Firewall Wizards mailing list archives

Re: Custom Unix server installations -- to harden extensively ?


From: Matthew Kirkwood <matthew () hairy beasts org>
Date: Fri, 16 May 2003 09:21:52 +0100 (BST)

On Wed, 14 May 2003, Carson Gaspar wrote:

> I seem to be in the minority here, but I firmly believe that the costs
> of maintaining a stripped down build exceed the security gains
> achieved by removing binaries.

It'll never be perfect, because the ideal level of
package granularity varies a lot for different
purposes, but a recent Red Hat set up to get its
packages from a local apt repository is not all
that far from the ideal of "no software I don't
need, but everything within reach".

An "apt-get remove-useless-leaf-packages" is the
only obvious (to me) missing step.

> Once you have:
>
> - removed setuid permissions
> - removed setgid permissions
> - removed world writeable files/directories
> - removed group writeable files/directories
> - ensured all files are owned by root
> - ensured that only the required software is started at boot time
>
> An attacker is left with no method for privilege escalation.
                           ^^
That "no" there assumes that there are no security
holes in your "required" software (which, as you
pointed out, will often be unable to run if you
follow the rest of your checklist).

> Removing binaries only stops script kiddies - anyone who has access to
> run processes on your box can install anything they want (assuming
> they can create executable files).

The "executable" bit is not even necessary everywhere:

$ cp /bin/ls .
$ chmod -x ls
$ ls -l ls
-rw-r--r--    1 kirkwm   smg         46888 May 16 09:19 ls
$ /lib/ld-linux.so.2 ./ls
[...]

Matthew.
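
An added example, not part of the original message: a POSIX shell audit for the file-permission items of the checklist quoted in the thread. It also reports ELF files that carry no execute bit, since the `ld-linux.so.2` session shows that clearing the bit does not stop them from being run. The function names, the finding labels and the optional OWNER argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_tree DIR [OWNER]
#   OWNER defaults to root; it is a parameter only so the audit can be
#   tried on a scratch directory by a non-root user (assumption).
# Output: one "FINDING<TAB>path" line per violation.

report() {  # report LABEL DIR find-expression...
    label=$1; dir=$2; shift 2
    # -xdev: stay on one filesystem; symlinks are skipped because their
    # mode bits carry no meaning
    find "$dir" -xdev ! -type l "$@" -exec printf '%s\t%s\n' "$label" {} \;
}

is_elf() {  # true if the file starts with the ELF magic 0x7f 'E' 'L' 'F'
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = 7f454c46 ]
}

audit_tree() {
    dir=$1; owner=${2:-root}
    report SETUID         "$dir" -type f -perm -4000
    report SETGID         "$dir" -perm -2000
    report WORLD_WRITABLE "$dir" -perm -0002
    report GROUP_WRITABLE "$dir" -perm -0020
    report NOT_OWNED      "$dir" ! -user "$owner"
    # Clearing the x bit does not disarm a binary (see the ld-linux.so.2
    # session above), so list ELF files that have no execute bit at all.
    find "$dir" -xdev -type f ! -perm -0100 ! -perm -0010 ! -perm -0001 -print |
    while IFS= read -r f; do
        if is_elf "$f"; then printf '%s\t%s\n' ELF_WITHOUT_X_BIT "$f"; fi
    done
}

# Run directly as: sh audit.sh /usr/local
if [ $# -gt 0 ]; then audit_tree "$@"; fi
```

An empty report covers only the file-permission items of the checklist; it says nothing about holes in the software that is still installed and running.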
