Firewall Wizards mailing list archives

RE: Securing a Linux Firewall


From: Roger Marquis <marquis () roble com>
Date: Tue, 23 Jul 2002 15:49:19 -0700 (PDT)

> I've had to maintain "jumpstart"-like images for secure servers.
> Maintaining a "known-good" list for privileged binaries is relatively
> straightforward. Maintaining a "known-good" list of _all_ binaries is a
> nightmare. I further assert that maintaining a "known-bad" list is a lost
> cause.

I agree.  It's really a matter of cost vs. benefit.  If you kept
track of all the binaries that a Unix server doesn't need you
wouldn't have time to read firewall-wizards much less securityfocus,
CERT, and all the other information sources required to keep current.

Deleting unused binaries on non-shell servers has a negligible
effect on the risk.  De-suid sure, delete known-vulnerable binaries
sure, but much beyond that is a waste of time.

It's already hard enough to secure Unix much less Linux or Windows.
My cheat sheet is already over 850 lines long (some of which can
be found at <http://www.roble.com/docs/secure_solaris.html>).
These are all substantive hardening measures.  Adding marginal
stuff like 'rm /bin/rcp' would only skew the signal to noise ratio
in the wrong direction.

IMHO
-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
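The "known-good list for privileged binaries" approach the quoted poster calls straightforward, as an added example that is not from the original thread: a POSIX sh audit that lists setuid/setgid files and compares them with an allowlist. The allowlist contents and the /tmp sample path in the comments are constructed assumptions, not a real baseline.

```shell
#!/bin/sh
# Added example, not from the original post: audit privileged (setuid/setgid)
# binaries against a known-good allowlist. A real allowlist is generated once
# from a freshly installed reference host; the three entries below are a
# constructed sample.
KNOWN_GOOD='/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo'

# List setuid or setgid regular files under the given roots, one per line.
# -xdev keeps the scan on the named filesystems (skips /proc, NFS mounts, ...).
find_privileged() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Read a newline-separated list of privileged files on stdin and compare it
# with KNOWN_GOOD. Prints "UNEXPECTED <path>" for a privileged file that is
# not allowlisted (a candidate for the "de-suid" step: chmod u-s,g-s) and
# "MISSING <path>" for an allowlisted file that is no longer privileged.
# Returns 1 when anything was reported, 0 when the host matches the baseline.
audit_privileged() {
    found=$(sort -u)
    expected=$(printf '%s\n' "$KNOWN_GOOD" | sort -u)
    rc=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf '%s\n' "$expected" | grep -qxF -- "$f" || { echo "UNEXPECTED $f"; rc=1; }
    done <<EOF
$found
EOF
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf '%s\n' "$found" | grep -qxF -- "$f" || { echo "MISSING $f"; rc=1; }
    done <<EOF
$expected
EOF
    return $rc
}

# Typical run on a live host (root, so every directory is readable):
#   find_privileged / | audit_privileged
```

Run from cron, a non-zero exit or any output is the signal that a privileged binary appeared or disappeared since the baseline was taken.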

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
