Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: a secure base system
From: martin f krafft <madduck () madduck net>
Date: Mon, 15 Mar 2004 21:15:39 +0100

also sprach harry <Rik.Bobbaers () cc kuleuven ac be> [2004.03.15.1237 +0100]:
- /var and /tmp mounted nosuid and noexec

as others have probably written, this won't do much. first, noexec
can be easily overriden:

  /lib/ld-linux.so.2 /tmp/trojan

and second, nosuid on /var will make a couple of programs in Debian
fail. i don't remember which.

- grsec kernel

why not use SELinux?

==> is this ok, too paranoia or is there somenting i'm missing, and 
cound it be even more safe?

you can surely get this a lot more save, especially against local
access.

how about a compiler? normally, all soft on it is compiled by
hand, but it is also "necessary" for a local exploit.

i can compile on my system and then run it on yours. you can install
a compiler if you need it.

also sprach Jochem Kossen <jkossen () xs4all nl> [2004.03.15.1424 +0100]:
How about /home? and how about nodev? (dunno if Linux has nodev)

sure it does. mounting /home and the others nodev is a good idea.

It could be more safe definitely. How about OpenBSD? (ye ye i'm
biased ;), but there are more security oriented solutions around)

OpenBSD, Debian, OpenBSD, Debian... guess which one I'll pick. And
that's not a hard decision.

also sprach Tobias Weisserth <tobias () weisserth de> [2004.03.15.1933 +0100]:
If you want an up to date and modern productivity distribution with a
good security policy you mustn't use Debian but an alternative like
Fedora or SuSE or maybe Mandrake.

You may just as well use Debian and stay up to date with the
security problems.

I know this will raise flames en masse from Debian fans. But it's
a sour truth that Debian woody is hopefully outdated and as long
as the Debian security team doesn't support the other releases
it's no option at all to use these other releases in productive
environments.

Productive environments are one of two kinds: servers and
workstations.

What's missing from Woody for a server?

And concerning workstations: your security better shield a security
problem on a workstation.

/tmp should always be mounted noexec. Add /home as well with noexec. Why
should users be able to install or run programs from within their home
directories anyway? Administered systems supply everything users need,
so there's no need to give them this freedom. This may be a trade-off,
but the result is more security.

whatever. read above.

You have missed the most important thing: file integrity checking. Take
a look at Tripwire or AIDE.

good point!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net () madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
kill ugly radio
                                                        -- frank zappa

Attachment: signature.asc
Description: Digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault