Full Disclosure mailing list archives

Re: a secure base system


From: martin f krafft <madduck () madduck net>
Date: Mon, 15 Mar 2004 21:15:39 +0100

also sprach harry <Rik.Bobbaers () cc kuleuven ac be> [2004.03.15.1237 +0100]:
> - /var and /tmp mounted nosuid and noexec

as others have probably written, this won't do much. first, noexec
can be easily overridden:

  /lib/ld-linux.so.2 /tmp/trojan

and second, nosuid on /var will make a couple of programs in Debian
fail. i don't remember which.

> - grsec kernel

why not use SELinux?

> ==> is this ok, too paranoid, or is there something i'm missing, and
> could it be even safer?

you can surely get this a lot safer, especially against local
access.

> how about a compiler? normally, all software on it is compiled by
> hand, but it is also "necessary" for a local exploit.

i can compile on my system and then run it on yours. you can install
a compiler if you need it.

also sprach Jochem Kossen <jkossen () xs4all nl> [2004.03.15.1424 +0100]:
> How about /home? and how about nodev? (dunno if Linux has nodev)

sure it does. mounting /home and the others nodev is a good idea.

> It could be safer, definitely. How about OpenBSD? (yeah yeah, i'm
> biased ;), but there are more security-oriented solutions around)

OpenBSD, Debian, OpenBSD, Debian... guess which one I'll pick. And
that's not a hard decision.

also sprach Tobias Weisserth <tobias () weisserth de> [2004.03.15.1933 +0100]:
> If you want an up to date and modern productivity distribution with a
> good security policy you mustn't use Debian but an alternative like
> Fedora or SuSE or maybe Mandrake.

You may just as well use Debian and stay up to date with the
security problems.

> I know this will raise flames en masse from Debian fans. But it's
> a sour truth that Debian woody is hopelessly outdated and as long
> as the Debian security team doesn't support the other releases
> it's no option at all to use these other releases in productive
> environments.

Productive environments are one of two kinds: servers and
workstations.

What's missing from Woody for a server?

And concerning workstations: your security setup had better shield
against a security problem on a workstation.

> /tmp should always be mounted noexec. Add /home as well with noexec. Why
> should users be able to install or run programs from within their home
> directories anyway? Administered systems supply everything users need,
> so there's no need to give them this freedom. This may be a trade-off,
> but the result is more security.

whatever. read above.

> You have missed the most important thing: file integrity checking. Take
> a look at Tripwire or AIDE.

good point!

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
kill ugly radio
                                                        -- frank zappa

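An added example, not from any of the mails in this thread, that turns the mount-option discussion above into a runnable check. It reads lines in /proc/mounts format (a constructed sample is embedded so it runs anywhere; feed it "$(cat /proc/mounts)" to audit a live host) and reports which of nosuid, nodev and noexec each of /tmp, /var and /home lacks, or whether the directory is not a separate mount at all, in which case the options of the parent filesystem apply and nothing is enforced. The required option sets are assumptions, chosen to follow the thread: /var is only asked for nodev because the reply above reports that nosuid there breaks some Debian programs. Two caveats the thread does not spell out: the ld-linux.so.2 trick quoted above was closed in Linux 2.6, whose mmap() refuses PROT_EXEC mappings of files on a noexec mount, but noexec still says nothing about interpreted scripts, which run from a noexec mount as long as the interpreter lives elsewhere (`sh /tmp/x.sh`), so it is a speed bump, not a control.

```shell
#!/bin/sh
# Added example: audit nosuid/nodev/noexec on the mount points discussed
# in the thread. Not code from the original mail.

# Constructed sample in /proc/mounts format (device mountpoint fstype
# options dump pass). Replace with "$(cat /proc/mounts)" on a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /tmp ext3 rw,nosuid,nodev 0 0
/dev/sda6 /var ext3 rw,nodev 0 0
/dev/sda7 /home ext3 rw,nosuid,nodev,noexec 0 0
proc /proc proc rw 0 0'

# mount_opts MOUNTS MOUNTPOINT
# Prints the option field of MOUNTPOINT, or nothing if it is not a
# separate mount (i.e. the parent filesystem's options apply).
mount_opts() {
    printf '%s\n' "$1" | while read -r _dev _mp _fs _opts _rest; do
        if [ "$_mp" = "$2" ]; then
            printf '%s\n' "$_opts"
            break
        fi
    done
}

# missing_opts MOUNTS MOUNTPOINT OPT...
# Prints the wanted options the mount lacks, space separated (empty when
# all are present), or "not-a-mount" if MOUNTPOINT is not its own mount.
missing_opts() {
    _mounts=$1; _mp=$2; shift 2
    _have=$(mount_opts "$_mounts" "$_mp")
    if [ -z "$_have" ]; then
        echo "not-a-mount"
        return 0
    fi
    _missing=""
    for _want in "$@"; do
        # wrap in commas so "nosuid" never matches inside another word
        case ",$_have," in
            *",$_want,"*) ;;
            *) _missing="$_missing${_missing:+ }$_want" ;;
        esac
    done
    echo "$_missing"
}

# audit MOUNTS
# One line per mount point; returns 1 if anything is missing.
# Assumed policy (per the thread): /tmp gets all three, /var only nodev
# because nosuid on /var is reported to break programs under Debian,
# /home nosuid and nodev (noexec on /home is the contested trade-off).
audit() {
    mounts=$1
    rc=0
    for spec in "/tmp nosuid nodev noexec" "/var nodev" "/home nosuid nodev"; do
        set -- $spec
        mp=$1; shift
        missing=$(missing_opts "$mounts" "$mp" "$@")
        if [ "$missing" = "not-a-mount" ]; then
            echo "$mp: not a separate mount, parent options apply"
            rc=1
        elif [ -n "$missing" ]; then
            echo "$mp: missing $missing"
            rc=1
        else
            echo "$mp: ok"
        fi
    done
    return $rc
}

audit "$SAMPLE_MOUNTS"
```

On the sample this prints `/tmp: missing noexec`, `/var: ok`, `/home: ok` and returns 1. A matching /etc/fstab line for /tmp would read `/dev/sda5 /tmp ext3 defaults,nosuid,nodev,noexec 0 2`; after `mount -o remount /tmp`, rerun the script against the live /proc/mounts to confirm the kernel actually applied it.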

