radio
-- frank zappa
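
A check for the mount options debated in this thread, as an added example that is not part of the original message. The `POLICY` table only collects the options the posters proposed for /tmp, /var and /home (it is not a recommendation; the reply notes that nosuid on /var breaks some Debian programs), and the sample mount table is constructed.

```python
import re

# Options proposed in the thread per mount point (assumed policy, for illustration).
POLICY = {
    "/tmp": {"nosuid", "noexec", "nodev"},
    "/var": {"nosuid", "noexec"},
    "/home": {"nodev", "noexec"},
}

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \040 \011 \012 \134
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def effective_mounts(mounts_text):
    """Map mount point -> option set; a later line overmounts an earlier one."""
    table = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        table[_unescape(fields[1])] = set(fields[3].split(","))
    return table

def audit(mounts_text, policy=POLICY):
    """Return {path: sorted missing options}, or None where path is not its own mount."""
    table = effective_mounts(mounts_text)
    report = {}
    for path, wanted in policy.items():
        if path not in table:
            # Not a separate filesystem: the parent's options apply, so
            # per-directory nosuid/noexec/nodev cannot be set at all.
            report[path] = None
        else:
            report[path] = sorted(wanted - table[path])
    return report

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE = """\
/dev/hda1 / ext3 rw,errors=remount-ro 0 0
/dev/hda5 /var ext3 rw,nosuid 0 0
/dev/hda6 /tmp ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
"""

if __name__ == "__main__":
    for path, missing in audit(SAMPLE).items():
        print(path, "not a separate mount" if missing is None else missing or "ok")
```

To audit a live Linux host, pass the contents of /proc/mounts to `audit()` instead of `SAMPLE`.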