Security Basics mailing list archives
Re: Linux hardening
From: "AragonX" <aragonx () dcsnow com>
Date: Wed, 24 Aug 2005 20:43:47 -0400 (EDT)
<quote who="Jayson Anderson">
Perhaps it is assumed in one of those packages and if so I beg your pardon; but have you located, identified and demoted to the functional minimum (if not outright shredded), every single suid and sgid binary on the box? 'find' coupled with spatial deduction and a lot of 'whatis' is one of the most indispensable and telling hardening methods available. For that matter, 'find'ing and enumerating everything world-accessible is almost as equally important. 'whatis' is a great ally during this procedure. Very mundane but the return on investment is outstanding.
</quote>
LIDS by default denies suid and sgid. If a program needs them, I have to add it to my config file. Very nice but oh so annoying to set up. It also can make all directories read only, denied or whatever. I have my /bin, /sbin, /usr and /etc on read-only. Some directories are on deny etc. It's taking me some time to get it working just the way I want but it is VERY nice.
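
The 'find' plus 'whatis' audit described in the quoted message, as an added example that is not part of the original thread. The function names `audit_tree` and `describe_findings` are hypothetical, and "world-accessible" is narrowed here to world-writable files and world-writable directories without the sticky bit.

```shell
#!/bin/sh
# Added example (not from the thread): inventory setuid/setgid files and
# world-writable entries, then annotate each with its whatis summary so an
# admin can decide which special bits to drop.

# audit_tree DIR
# Prints one "KIND path" line per finding. -xdev keeps find on one
# filesystem so /proc, NFS mounts and the like are not walked.
audit_tree() {
    root=${1:-/}
    find "$root" -xdev -type f -perm -4000 -print 2>/dev/null | sed 's/^/SUID /'
    find "$root" -xdev -type f -perm -2000 -print 2>/dev/null | sed 's/^/SGID /'
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null | sed 's/^/WWFILE /'
    # A world-writable directory is only reported when the sticky bit is
    # missing; /tmp-style 1777 directories are expected.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | sed 's/^/WWDIR /'
}

# describe_findings
# Reads "KIND path" lines on stdin and appends the first whatis line for the
# file's basename. Paths containing newlines are not handled.
describe_findings() {
    while read -r kind path; do
        desc=$(whatis "$(basename "$path")" 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$kind" "$path" "${desc:-no whatis entry}"
    done
}

# Typical use, run as root so unreadable directories are not skipped:
#   audit_tree / | describe_findings > special-bits-inventory.tsv
```

Keeping the inventory and diffing it after package updates shows when an upgrade restores a bit that was removed with `chmod u-s` or `chmod g-s`.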