Security Basics mailing list archives

Re: Linux hardening


From: "AragonX" <aragonx () dcsnow com>
Date: Wed, 24 Aug 2005 20:43:47 -0400 (EDT)

<quote who="Jayson Anderson">
Perhaps it is assumed in one of those packages and if so I beg your
pardon; but have you located, identified and demoted to the functional
minimum (if not outright shredded), every single suid and sgid binary on
the box ? 'find' coupled with spatial deduction and a lot of 'whatis' is
one of the most indispensable and telling hardening methods available.
For that matter, 'find'ing and enumerating everything world-accessible
is almost as equally important. 'whatis' is a great ally during this
procedure. Very mundane but the return on investment is outstanding.
</quote>

LIDS by default denies suid and sgid.  If a program needs them, I have to
add it to my config file.  Very nice but oh so annoying to set up.

It also can make all directories read-only, denied or whatever.  I have my
/bin, /sbin, /usr and /etc on read-only.  Some directories are on deny,
etc.  It's taking me some time to get it working just the way I want, but
it is VERY nice.
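
The find/whatis sweep Jayson describes, written out as a script. This is an added example and not code from either poster; the function names are mine, and the sample tree it audits is constructed under mktemp so the whole thing runs offline without root. Pass / to audit_tree for a real host.

```sh
#!/bin/sh
# Added example: enumerate setuid/setgid binaries and world-writable paths,
# then annotate each hit with whatis(1) so its purpose is obvious at a glance.
# Function names are my own; the demo tree at the bottom is constructed.

# All regular files under $1 with the setuid (4000) or setgid (2000) bit set.
# -xdev keeps the walk on one filesystem, so /proc, /sys and network mounts are skipped.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files and directories under $1 that anyone can write to. Sticky directories
# (/tmp style, mode 1777) are excluded because the sticky bit already restricts
# deletion and renaming to the owner; a world-writable non-sticky directory is a finding.
find_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Read paths on stdin and print "path<TAB>mode<TAB>whatis summary".
# whatis may be missing or have no entry for a given name, so fall back gracefully.
annotate() {
    while IFS= read -r p; do
        mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p" 2>/dev/null)
        desc=$(whatis "$(basename "$p")" 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$p" "$mode" "${desc:-(no whatis entry)}"
    done
}

# Full audit of one tree; pass / for a real host. Review every suid/sgid hit:
# keep it only if something on the box actually needs it, otherwise chmod u-s,g-s.
audit_tree() {
    echo "## setuid/setgid files under $1"
    find_suid_sgid "$1" | annotate
    echo "## world-writable, non-sticky paths under $1"
    find_world_writable "$1" | annotate
}

# Counts for scripted checks, e.g. a gate that fails when a new suid binary appears.
count_suid_sgid()      { find_suid_sgid "$1" | wc -l | tr -d ' '; }
count_world_writable() { find_world_writable "$1" | wc -l | tr -d ' '; }

# Constructed sample tree so the script runs offline with no root privileges.
# Setting the suid/sgid bits on files you own needs no special rights.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp" "$d/opt/share"
    printf '#!/bin/sh\n' > "$d/bin/passwd";  chmod 4755 "$d/bin/passwd"       # setuid: finding
    printf '#!/bin/sh\n' > "$d/bin/wall";    chmod 2755 "$d/bin/wall"         # setgid: finding
    printf '#!/bin/sh\n' > "$d/bin/ls";      chmod 0755 "$d/bin/ls"           # ordinary: ignored
    printf 'x\n' > "$d/opt/share/config";    chmod 0666 "$d/opt/share/config" # world-writable file: finding
    chmod 1777 "$d/tmp"                                                       # sticky dir: excluded
    chmod 0777 "$d/opt/share"                                                 # non-sticky 777 dir: finding
    printf '%s\n' "$d"
}

demo_root=$(make_demo_tree)
audit_tree "$demo_root"
```

On a real host the suid list is the one to work through first: anything not in a short, deliberate allowlist (su, sudo, passwd and a handful of others, depending on the distribution) gets its bits stripped and the service that breaks tells you whether it was really needed.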
