Full Disclosure mailing list archives
Re: a secure base system
From: Ron DuFresne <dufresne () winternet com>
Date: Mon, 15 Mar 2004 11:54:30 -0600 (CST)
On Mon, 15 Mar 2004, Jochem Kossen wrote:
On Mon, Mar 15, 2004 at 12:37:13PM +0100, harry wrote:
hi all, i have a little question. i'm asked to set up a base system, which has to be secure. we want a system from which we can easily install a compromised system. so i had a few ideas to make it as secure and yet as usable as possible:
install a compromised system? This is a forensics box? then perhaps to really keep it secured it should be un-networked, at least when analysis is being done. I'm taking it as a forensics box, you plan on popping in a DD'ed copy of the drive of the host that was in fact compromised for analysis? Then again, perhaps I'm either misreading your intentions for the system, or you mis-stated your desires?
Thanks,
Ron DuFresne
- use debian testing (stable is too old, unstable is ... well... you know ;))
As testing doesn't get security updates (at least, it's not guaranteed), IMHO it's a bad point to start with.
- /var and /tmp mounted nosuid and noexec
How about /home? and how about nodev? (dunno if Linux has nodev)
- grsec kernel
- use lvm (so you don't need to worry about the sizes of the partitions)
- remote logging to our logging server
- all this in hardware raid 1 for easy transfer to other systems
- iptables with all connections refused (you need physical access to do something)
- maybe allow ssh (no root logins)?
==> is this ok, too paranoia or is there something i'm missing, and could it be even more safe?
It could be more safe definitely. How about OpenBSD? (ye ye i'm biased ;), but there are more security oriented solutions around)
how about a compiler? normally, all soft on it is compiled by hand, but it is also "necessary" for a local exploit.
If you don't install a compiler, make sure users can't upload precompiled compilers :)
any ideas? remarks?
It all depends on what you want to do with the system (webserver? desktop pc's?)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
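An added example, not part of the original thread or anyone's posted code: a Python check for the mount options raised in the quoted list (nosuid and noexec on /var and /tmp, plus the /home and nodev questions), run over a constructed sample in /proc/mounts format. The helper names and sample data are assumptions made for illustration; nodev is a standard Linux mount option, and a path that is not its own mount point is judged by the filesystem that holds it.

```python
import re

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/mapper/vg0-root / ext3 rw,errors=remount-ro 0 0
/dev/mapper/vg0-var /var ext3 rw,nosuid,noexec 0 0
/dev/mapper/vg0-tmp /tmp ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /var/scratch\\040space tmpfs rw,nosuid,nodev 0 0
"""

REQUIRED = {"nosuid", "noexec", "nodev"}   # options raised in the thread
PATHS = ["/var", "/tmp", "/home"]          # mount points raised in the thread

def unescape(field):
    """Decode the octal escapes (\\040 = space) the kernel uses in mount paths."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    """Return (mount_point, options) pairs in file order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts.append((unescape(fields[1]), set(fields[3].split(","))))
    return mounts

def governing_mount(path, mounts):
    """Find the mount that holds `path`: longest matching prefix, last entry wins."""
    best = None
    for point, opts in mounts:
        prefix = point.rstrip("/") + "/"
        if path == point or path.startswith(prefix):
            if best is None or len(point) >= len(best[0]):
                best = (point, opts)
    return best

def audit(text, paths=PATHS, required=REQUIRED):
    """Map each path to (governing mount point, sorted list of missing options)."""
    mounts = parse_mounts(text)
    report = {}
    for path in paths:
        hit = governing_mount(path, mounts)
        report[path] = (hit[0], sorted(required - hit[1])) if hit else (None, sorted(required))
    return report

if __name__ == "__main__":
    for path, (point, missing) in audit(SAMPLE_MOUNTS).items():
        print(f"{path}: on {point}, missing {', '.join(missing) or 'nothing'}")
```

On a live host, pass the contents of /proc/mounts to `audit()` instead of the sample.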