Firewall Wizards mailing list archives

Re: Hardening, (was Re: chroot useful?)


From: Craig Brozefsky <craig () onshore com>
Date: Sun, 23 Nov 1997 10:21:18 -0600

On Sun, 23 Nov 1997, Marcus J. Ranum wrote:

> Darren Reed wrote:
> > Sigh.  Why does everyone pick on man pages ?
>
> Because man pages don't fight back!! :)  Seriously, though,
> my view is that if you're stud enough to be messing around
> on my box, you shouldn't need the man pages. If you do,
> you're not stud enough, ipso facto.

Ok stud, which vowels are not ls command line arguments.  Tell me that 
without a man page 8)

I went thru something like this with a Debian Linux box a few months 
ago.  I find their distribution simple enough that I could easily strip 
it down to all but the necessities, and remove all the setuid binaries.  
Granted it was then no longer a real multi-user unix, but what the hell.  
The Debian package system is helpful because you can really easily 
add/subtract things from the system, and it will preserve your various 
configurations along the way.  To be honest tho I still found that Linux 
and the tools I could use on it did not give me as much flexibility in 
the implementation of my desired security policy.  It wouldn't take that 
much work to whip up some better policy rules for the FWTK, or even to 
rewrite large portions of it, considering that much of it is kinda buggy 
(i.e. http-gw rewriting javascript hrefs and breaking the funcs), but it 
seems like no one has done that yet.  Are there any initiatives for 
rewriting, or developing an entirely new firewall toolkit for Linux and 
other free BSDs?  I'm looking for something that would allow me to do a 
full default deny firewall with a very complex set of protocols that must 
be allowed thru, ranging from ssh, to http, to raudio etc...
Craig Brozefsky              craig () onshore com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
I hear my inside, the mechanized hum of another world - Steely Dan
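One way to verify that a stripped-down box stays stripped (package upgrades can quietly restore setuid bits), as an added example that is not part of the original message or of the FWTK: a POSIX shell audit that inventories setuid/setgid files under a root and reports any not on an allow-list. It runs here against a constructed sample tree; the file names and the single allow-list entry are assumptions for the demo.

```shell
#!/bin/sh
# Audit setuid/setgid files against an allow-list (added example, not from the post).

setuid_inventory() {
    # Emit "u+s ./path" and "g+s ./path" lines relative to root $1, sorted.
    ( cd "$1" || exit 1
      { find . -type f -perm -4000 -print | sed 's|^|u+s |'
        find . -type f -perm -2000 -print | sed 's|^|g+s |'; } | sort )
}

unexpected_setuid() {
    # $1 = root to scan, $2 = allow-list file (same "u+s ./path" format).
    # Prints entries on disk that the allow-list does not permit; returns 1 if any.
    out=$(setuid_inventory "$1" | grep -vxF -f "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

build_sample_tree() {
    # Constructed demo tree (not a real system): two setuid files, one setgid, one plain.
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/sbin"
    for f in usr/bin/passwd usr/bin/legacy-tool usr/sbin/netcmd usr/bin/plain; do
        : > "$d/$f"
    done
    chmod u+s "$d/usr/bin/passwd" "$d/usr/bin/legacy-tool"
    chmod g+s "$d/usr/sbin/netcmd"
    printf '%s\n' "$d"
}

# Demo run: policy permits only passwd to be setuid; everything else is reported.
demo_root=$(build_sample_tree)
demo_allow=$(mktemp)
printf 'u+s ./usr/bin/passwd\n' > "$demo_allow"
if unexpected_setuid "$demo_root" "$demo_allow"; then
    echo "clean: no setuid/setgid files outside the allow-list"
else
    echo "review the setuid/setgid files listed above"
fi
```

Running it from cron after every package operation gives a cheap tripwire for setuid bits that a Debian upgrade put back on a binary you had deliberately stripped.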