Firewall Wizards mailing list archives
Re: Custom Unix server installations -- to harden extensively ?
From: Carson Gaspar <carson () taltos org>
Date: Wed, 14 May 2003 14:12:16 -0400
--On Tuesday, May 13, 2003 22:21:04 +0800 Julian Gomez <kluivert () tm net my> wrote:
> Hi,
>
> What is the relative opinion of hardening general purpose Unix servers (general == mail, web, db hosts). Obviously, wherever possible, I'd like to get most of the unwanted packages stripped and removed; but very frequently -- this is extremely time consuming and is a lot of documentation work (which btw, no one ever bothers to read).
>
> Alas, this usually conflicts in the future when there is a need for additional software to be implemented, the whole compiling + installation steps, but the relevant packages have been removed as per the hardening work done in the above paragraph.
>
> So, what do most of you all do :
>
> a) Leave the possibly-relevant future packages, intact on the system, and just perform permission tweaks ?

I seem to be in the minority here, but I firmly believe that the costs of maintaining a stripped down build exceed the security gains achieved by removing binaries. Once you have:
- removed setuid permissions
- removed setgid permissions
- removed world writeable files/directories
- removed group writeable files/directories
- ensured all files are owned by root
- ensured that only the required software is started at boot time

An attacker is left with no method for privilege escalation. Removing binaries only stops script kiddies - anyone who has access to run processes on your box can install anything they want (assuming they can create executable files).
Of course, some application software requires exceptions to the above, and some OS functions do as well (such as the pt_chown binary on Solaris to implement the grantpt() function).
-- Carson
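
The file-level items in the checklist above (setuid, setgid, world-writable, group-writable, root ownership) can be audited mechanically, with the exceptions the message mentions kept in an explicit list. The Python sketch below is an added example, not part of the original post or thread; the function names, labels and the `exceptions` parameter are assumptions made for illustration, and it only reports, changing nothing on disk.

```python
import os
import stat
import sys

ROOT_UID = 0  # conventional superuser uid

# Mode bits named in the checklist, paired with a label (labels are illustrative).
CHECKS = (
    (stat.S_ISUID, "setuid"),
    (stat.S_ISGID, "setgid"),
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IWGRP, "group-writable"),
)

def findings(mode, uid, owner_uid=ROOT_UID):
    """Return the checklist items violated by a file with this st_mode/st_uid."""
    if stat.S_ISLNK(mode):
        return []  # a symlink's own mode (usually 0777) is not enforced
    hits = [label for bit, label in CHECKS if mode & bit]
    if uid != owner_uid:
        hits.append("wrong-owner")
    return hits

def audit_tree(root, owner_uid=ROOT_UID, exceptions=frozenset()):
    """Walk root without following symlinks; return {path: [violations]}.

    exceptions holds paths of documented, accepted deviations (for example a
    binary that must stay setuid); they are left out of the report.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if path in exceptions:
                continue
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable while walking
            hits = findings(st.st_mode, st.st_uid, owner_uid)
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, hits in sorted(audit_tree(target).items()):
        print(f"{path}: {', '.join(hits)}")
```
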