Firewall Wizards mailing list archives

Re: chroot useful?


From: mcnabb () argus-systems com (Paul McNabb)
Date: Mon, 17 Nov 1997 22:36:21 -0600

 From anton () Toronto com Mon Nov 17 19:05 CST 1997
 
 At 05:27 PM 17/11/97 -0600, Paul McNabb wrote:
 >
 >IMHO, stripping down a system by removing unnecessary utilities, services,
 >and processes reduces the chances of leaving a hole open and is absolutely
 >essential for making a firewall "secure", but it does little towards making
 >the remaining services more secure.
 
 What about stripping down the kernel and removing things of dubious nature?

Absolutely.  I think most people would agree that the smaller the code,
the better.

Unfortunately, there is a problem with it.  Although most firewalls are
kept pretty stable once installed and operational, people generally like
to know that any new security product is a candidate for their machine.
If you run a stripped down kernel, there is the chance that your system
won't support the next firewall version, or that nice auditing program
you want, or ...

And what about when your system admin guy leaves and the next guy comes
along?  If he needs to rebuild the system or add a patch, will it break
everything?  Another issue: if you are looking for commercial support
and updates, having a home-grown OS version pretty much invalidates a lot
of customer support.

So as far as OSes are concerned, we are left with

1) running a strong commercial version (very few available)
2) running a bastardized but strong commercial version
3) running a potentially weak but fully supported commercial version
4) running a strong home version (with little help/experience from
   other sites)

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------


