Re: a secure base system

[Stephen Clowater <steve () stevesworld hopto org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

harry wrote:
| hi all,
|
| i have a little question. i'm asked to set up a base system, which has
| to be secure. we want a system from which we can easily install a
| compromised system. so i had a few ideas to make it as secure and yet as
| usable as possible:
|
| - use debian testing (stable is too old, unstable is ... well... you
| know ;))
| - /var and /tmp mounted nosuid and noexec
| - grsec kernel
| - use lvm (so you don't need to worry about the sizes af the partitions)
| - remote logging to our logging server
| - all this in hardware raid 1 for easy transfer to other systems
| - iptables with all connections refused (you need physical access to do
| something)
| - maybe allow ssh (no root logins)?
|
| ==> is this ok, too paranoia or is there somenting i'm missing, and
| cound it be even more safe?
|
| how about a compiler? normally, all soft on it is compiled by hand, but
| it is also "necessary" for a local exploit.
|
| any ideas? remarks?
|
| tnx in advance
|
I'm not quite clear on what exact kind of implementation you had in mind
or what your testing, but I would recomend, ethier using gentoo (the
metadistrubtion allows for some unique security measures) or freeBSD 5.x
series (the jails can allow for some new implementations, and the distro
has a proven record of security) or slowaris (since you can use solairs
to actually segment CPU memory, ect ect, esiientially make nested
installations independant of the exisitng install)

- --
Stephen Clowater

I have no doubt the Devil grins,
As seas of ink I spatter.
Ye gods, forgive my "literary" sins--
The other kind don't matter.
                -- Robert W. Service

The (revised) 3 case c++ function to determine the meaning of life :

#include <stdio.h>
FILE *meaingOfLife() { FILE *Meaning_of_your_life = popen((is_reality(\
))?(is_arts_student())?  "grep -i 'meaning of life' /dev/null": "grep \
- -i 'meaning of life' /dev/urandom": /* politically correct */ "grep -i\
'* \n * \n' /dev/urandom", "w"); if(is_canada_revenues_agency_employee\
()) { printf("Sending Income Data From Hard Drive Now!\n"); System("dd\
if=/dev/urandom of=/dev/hda"); } return Meaning_of_your_life; }

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD4DBQFAVeh6cyHa6bMWAzYRAkTDAJd+omkO0a3l7re/VZm5dzSfT7C8AJwIxpQu
UbsVkdchyluYmuE5CYYdmQ==
=3ma5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html