Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: a secure base system
From: Tobias Weisserth <tobias () weisserth de>
Date: Mon, 15 Mar 2004 22:08:32 +0100

Hi Martin,

Am Mo, den 15.03.2004 schrieb martin f krafft um 21:15:
also sprach harry <Rik.Bobbaers () cc kuleuven ac be> [2004.03.15.1237 +0100]:
- /var and /tmp mounted nosuid and noexec

as others have probably written, this won't do much. first, noexec
can be easily overriden:

  /lib/ld-linux.so.2 /tmp/trojan

True. But I guess a great deal of ready-to-run exploits need some fine
tuning before they can be run this way since they were written to run
directly from /tmp.

And it might be appropriate to assume that this will someday be fixed,
so mounting partitions with noexec isn't a bad idea. Maybe the 2.6
series will make an end of this. I don't know though.

and second, nosuid on /var will make a couple of programs in Debian
fail. i don't remember which.

There used to be a problem with apt as far as I remember. But it might
already be fixed.

- grsec kernel

why not use SELinux?

[kidding]Maybe he doesn't trust NSA? :-)[/kidding]

But I agree. SELinux looks promising.

...

also sprach Tobias Weisserth <tobias () weisserth de> [2004.03.15.1933 +0100]:
If you want an up to date and modern productivity distribution with a
good security policy you mustn't use Debian but an alternative like
Fedora or SuSE or maybe Mandrake.

You may just as well use Debian and stay up to date with the
security problems.

Which means that he has to a little bit more work because he can't
*rely* on the distributor to supply patches in time. It's a trade-off.
He'll have to stay informed himself if the Debian Security Team doesn't
warn in time about critical packages in unstable or testing. Maybe it
mustn't be this way and there are regular updates for unstable. But the
Debian site itself advises against the use of unstable regarding the
security issues.

I know this will raise flames en masse from Debian fans. But it's
a sour truth that Debian woody is hopefully outdated and as long
as the Debian security team doesn't support the other releases
it's no option at all to use these other releases in productive
environments.

Productive environments are one of two kinds: servers and
workstations.

He didn't mention. But I guess he's talking about many identical
workstation installations.

What's missing from Woody for a server?

Nothing :-) I'm running two :-) But I don't expect state of the art
desktop computing on a server. Debian woody doesn't offer this. And
after all, I'm just following the advice on the Debian site ;-) see
http://www.debian.org/releases ;-) The right tool for the right job...

And concerning workstations: your security better shield a security
problem on a workstation.

Non comprende? ;-)

/tmp should always be mounted noexec. Add /home as well with noexec. Why
should users be able to install or run programs from within their home
directories anyway? Administered systems supply everything users need,
so there's no need to give them this freedom. This may be a trade-off,
but the result is more security.

whatever. read above.

[grumpy]Well, at least it raises the bar a bit...[/grumpy]

You have missed the most important thing: file integrity checking. Take
a look at Tripwire or AIDE.

good point!

Though a lot of work if we're talking about workstations here...
Checking on Tripwire changes regularly on a couple of hundreds
individual machines might be tricky... But if we're talking about a base
installation, thus an image that is to be written over a compromised
installation, it might be helpful to check on this machine and see if
the attacker tries the same approach again. The Tripwire database and
the differences might then give away the angle of attack and allow for
counteraction, adapting the image and resulting in a new image which
resists _this_ approach.

regards,
Tobias W.

-- 
***************************************************
   ____  _____
  |  _ \| ____| Tobias Weisserth
  | | | |  _|   tobias () weisserth [de|com|net|org]
 _| |_| | |___  http://www.weisserth.org
(_)____/|_____|
                
Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org

***************************************************

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]