Firewall Wizards mailing list archives
Re: Custom Unix server installations -- to harden extensively ?
From: Matthew Kirkwood <matthew () hairy beasts org>
Date: Fri, 16 May 2003 09:21:52 +0100 (BST)
On Wed, 14 May 2003, Carson Gaspar wrote:
> I seem to be in the minority here, but I firmly believe that the costs of maintaining a stripped down build exceed the security gains achieved by removing binaries.

It'll never be perfect, because the ideal level of package granularity varies a lot for different purposes, but a recent Red Hat set up to get its packages from a local apt repository is not all that far from the ideal of "no software I don't need, but everything within reach". An "apt-get remove-useless-leaf-packages" is the only obvious (to me) missing step.
> Once you have:
>  - removed setuid permissions
>  - removed setgid permissions
>  - removed world writeable files/directories
>  - removed group writeable files/directories
>  - ensured all files are owned by root
>  - ensured that only the required software is started at boot time
>
> An attacker is left with no method for privilege escalation.
^^ That "no" there assumes that there are no security holes in your "required" software (which, as you pointed out, will often be unable to run if you follow the rest of your checklist).
> Removing binaries only stops script kiddies - anyone who has access to run processes on your box can install anything they want (assuming they can create executable files).

The "executable" bit is not even necessary everywhere:

$ cp /bin/ls .
$ chmod -x ls
$ ls -l ls
-rw-r--r--    1 kirkwm   smg         46888 May 16 09:19 ls
$ /lib/ld-linux.so.2 ./ls
[...]

Matthew.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
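An added example, not code from the thread or its authors: a small POSIX shell audit that checks a finished build against the checklist Carson lists above (setuid, setgid, world/group writable, non-root ownership). It deliberately ignores the execute bit, since Matthew's loader trick shows that bit is not a control; the function names (`audit_tree`, `count_findings`) are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a directory tree against
# the hardening checklist quoted above. Function names are invented here.
#
# The execute bit is not inspected: as the reply demonstrates, a file can be
# run through the dynamic loader with x cleared, so what matters is who can
# *write* files into the tree and which files carry privilege bits.
#
# Uses only POSIX find primaries (-xdev, -type, -perm -NNNN, -user), so it
# behaves the same on GNU and BSD userlands.

# _scan DIR CATEGORY FIND-TESTS...  -> prints "CATEGORY<TAB>PATH" per hit
_scan() {
    _dir=$1; _cat=$2; shift 2
    find "$_dir" -xdev "$@" -print | while IFS= read -r _p; do
        printf '%s\t%s\n' "$_cat" "$_p"
    done
}

# audit_tree DIR  -> one finding per line, covering the whole checklist
audit_tree() {
    _scan "$1" setuid         -type f -perm -4000
    _scan "$1" setgid         -type f -perm -2000
    # symlinks are skipped: their own mode is meaningless, the target's is checked
    _scan "$1" world-writable ! -type l -perm -0002
    _scan "$1" group-writable ! -type l -perm -0020
    _scan "$1" non-root-owned ! -user root
}

# count_findings DIR CATEGORY  -> number of findings in that category
count_findings() {
    audit_tree "$1" | awk -F'\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Typical use on the finished build, as root:  audit_tree / | sort
```

Run it once on a freshly built box and keep the output as the baseline; a later diff against that baseline is a cheap way to notice a new setuid binary or a directory that has quietly become writable.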