Firewall Wizards mailing list archives

Re: Custom Unix server installations -- to harden extensively ?


From: Carson Gaspar <carson () taltos org>
Date: Wed, 14 May 2003 14:12:16 -0400



--On Tuesday, May 13, 2003 22:21:04 +0800 Julian Gomez <kluivert () tm net my> wrote:

Hi,

What is the relative opinion of hardening general purpose Unix servers
(general == mail, web, db hosts). Obviously, wherever possible, I'd like
to get most of the unwanted packages stripped and removed; but very
frequently -- this is extremely time consuming and is a lot of
documentation work (which btw, no one ever bothers to read).

Alas, this usually conflicts in the future when there is a need for
additional software to be implemented, the whole compiling + installation
steps, but the relevant packages have been removed as per the hardening
work done in the above paragraph.

So, what do most of you all do :

        a) Leave the possibly-relevant future packages, intact on the
           system, and just perform permission tweaks ?

I seem to be in the minority here, but I firmly believe that the costs of maintaining a stripped down build exceed the security gains achieved by removing binaries. Once you have:

- removed setuid permissions
- removed setgid permissions
- removed world writeable files/directories
- removed group writeable files/directories
- ensured all files are owned by root
- ensured that only the required software is started at boot time

An attacker is left with no method for privilege escalation. Removing binaries only stops script kiddies - anyone who has access to run processes on your box can install anything they want (assuming they can create executable files).

Of course, some application software requires exceptions to the above, and some OS functions do as well (such as the pt_chown binary on Solaris to implement the grantpt() function).

--
Carson
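An audit script for the checklist in the reply above, added here as an example and not part of the original post: it walks one filesystem and reports setuid and setgid binaries, world-writable and group-writable paths, and anything not owned by the expected owner. The function names, the optional owner argument, and the sticky-bit exception for world-writable directories (so /tmp-style directories are not flagged) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post). Usage: sh audit.sh /path [expected-owner]
# Prints one line per finding, "<category> <path>"; exits 1 if anything is found.

# Hypothetical helper: list every finding under $1; owner defaults to root.
audit_tree() {
    root="$1"
    owner="${2:-root}"
    # -xdev keeps the scan on one filesystem so /proc, NFS mounts etc. are not walked.
    # setuid / setgid executables: each one is a privilege boundary to review.
    find "$root" -xdev -type f -perm -4000 -print 2>/dev/null | sed 's|^|setuid |'
    find "$root" -xdev -type f -perm -2000 -print 2>/dev/null | sed 's|^|setgid |'
    # world-writable files, and world-writable directories lacking the sticky bit
    # (assumption: a sticky directory such as /tmp is the one accepted exception).
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null | sed 's|^|world-writable |'
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sed 's|^|world-writable-dir |'
    # group-writable files and directories (world-writable ones are already reported above)
    find "$root" -xdev \( -type f -o -type d \) -perm -0020 ! -perm -0002 -print 2>/dev/null | sed 's|^|group-writable |'
    # anything not owned by the expected owner
    find "$root" -xdev ! -user "$owner" -print 2>/dev/null | sed 's|^|not-owned-by-'"$owner"' |'
}

# Hypothetical helper: number of findings of one category under $1 (owner in $3).
audit_count() {
    audit_tree "$1" "${3:-root}" | awk -v cat="$2" '$1 == cat { n++ } END { print n + 0 }'
}

# Hypothetical helper: total number of findings under $1 (owner in $2).
audit_total() {
    audit_tree "$1" "${2:-root}" | awk 'END { print NR + 0 }'
}

if [ $# -gt 0 ]; then
    findings=$(audit_tree "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    echo "no findings under $1"
fi
```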


